Last Friday I received an email from my boss to make a payment to Germany:
Before opening the email, I thought I was in trouble as I saw the preview saying “Hello Nathan”. Then I opened it…
My boss, Nathan Franks, does not email me to my Gmail account, nor does he use a blue font. Of course, this was not him, but I thought I’d check to find out more about it:
Reply-to is firstname.lastname@example.org… While I know my boss is a smart guy, he’s no doctor that needs privateemail. I forwarded this email to the real Nathan, who was sitting across the room from me, and he gave me the green light to have some fun with this guy. While he’s wasting time replying to me he’s not spending time scamming others.
Here’s the transcript of how the conversation went down (omitted niceties and signatures):
By this point, I wasn’t sure where I should take it. I’m not an accountant, so I thought I would make that fairly obvious by my lack of correct lingo.
I would have thought that making up a stupid product name would have thrown him off. I was wrong…
I even changed the product name in this one! He didn’t bite, he stuck to his guns and was determined to get me… or so I thought. I sent that last reply around 4:30 pm on Friday afternoon and didn’t get a reply all weekend. I thought I pushed too far, I thought it was dead, until Monday morning:
I like that he tried to use my made-up product name in this one. At this point, I intended on making up a fake receipt to send, but I had lots of real work to do and forgot about it. It turns out that fake Nathan didn’t forget, and he got impatient…
While I appreciate him showing some level of care for my wellbeing, I didn’t appreciate how pushy he got because I got busy with real work. I was intending on responding and telling him all about my “symptoms”, but I didn’t have time for this either. Of course, he got impatient again…
I decided to end it here as it had gone on long enough. It was fun while it lasted, and while he was directing his attention towards me, he wasn’t scamming some poor soul.
Of course, I didn’t get a response. I was hoping for some abuse, but it makes financial sense for him to direct his attention at someone who will actually follow through with the payments.
So what was the point of all this? Besides being a whole lot of fun to participate in, I wanted to make it an educational exercise for everyone. Ensure your emails are read carefully. If something seems out of the ordinary like this one, let us know.
How did this person get this much information to impersonate my boss to try and scam me? The day before this email I accepted a request on LinkedIn by someone I don’t know. I didn’t check their profile as I was just excited to have more connections! This person looked through my profile, and as I use my personal email for my LinkedIn, this is all they could use. They saw who my boss was, and that email address was listed. This person determined by my job role “Account Manager” that I had something to do with accounts. They would have taken a stab that my boss uses an iPhone too.
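The header clues that gave this email away (the boss's name on a message sent to a personal mailbox, and a Reply-To pointing at a different domain from the sender) can also be checked by a script. The sketch below is an added example, not part of the original post; the company domain, the executive list, the indicator names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "corp.example"   # assumption: your organisation's mail domain
EXECUTIVES = {"nathan franks"}    # assumption: display names worth impersonating

# Constructed sample: boss's name and address in From, replies diverted elsewhere.
SCAM = """\
From: Nathan Franks <nathan.franks@corp.example>
Reply-To: Nathan Franks <nathan.franks@mailbox.example>
To: me@personal.example
Subject: Hello

Are you at your desk? I need a payment made to Germany today.
"""

# Constructed sample: ordinary internal mail.
LEGIT = """\
From: Nathan Franks <nathan.franks@corp.example>
To: me@corp.example
Subject: Friday report

Thanks for sending this through.
"""

def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw, company=COMPANY_DOMAIN, execs=EXECUTIVES):
    """Return the list of impersonation indicators found in a raw message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, rcpt = parseaddr(msg.get("To", ""))
    is_exec = name.strip().lower() in execs
    found = []
    if is_exec and _domain(sender) != company:
        found.append("exec-name-external-sender")
    if reply_to and _domain(reply_to) != _domain(sender):
        found.append("reply-to-domain-mismatch")
    if is_exec and rcpt and _domain(rcpt) != company:
        found.append("exec-mail-to-personal-address")
    return found

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

A message that trips any of these is worth forwarding to the real sender or your IT team before anyone acts on it.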