California Wildfire-Themed BEC Attack Identified

It is common for phishers to use natural disasters as a lure to obtain ‘donations’ to line their pockets rather than help the victims and the California wildfires are no exception. Many people have lost their lives in the fires and the death toll is likely to rise further as hundreds of people are still unaccounted for.

Whole towns such as Paradise have been totally destroyed by the wildfires and hundreds of people have lost their homes. Many are suffering, have nowhere to live, and have lost everything. Understandably many people want to donate money to help the victims rebuild their lives. The attackers are using the compassion of others to defraud businesses.

A California wildfire phishing scam was recently detected by Agari that attempts to capitalize on the disaster. However, in contrast to many similar phishing campaigns that rely on huge volumes of emails, this campaign is much more targeted.

The scammer is conducting a business email compromise attack using the email account – or a spoofed account – of the CEO of a company. The first stage of the scam involves a quick email to an employee asking if they are available to help. When a reply is received, a second email is sent asking the employee to make a purchase of 4 Google Play gift cards, each of $500.

The CEO asks if there is a local store where the cards can be purchased and asks the employee to make the purchase ASAP and to scratch off the reverse side, get the codes, and email them back. The email claims the CEO needs the cards to send to clients who have been caught up in the wildfires to provide assistance.

While the chosen method of sending assistance is suspect to say the least, and the emails contain grammatical and spelling errors, the use of the CEO’s email account may convince employees to go ahead as instructed. These scams work because employees don’t want to question their CEO and want to respond quickly. Even though a request may be odd, the reasoning behind the request appears perfectly legitimate.

While this may seem like an obvious scam, at least worthy of a call or text to the CEO to verify its validity, some employees will no doubt not question the request. Each one that does as instructed will cost the company $2,000.

This type of scam is commonplace. They are often associated with wire transfer requests. In the rush to respond to the CEO’s request, a transfer is made, which may be for tens of thousands of dollars. The employee responds to the message via email saying the transfer has been made, the scammer deletes the email, and the fraudulent transfer is often not noticed until after the scammer has used money mules to withdraw the money from the account.

Access to the CEO’s email account can be obtained by various means, although a spear phishing attack is common. Spam filtering solutions can help to reduce the potential for the initial attack to take place and two-factor authentication controls can prevent account access if credentials are stolen.

Staff training is essential to raise awareness of the threat of BEC attacks. Policies should also be implemented that require all transfer requests sent via email, and any out-of-bounds requests, to be verified over the phone or via a text before a transfer is made.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of