Chapter 857 Scammed Out of Hundreds of Dollars
Chapter 857 shares its experience, and the EAA IT department gives a few tips and tricks for handling suspicious e-mails.
In early October, our EAA chapter voted to approve monies to convert our chapter from a nonprofit to a charity. So when I got an e-mail from our chapter president last week to wire the money to a Michigan credit union, I went ahead and made the transfer.
My computer had failed, so I was doing this using web mail. I sent a copy of the wire transfer to my president using another computer to ensure he would get the copy. His “What is this?” response made me go back and look at the source code for the e-mails, which is when I realized that the “reply to” was different than the “sent from,” and I had been scammed.
We reported the incident to the local police, both the sending and receiving bank, and filled out an FTC incident report. The receiving bank said the money was immediately moved from the receiving account.
Since the attack, we have put in a policy of no wire transfers, and we now require two signatures for all expenditures of more than $500.
Chapter leaders, please be on the lookout for any suspicious or strange e-mails that may appear to come from legitimate senders you have associated with. We have recently seen several cases of e-mails that appear to come from a legitimate sender but weren’t actually sent by that individual (a method known as spoofing). Some crafty hackers are leveraging configuration weaknesses on some external mail systems, thus making it more difficult for mail filtering systems to catch all situations.
If you receive a message that requests any sensitive information or directs you to a site to log in or submit any form of information that you find questionable, please proceed with caution and work with your chapter leaders to verify the sender.
Most e-mail systems are getting better at picking up on these new phishing techniques (phishing is the practice of staging a message to look as though it is coming from a sender it didn’t come from, in an attempt to collect sensitive information such as credit card numbers, passwords, etc.), but some of them are difficult to filter out entirely without creating issues with legitimate e-mails.
A good security practice is to view all messages with caution regardless of who they came from. If ever in doubt about the validity of a message or a request received in the message, consult with your chapter leaders or contact the sender via phone to validate if they indeed sent the message and requested such information. Sensitive information will almost never be requested by a legitimate sender through an inquiry via e-mail, and any such requests should be treated as potentially fraudulent by default.
The big thing to remember is that users should always be cautious when prompted to provide any type of sensitive information, especially if it isn’t in regard to anything that was requested or initiated.
— Brian Lutze, EAA IT Infrastructure Architect, EAA 1011917
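The chapter's account turned on one detail in the message source: the "reply to" address was different from the "sent from" address. The following is an added example, not part of the original article or EAA's tooling, showing how that check can be run over a saved message with Python's standard library; the sample message and all addresses in it are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not taken from the incident described above).
SAMPLE = """\
From: "Chapter President" <president@chapter.example>
Reply-To: "Chapter President" <president.chapter@mailbox.example>
Return-Path: <bounce@bulk-sender.example>
To: treasurer@chapter.example
Subject: Wire transfer needed today

Please wire the funds and send me the confirmation.
"""

def _addresses(msg, header):
    """Lower-cased addresses found in every occurrence of one header."""
    values = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def _domain(addr):
    """Part of the address after the last '@'."""
    return addr.rpartition("@")[2]

def header_mismatches(raw):
    """Return findings where replies or bounces leave the From domain."""
    msg = message_from_string(raw)
    senders = _addresses(msg, "From")
    if len(senders) != 1:
        # A missing or multi-address From is itself worth a manual look.
        return [f"expected one From address, found {len(senders)}"]
    from_domain = _domain(senders[0])
    findings = []
    for header in ("Reply-To", "Return-Path"):
        for addr in _addresses(msg, header):
            if _domain(addr) != from_domain:
                findings.append(f"{header} {addr} is outside {from_domain}")
    return findings

if __name__ == "__main__":
    for finding in header_mismatches(SAMPLE):
        print("WARNING:", finding)
```

A mismatch is a prompt to verify by phone, not proof of fraud: legitimate mailing services often use a different Return-Path domain, and a spoofed message can also carry matching headers.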