Threat actors made away with $120,000 from an innocent victim by duping them with a sophisticated scam. This text shares the details of the cyberattack and shows how you can protect yourself.
As technology advances at a dizzying pace, so does the cunning of those seeking to exploit it for their nefarious purposes. One such example of this unfortunate reality can be seen in the recent surge of ‘Phishing-as-a-service’ kits, which provide a turnkey solution for would-be thieves to engage in digital fraud and easily steal sensitive information. This malign development is fueling an alarming uptick in incidents of theft, with victims ranging from individuals to large corporations.
One of the latest cases is that of Cody Mullenaux, an innocent small business owner who fell victim to threat actors who used technology to make away with his funds in a sophisticated wire transfer scam. Let us see what happened and how you can protect against similar threats.
Phishing as a Service scam on Cody Mullenaux, The Man Who Lost $120,000
Despite banks investing heavily in cybersecurity and fraud detection measures, some criminal tactics remain sophisticated enough to even deceive bank employees, as evident from the case of California-based small business owner Cody Mullenaux, who lost over $120,000 after having it wired from his Chase account. Mullenaux is the inventor and founder of Aquaphant, a technology enterprise that converts moisture from the air into filtered water.
On 19 December 2022, while Christmas shopping, Mullenaux received a call from threat actors claiming to be from the Chase fraud department, asking him to verify a suspicious transaction. The number matched Chase customer service, and the link sent for identification purposes appeared legitimate, leading Mullenaux to log into his account.
During the call, Mullenaux was told that someone was attempting to steal his account funds and was instructed to wire the funds to a bank supervisor for temporary safekeeping. Staying on the phone for nearly three hours, the victim followed the instructions, answering additional security questions but getting duped out of $120,000.
There was a team of threat actors behind the sophisticated attack. While a threat actor impersonating a Chase fraud representative spoke with Mullenaux, a second threat actor posed as the victim and contacted Chase to make wire transfers.
The answers Mullenaux gave to the first threat actor’s security questions were then fed to the second one, who used them to gain entry into his Chase account. This allowed the fraudsters to convince the Chase employee they were Mullenaux himself and so authorize the three wire transfers of over $120,000.
Threat Actors Exploited Loopholes
The scammers in the story successfully took advantage of loopholes in consumer protection laws, resulting in Chase not being obligated to repay Mullenaux’s stolen funds. Banks are not bound to reimburse when customers are duped into transferring funds to a cybercriminal. However, the Electronic Fund Transfer Act requires banks to repay customers if funds are stolen without customer authorization. Still, wire transfers and fraud involving paper checks and prepaid cards are not covered.
The cybercriminals also transferred money from Mullenaux’s personal account to his business account, which is not protected by Regulation E, as it only covers individual accounts. Despite Mullenaux’s efforts to recover the stolen funds, including filing reports with local police and the FBI’s Internet Crime Complaint Center, the bank has yet to repay the stolen funds, with the investigation still ongoing.
No Transaction Reversal From the Bank to Cody Mullenaux
Despite Mullenaux’s attempts to recover the stolen funds, his claim was denied by the bank. The Federal Trade Commission advises that victims of fraudulent wire transfers should contact their bank, report the transfer and ask for a reversal. However, in Mullenaux’s case, the bank did not handle the matter with urgency, and a reverse wire transfer was not offered.
Even when the victim filled out a claim, it was denied, with the bank stating that Mullenaux himself had authorized the wire transfers. Not even Mullenaux’s phone records, which showed that the victim never made calls to the bank on the day in question, were enough to sway the bank’s decision.
Cybercriminals have advanced their tactics, using readymade software sold in kits to mask phone numbers and mimic bank login pages, leading to increased scams. Unfortunately, victims may not always have their stolen funds reimbursed by the bank. Phishing-as-a-service models have enabled low-level threat actors to carry out significant cyberattacks like this. Let us see how these kits have aided cybercriminals and simplified their work.
How Phishing-as-a-Service has Simplified the Work of Threat Actors
Phishing-as-a-service (PaaS) has simplified the work of threat actors by providing them with a turnkey solution for conducting phishing attacks. The availability of PaaS has made it possible for even technically unskilled threat actors to launch phishing attacks against target organizations for as little as $15 per day.
PaaS providers offer various services, such as creating and hosting phishing websites, crafting personalized phishing emails, and even supporting post-attack activities, such as monetizing stolen data.
With PaaS, threat actors no longer need specialized technical skills or have to invest time and resources into developing and maintaining their phishing infrastructure. This has made it easier for less technically proficient individuals to launch successful phishing attacks, thereby expanding the pool of potential attackers and increasing the overall threat posed by phishing.
How to Protect Against Phishing-as-a-service Attacks?
To protect against Phishing-as-a-service (PaaS) attacks, you should focus on the following:
- Employee Awareness Training: Provide regular phishing awareness training to employees to teach them how to recognize and avoid phishing scams, and include simulated phishing attacks to help employees understand scammers’ tricks.
- Email Security Measures: Implement email security measures such as spam filters and anti-virus software to help stop malicious emails from even reaching employees’ inboxes.
- Multi-Factor Authentication: Use MFA for all sensitive accounts, such as email and financial accounts, for an extra layer of phishing protection that makes it more difficult for hackers to access sensitive information.
- Use Strong Passwords: Encourage employees to use strong, unique passwords for all their online accounts and start using a password manager to make it easier for employees to create and remember strong passwords.
The cyberattack on Cody Mullenaux also involved threat actors using advanced social engineering tactics to dupe him into thinking they were genuine employees, which is why it is essential to take the following steps to protect against social engineering:
- Attack Awareness: Educate yourself and others about social engineering tactics and the types of attacks.
- Verifying the Source: Be wary of unsolicited emails, phone calls, or messages from people you don’t know. Before providing any sensitive information, it would be best to verify the individual or organization requesting the data.
- Be Cautious with Links: Be careful when clicking on links in emails, messages, or websites. If you are unsure about a link, hover over it with your mouse to see where it leads.
- Protect your Personal Information: Be mindful of the information you share on social media and other public websites and the information you transmit over phone calls.
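As an added example (not part of the original article), the hover check from the list above can be done in code: parse the link and look at the host it really points to, not at how it reads. It assumes chase.com is the domain you already trust for your bank; the sample URLs are constructed and use reserved .example names and a documentation IP address.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: domains you already know belong to your bank, taken from your
# card or statement, never from the message that contains the link.
TRUSTED = {"chase.com"}

def host_is_trusted(host, trusted=TRUSTED):
    """True only if host is a trusted domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def inspect_link(url, trusted=TRUSTED):
    """Return the reasons not to trust a link; an empty list means it passed."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible lookalike characters)")
    if not host_is_trusted(host, trusted):
        findings.append(f"real host is {host!r}, not a trusted domain")
        brands = {d.split(".")[0] for d in trusted}
        if any(b in host for b in brands):
            findings.append("bank name appears in host but does not own it")
    return findings

# Constructed sample links (not taken from the incident described above).
SAMPLES = [
    "https://secure.chase.com/login",
    "https://chase.com.verify-id.example/login",
    "https://chase.com@203.0.113.7/login",
    "http://xn--chse-0na.example/",  # constructed label, not decoded here
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link) or "no findings")
```

A clean result only means the link points at a domain on your trusted list; it says nothing about a caller, so the hang-up-and-call-back advice still applies.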
The FTC also clarified: “If a consumer gets a call, text, or email out of the blue from anyone claiming to be from their bank, alerting them of a problem, the consumer should hang up and try calling their bank on a phone number they know to be real.” This is the best advice to follow.
Final Words
The recent case of threat actors utilizing phishing-as-a-service to steal $120,000 highlights the ongoing problem of cybercrime and the importance of staying vigilant against phishing attacks. The case is a reminder that even the most sophisticated security measures can be bypassed by determined attackers and that individuals and organizations must remain proactive in their efforts to protect themselves and their assets by following the guidance provided above.