Trolling for dollars

Over the past few years, a specialized type of phishing has become more prevalent: financial spear phishing. In keeping with security community tradition, its short name has been given a seafood-style twist: finphishing.

What is finphishing?

While almost all phishing is done for financial gain, finphishing seeks an almost instant payoff. Some phishing attacks try to steal intellectual property or credit card information, or passwords that can be used to subvert accounts. Finphishing attempts to have the victim transfer cash or easily converted gift cards to the attacker.

How is it done?

Because of the financial element, the attackers take more care in selecting victims. They look for companies and organizations with publicly-available information about organizational structure. They may seek company directories or org charts on websites, looking for manager-staff relationships.

Once the structure is mapped out, they select a manager to impersonate and send email to that manager's employees claiming that the manager is in a meeting or stuck in traffic. The name on the email is that of the actual manager, although the return email address is at Gmail or another free provider.

They tell the employee that they need some gift cards immediately for thank you gifts for a client or business partner. They specify the number and value of the gift cards. As the conversation continues through email, the victim is told to scratch away the film covering the redemption codes on the cards and to take and email photos of the codes. The attacker promises to reimburse the victim for their purchase.

Familiar tells

We see the usual hallmarks of phishing in these attacks.

  • The rush to buy cards focuses the victim's mind on the task, rather than the plausibility of the claim.
  • The attacker asks for a specific type of card and dollar amount, which makes the request seem planned and not exorbitant.
  • By being rushed, the employee doesn't think to ask why the manager doesn't simply buy the cards online; why the gifts are time-sensitive; why the gift cards are to be scratched, making them less attractive as gifts.

Is it being used against UW?

Yes! Over the past few months, IST has had reports of many employees receiving finphishing email. The following are actual excerpts from some messages sent to Waterloo staff by attackers in September.

Good Morning,

Are you in the office yet??if not please I have an important errand i need you to do for me outside.I am in a meeting i won't be able to pick a call.

I attached a picture of what it looks like,You can get it at any store close to you.(Walmart,7 Eleven,Shoppers Drug Mart,Game Stores & others around you)..I need steam wallet Gift cards of 100$... 5 each, that's 500$ worth of Steam Cards...scratch the code panel and take a clear picture of it and send to me here in the email, Ensure you keep the cards until i ask you to dispose off,Sorry for the inconvenience,Will reimburse that back to you.
Note..I need it asap..You can get any denominations like $200,$100,$50 or $20... What matters is the Total value of $500.

Kindly do these for me...Its very important and urgent..I'm in a private meeting and wont be able to talk on phone.Will need you to please run an errand for me at the store now,I need Steam wallet gift cards to send out to some client, can you confirm if you can get some? Will want you to make arrangements to get the gift cards so i can advise certain product and denomination to procure.Thanks

Why gift cards?

By acquiring gift cards, the attacker can quickly use them for purchases or can sell the codes. Once this is done, the transaction can't be reversed. By comparison, transfers made by bank transfers or credit card payment may be reversible. These latter methods also require the attacker to have a bank account or credit card processor.

In the currently popular Steam variant, attackers use the gift cards to set up accounts loaded with popular games, which they then sell on gamer forums.

How can we defend against finphishing?

Finphishing emails don't contain URLs or malware and instead rely on convincing the victim during an exchange of many messages, making it difficult to automatically detect and quarantine them. Staff have to be vigilant in the face of all phishing attacks.

Principles to prevent falling victim to finphishing

  • Verify unusual requests from your manager. If you've never bought gift cards - or anything else - for that person, consider why you are being asked to do so now. Ask who the merchandise is being bought for.
  • Verify the email address. Email clients may display only the text name, not the address, so employees need to look closely.
  • Compare the text to other messages for your manager. If spelling, punctuation, or choice of words differs, it is likely an attack.
  • When in doubt, verify using a different contact method. Don't ask in the email thread for a phone number. Look it up yourself and call or message the purported manager.
  • Be suspicious when you are told you will be reimbursed. If the financial arrangements and payments are not in keeping with normal practice, don't go along with them.
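Because these messages carry no URLs or attachments, a mail filter has to lean on the same checks the principles above ask of staff: does the display name belong to a known manager whose real address is different, is the sender at a free-mail provider, does the Reply-To point elsewhere, and does the body combine gift-card language with urgency and a promise of reimbursement. The following is an added illustration, not an IST tool; the staff directory, domain names, addresses and the two sample messages are constructed placeholders, and the indicator weights and alert threshold are assumptions chosen for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory (hypothetical): normalized display name -> legitimate address.
STAFF_DIRECTORY = {
    "jane manager": "jane.manager@example-university.ca",
}
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Phrases taken from the pattern described in the article.
GIFT_CARD_TERMS = ("gift card", "steam wallet", "itunes", "code panel", "scratch", "redemption code")
URGENCY_TERMS = ("asap", "urgent", "immediately", "in a meeting", "won't be able to pick a call", "can't talk")
REIMBURSE_TERMS = ("reimburse", "pay you back")

# Assumed weights: a name/address mismatch and gift-card language dominate the score.
WEIGHTS = {
    "name_address_mismatch": 4,
    "free_mail_sender": 2,
    "reply_to_differs": 2,
    "gift_card_language": 3,
    "urgency_language": 1,
    "reimbursement_promise": 1,
}
ALERT_THRESHOLD = 6  # assumed; tune against real mail before relying on it

# Constructed samples: one finphishing attempt, one ordinary internal message.
SAMPLE_MESSAGES = [
"""From: Jane Manager <jane.manager.uw@gmail.com>
Reply-To: jane.manager.uw@gmail.com
To: pat.staff@example-university.ca
Subject: Quick favour

Are you in the office yet? I am in a meeting and won't be able to pick a call.
I need Steam wallet gift cards of $100, 5 each, scratch the code panel and send
me a clear picture. Will reimburse you. It's urgent.
""",
"""From: Jane Manager <jane.manager@example-university.ca>
To: pat.staff@example-university.ca
Subject: Agenda for Thursday

Attached is the agenda for Thursday's meeting. Let me know if anything is missing.
""",
]


def _normalize(text):
    # Lower-case and collapse whitespace so phrase matching is tolerant of layout.
    return " ".join(text.lower().split())


def _body_text(msg):
    # Collect the text/plain parts; attackers' messages are plain text anyway.
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def score_message(raw):
    """Return the triggered indicators, a weighted score and whether to alert."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    from_domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.lower().rsplit("@", 1)[-1] if "@" in reply_to else ""
    text = _normalize(msg.get("Subject", "") + " " + _body_text(msg))

    indicators = []
    # "Verify the email address": a known manager's name on an unexpected address.
    expected = STAFF_DIRECTORY.get(_normalize(display_name))
    if expected and expected != address:
        indicators.append("name_address_mismatch")
    if from_domain in FREE_MAIL_DOMAINS:
        indicators.append("free_mail_sender")
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply_to_differs")
    # "Compare the text": gift-card, urgency and reimbursement language.
    if any(t in text for t in GIFT_CARD_TERMS):
        indicators.append("gift_card_language")
    if any(t in text for t in URGENCY_TERMS):
        indicators.append("urgency_language")
    if any(t in text for t in REIMBURSE_TERMS):
        indicators.append("reimbursement_promise")

    score = sum(WEIGHTS[i] for i in indicators)
    return {"from": address, "indicators": indicators,
            "score": score, "alert": score >= ALERT_THRESHOLD}


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        result = score_message(raw)
        print(f"{result['from']}: score={result['score']} alert={result['alert']} {result['indicators']}")
```

The name/address check is the strongest signal because it is the one staff are least likely to notice when a client shows only the display name; the wording checks are deliberately weak on their own, since a genuine manager can also write "urgent". A score like this is a triage aid for flagging messages for a human look, not a replacement for the out-of-band verification the principles call for.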

The struggle against finphishing, and other types of email attacks, is unlikely to ever end. With care, though, we can prevent becoming victims.