Are you there?
Beware of a malicious fraud campaign that uses these simple words to trick you.
March 28, 2019
It’s a simple sentence, one you’ve probably heard countless times before. However, in the past several months, the simple question “Are you there?” has kick-started a malicious fraud campaign that has cost companies across the world hundreds — and in some cases, thousands — of dollars.
The con goes like this: An email lands in your inbox with a subject line or message body asking, “Are you there?” or something similarly brief. Based on the email signature and the name in the “from” field, it looks like it’s coming from your co-worker or supervisor. If you reply, they’ll say something like, “Please go out and buy 10 $100 gift cards, scratch off the backs and send me the numbers. I cannot do this right now and am unavailable to talk due to this meeting. You will be reimbursed.”
Except you won’t be reimbursed for that $1,000, because — you guessed it — this isn’t actually your co-worker or supervisor. It’s a scammer trying to trick you into thinking you’re giving this information to someone you work with.
Fortunately, there are always things you can do to check the legitimacy of an email message:
- Look at the email address. It isn’t enough to see a familiar name in the “from” field. Look closely at the email address the message was sent from (if you can’t see the address, try hovering your mouse pointer over the name). If the message is a fake, then instead of “email@example.com,” for example, you might see “firstname.lastname@example.org.” If the attack is targeted, you might even see “email@example.com.” If the email address isn’t one you recognize, you’re likely being lured into a scam.
- Check the reply-to address. Email addresses can sometimes be spoofed to appear as though they are coming from a different account. However, you may be able to see the real address if you start writing a reply. If you don’t recognize the address that appears when you click “reply,” you’re likely being lured into a scam. Make sure you don’t send that reply!
- Don’t rely on email. Even if the sender’s email address is legitimate, don’t forget that email accounts can be compromised. If the sender’s request seems unusual, don’t be afraid to give them a call, send them a text or walk down the hall and talk to them. Having a quick conversation could save you from sending your or your organization’s hard-earned money to a scammer.
- Vet the sender. If, for whatever reason, you’re not comfortable reaching out to your colleague, don’t be afraid to ask the sender questions your colleague should know. “Which meeting are you at?” or “What is my extension?” could work.
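The first two checks in the list (the address behind the familiar name, and the reply-to address) can also be run automatically over a message's headers in a mail filter or triage script. The Python below is an added example, not part of the original article; the domain `corp.example`, the staff directory and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's domain and a small directory.
ORG_DOMAIN = "corp.example"
STAFF = {"dana reyes": "dana.reyes@corp.example"}  # display name -> real address

def check_message(raw):
    """Return warnings for the sender-address and reply-to checks."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    warnings = []
    # Familiar name in the "from" field, but not that colleague's address.
    known = STAFF.get(name.strip().lower())
    if known and addr != known:
        warnings.append("display-name-mismatch")
    # Sender address is outside the organization's domain.
    if not addr.endswith("@" + ORG_DOMAIN):
        warnings.append("external-sender")
    # A reply would go somewhere other than the visible sender.
    if reply_to and reply_to != addr:
        warnings.append("reply-to-differs")
    return warnings

# Constructed sample messages (not real traffic).
SPOOFED_NAME = """From: Dana Reyes <dana.reyes.office@mail.example>
To: sam.lee@corp.example
Subject: Are you there?

Are you there?
"""
SPOOFED_REPLY = """From: Dana Reyes <dana.reyes@corp.example>
Reply-To: dana.reyes@mail.example
To: sam.lee@corp.example
Subject: Are you there?

Are you there?
"""
LEGITIMATE = """From: Dana Reyes <dana.reyes@corp.example>
To: sam.lee@corp.example
Subject: Lunch?

Are you there?
"""

if __name__ == "__main__":
    for label, raw in [("name", SPOOFED_NAME), ("reply", SPOOFED_REPLY), ("ok", LEGITIMATE)]:
        print(label, check_message(raw))
```

An empty result only means the address checks passed. A compromised account would pass them too, which is why the remaining items in the list still apply.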
Remember, email is not inherently secure, and many monetary losses and malicious data exfiltrations come from the simplest of emails. Every email, especially those involving financial transactions, should be scrutinized for legitimacy, and if something doesn’t feel right, you should verify the message via other means.
So the next time someone asks, “Are you there?” consider the source and determine if a response is really warranted.