Email Scam Asking Book keeper to transfer money: Anyone faced this, how do they get the names right?

Hi team,
    We have faced two instances where client the scenario goes like this

An email is received by the bookkeeper or the finance team member pretending from the Director.
The email is actually sent using a random with display email and name of the Director which any non-technical person can not find the difference other than the Signatures not being there.

My questions is:
1) How do they manage to get the names so right including the director
2) We have SPF setup for Strict settings, how can we prevent this?

Any ideas will be appreciated.
Costas GeorgiouNetwork AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
First, does company policy even allow financial requests like that?  It is difficult to block an email that is sent to a legitimate email address from outside.  SPF may block sending to others but probably not to your own addresses.
Joseph DalyCommented:
At my previous place of employment we had this happen on two occasions. Below is the best write up I have seen of the scam
Joseph DalyCommented:
Sorry this is actually the doc I was talking about.
5 Ways Acronis Skyrockets Your Data Protection

Risks to data security are risks to business continuity. Businesses need to know what these risks look like – and where they can turn for help.
Check our newest E-Book and learn how you can differentiate your data protection business with advanced cloud solutions Acronis delivers

Costas GeorgiouNetwork AdministratorAuthor Commented:
Its amazing how scammers get away with this.

Will a hardware firewall be able to prevent this?
What is the possible solutions then is your view?

I though SPF would have resolve this but it didn't. (As David mentioned )
Costas GeorgiouNetwork AdministratorAuthor Commented:
What worries me more is how did they get the name of the director and the Bookkeeper right?
I can understand they can get Director from web searches etc but not the bookkeeper.
Joseph DalyCommented:
Hardware firewall probably will not help. Spam filters may or may not catch it. If it is a newly registered domain with accurate mx records that probably won't get stopped either.  

As to how they got the info your users probably gave it to them. Linkedin makes it very easy to see who does what at a company and who may interact with each other only a daily basis. LinkedIn make these connections very obvious.

The most effective way of stopping this is user education. Check the email address, reply to info, or call/ speak directly with the person.

Our finance manager almost made the wire luckily we have approvals in place and the secondary checker called to confirm. It was only then they found out this was a scam.

Policies and procedures are your friend on this type of event.
Dave BaldwinFixer of ProblemsCommented:
It's not amazing, it is an every day occurrence.  Info about company personnel in a public company is often easy to get.  Sometimes as easy as checking the company web site to get the names and emails of the people you want to scam.

And it is next to impossible to block emails that are written as 'legitimate' emails.  The main thing to do is to train the people involved to double check any messages of any kind that request money or credentials.
Costas GeorgiouNetwork AdministratorAuthor Commented:
@ David: By Amazing i meant by the fact that even with strict SPF settings even my own server does not reject the email.
I was under the impression that at least my own server should have rejected the email since i have configured SPF with "-All" setting.

Can this be done?
i can see in the header that the IP is not permitted but email still comes through.
Dave BaldwinFixer of ProblemsCommented:
SPF is about email sent From your addresses, not To them.  It's intended to tell Other mail servers whether your emails sent to them are valid.  If it is to a valid email address on your server, I doubt that SPF is even checked.
Costas GeorgiouNetwork AdministratorAuthor Commented:
Thanks David,,, That makes sense..
So no way to stop these emails other than user training?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dave BaldwinFixer of ProblemsCommented:
Not that I know of.  It's like trying to stop the paper ads in your postal mailbox.  I get hundreds of spam and phishing emails every week.  If you reply to try to get off their list, they know they have a 'good' email address.  Besides, most of those emails are automated.  They only know you're there if you respond to them.  That's the only time people look at them.
Costas GeorgiouNetwork AdministratorAuthor Commented:
More of a discussion , all information provided makes perfect sense
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.