Catph1shing

Fake job offers and fake cheque scams

A new(ish) scam on the internet

Boring 'who the hell am I?'

  • Brendan Murray
  • brendan@wolfhoundsecurity.com
  • https://wolfhoundsecurity.com
  • Doing Infosec before we ever heard the term

So I'm talking about what?

  • Catfishing - the standard meaning
  • Catph1shing - how I mean it
  • Where I first saw it
  • Some examples
  • How 'we' chose to deal with it
  • What is the impact on
    • the employer?
    • the potential 'employee'?
    • banks?
    • the miscreant?

Catfishing - the standard meaning

cat·fish
/ˈkatˌfiSH/

verb
gerund or present participle: catfishing
1. fish for catfish.
   "with the Mississippi River far below its normal level, the catfishing kept getting better and better"
2. INFORMAL, US: lure (someone) into a relationship by means of a fictional online persona.
   "he was being catfished by a cruel prankster"
Often in reference to the Catfish TV show.

Catph1shing - how I mean it

  • Talking about fraudulent job offers
  • People seeking work on job sites are approached with an offer
  • They undergo an interview, they provide personal information
  • They are offered a job, and a first payment in the form of a scanned cheque (check)
  • They bank the cheque and send confirmation to the 'employer'


Where I first saw it

  • Email from a 'new employee', to a generic company email address
  • They had an interview using Skype, Hangouts
  • They supplied references, personal information:
    • Name, address, DOB
    • Social security number
  • They received a scan of both sides of a cheque for $1000 with a request to bank it and send notification of successful deposit to the 'employer'
  • They got suspicious and emailed us

Dealing with it

  • First instinct is to reply and engage
  • Treated it as an 'incident'
  • Apply incident response processes
  • Take corrective actions
  • Take preventative actions

How is this an 'incident'?

  • Abnormal communication
  • Contact on generic email address, phone calls from US numbers
  • We don't recognise any of the HR managers or recruiters
  • They're for jobs we're not advertising
  • It's against normal process
  • We don't understand the impact on us
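The indicators on this slide can be turned into a first-pass triage check for inbound mail. The script below is an added example for this talk, not something the speaker used: it scores a message against the listed indicators (sender not a known recruiter, sent to a generic mailbox, role not currently advertised, US phone number, request to bank a cheque scan) and escalates when two or more coincide. The recruiter domains, advertised job list, mailbox names, the two sample messages and the escalation threshold are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed reference data for this example; a real deployment would load
# these from HR's recruiter list and the job advertisements currently live.
KNOWN_RECRUITER_DOMAINS = {"wolfhoundsecurity.com", "example-hr-partner.co.nz"}
ADVERTISED_JOBS = {"security analyst"}
GENERIC_MAILBOXES = {"info", "contact", "enquiries", "jobs", "admin"}

# North American number formats such as +1 (415) 555-0123 or 415-555-0123.
US_PHONE = re.compile(r"\+?1[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# "cheque"/"check" followed within a short window by an instruction to bank it.
CHEQUE_DEPOSIT = re.compile(r"\b(cheque|check)\b.{0,120}?\b(deposit|bank|cash)\b", re.I | re.S)
# Words that signal the mail is about a role at all.
ROLE_MENTION = re.compile(r"\b(role|position|job|vacancy|offer)\b", re.I)


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


def triage(msg: Message) -> list[str]:
    """Return the indicators from the slide that this message trips, in a fixed order."""
    flags = []
    text = f"{msg.subject}\n{msg.body}"

    # Unrecognised HR manager / recruiter: sender domain is not on HR's list.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in KNOWN_RECRUITER_DOMAINS:
        flags.append("sender-not-a-known-recruiter")

    # Contact arrived on a generic company address rather than a named person.
    if msg.recipient.split("@", 1)[0].lower() in GENERIC_MAILBOXES:
        flags.append("sent-to-generic-mailbox")

    # The mail talks about a role, but none of the roles we advertise is named.
    if ROLE_MENTION.search(text) and not any(job in text.lower() for job in ADVERTISED_JOBS):
        flags.append("job-not-advertised")

    if US_PHONE.search(text):
        flags.append("us-phone-number")

    if CHEQUE_DEPOSIT.search(text):
        flags.append("cheque-deposit-request")

    return flags


def should_treat_as_incident(flags: list[str]) -> bool:
    """Escalate when two or more indicators coincide (threshold chosen for this example)."""
    return len(flags) >= 2


# Constructed sample messages: one modelled on the scam described in the talk,
# one a routine mail from a known HR partner.
SCAM = Message(
    sender="hr-team@careers-mail.example",
    recipient="info@wolfhoundsecurity.com",
    subject="Congratulations - Project Manager position",
    body=(
        "Further to your Skype interview you are offered the Project Manager position. "
        "A scan of your first cheque is attached; please deposit it and confirm. "
        "Questions? Call me on +1 (415) 555-0123."
    ),
)
LEGIT = Message(
    sender="hiring@example-hr-partner.co.nz",
    recipient="brendan@wolfhoundsecurity.com",
    subject="Security Analyst shortlist",
    body="Shortlist for the security analyst role attached, as agreed last week.",
)

if __name__ == "__main__":
    for msg in (SCAM, LEGIT):
        flags = triage(msg)
        verdict = "treat as incident" if should_treat_as_incident(flags) else "normal"
        print(f"{msg.subject!r}: {flags} -> {verdict}")
```

The point of keeping the indicators as separate flags rather than a single score is that each one maps back to a line on this slide, so whoever picks up the ticket can see which of the 'abnormal' conditions actually fired and route it into the normal incident process rather than replying to the sender.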

What we did!

  • We did not engage
  • Risk assessment: risk to the company
  • Corrective action:
    • Craft a standard email disclaimer response
    • Disclaimer on web site
  • Preventive action:
    • Awareness
    • Web page disclaimer
    • Work with external HR in NZ and USA

What is the impact on

  • the employer?
  • the potential 'employee'?
  • banks?
  • the miscreant?

Risk to: employer

  • Reputational
  • Immigration issues
  • Financial
  • Liability

Risk to: 'Employee'

  • Identity fraud
  • Personal expenditure
  • Stress, job risk

Risks to: banks

  • Deposit rules have a lag
  • Cheque is credited to depositor
  • Cheque is debited to originating account
  • At reconciliation, credit is reversed
  • Bank, or cheque victim, out of pocket

Risks to: miscreant

  • Some loss of anonymity
  • It is cheque fraud
  • Potential mail fraud
  • Some have been referred to FBI

References, information

The End