WEBVTT

00:00.650 --> 00:08.240
In this video, I want to go over an actual spear phishing email that we received and kind of break down

00:08.960 --> 00:14.750
how it was identified and kind of how you can go through the same process to verify whether something

00:14.780 --> 00:16.220
is legitimate or not.

00:17.630 --> 00:22.370
So this email came in and it's from Cook's Direct.

00:22.400 --> 00:29.570
Ah, um, it's from accounts receivable, subject: important change effective December 6th, 2024.

00:29.600 --> 00:33.020
This was sent on the second. Remittance instruction detail.

00:34.220 --> 00:35.990
And it goes on to say, good day.

00:36.020 --> 00:37.250
What's the update on this?

00:37.250 --> 00:42.530
Please could you kindly confirm if this has been updated on your payables system?

00:42.530 --> 00:43.370
Please advise.

00:43.370 --> 00:46.130
The deadline is on Friday the sixth.

00:46.160 --> 00:48.800
See details below.

00:48.800 --> 00:52.400
Let me know if you need a void check or bank letter as well.

00:52.400 --> 00:57.350
And they provide a routing number, a bank account number for Cook's Direct Inc.

00:57.650 --> 01:00.470
Uh, it's a checking account with Premier Bank.

01:00.500 --> 01:02.170
They give the bank's address.

01:02.320 --> 01:03.520
Appreciate your help.

01:03.550 --> 01:05.170
They have the Cook's logo.

01:05.200 --> 01:12.040
They have accounts receivable, the accounts receivable department phone number, email, and the address.

01:13.090 --> 01:14.350
So.

01:16.420 --> 01:18.250
This looks fairly legitimate.

01:18.250 --> 01:21.190
So it's not some weird email address.

01:21.220 --> 01:22.750
It's actually a domain address.

01:22.750 --> 01:27.460
And the company is Cook's Direct and the email is

01:27.460 --> 01:28.990
cooksdirect.us.

01:28.990 --> 01:34.420
So it's a legitimate domain, a legitimate email.

01:34.450 --> 01:35.740
It has the logo.

01:35.740 --> 01:41.200
It has the phone number for the company, the office phone number, email.

01:41.200 --> 01:42.310
They provide the address.

01:42.340 --> 01:43.660
They have the logo.

01:43.960 --> 01:48.130
They have a bank routing number, account number.

01:48.160 --> 01:51.340
They have the bank name and the address.

01:51.340 --> 01:53.770
They're very polite and cordial.

01:54.760 --> 02:00.800
However, basically you have to update the bank account within four days.

02:01.730 --> 02:04.580
So is this legitimate or not?

02:04.610 --> 02:07.160
Again, on its face it does look pretty legitimate.

02:07.160 --> 02:14.720
So in order to determine whether it's real or fake, we could do a few things.

02:14.750 --> 02:24.290
Now if it's going directly to a person, or if it's a very small business, there is a high likelihood

02:24.290 --> 02:27.890
you're going to know what type of vendors you're working with.

02:27.920 --> 02:34.100
Now, if it's a slightly larger organization, well, that can get a little bit more murky.

02:34.130 --> 02:38.450
It could be difficult to determine which vendors are which.

02:38.780 --> 02:42.860
There's typically a lot of different vendors, a lot of different departments working with a lot of

02:42.860 --> 02:43.700
different vendors.

02:43.700 --> 02:49.070
So it's kind of hard to keep track of what vendors you're actually dealing with, especially if they're

02:49.070 --> 02:51.590
dealing with, say, subcontractors or anything else.

02:52.850 --> 02:59.660
So before we get into this, I do want to say if you do the same type of process, make sure you use

02:59.660 --> 03:02.650
a dedicated virtual machine and sock puppets.

03:02.650 --> 03:04.810
You want to protect your identity.

03:06.430 --> 03:09.550
Now, right off the bat, there's a few things we could look at here.

03:09.550 --> 03:09.850
Again.

03:09.880 --> 03:11.830
We can take a look at the email address.

03:11.830 --> 03:14.470
And again, this looks legitimate.

03:14.500 --> 03:16.660
Accounts receivable at cooksdirect.us.

03:16.690 --> 03:25.210
It's not accounts receivable at gmail.com or accounts receivable at, uh, Guerrilla Mail or 20 Minute

03:25.210 --> 03:28.180
mail, some weird domain email address.

03:28.420 --> 03:35.680
We could see there is a routing number, an account number, a bank name and address.

03:35.680 --> 03:37.060
We could see the logo.

03:37.090 --> 03:38.590
We could see phone numbers here.

03:38.590 --> 03:40.840
We could see additional emails and addresses here.

03:41.080 --> 03:48.460
So there's a lot of good information that we could take a look at and figure out whether this is legitimate

03:48.460 --> 03:49.180
or not.

03:50.110 --> 03:53.710
Now one of the first things I like to do is always take a look at the email header.

03:53.740 --> 03:56.500
Take a look at is that email address being spoofed.

03:56.500 --> 04:04.020
And another important thing is take a look at the SPF, DKIM, and DMARC, because if these fail, they

04:04.020 --> 04:07.230
should not come through to our email account.

04:07.890 --> 04:16.710
Now, depending on how you or your corporation has their email account set up, a failed SPF marker

04:16.740 --> 04:20.430
or DKIM may still come through even though it shouldn't.

04:20.670 --> 04:27.930
And one thing I have noticed with Google is, if Google can't figure it out, if it doesn't fail or it doesn't

04:27.930 --> 04:34.680
pass, it'll still let it through because it's not sure what to do with that email, which is pretty

04:34.680 --> 04:35.070
bad.

04:35.100 --> 04:37.740
That's not what you want to happen.

04:37.740 --> 04:38.370
You want that.

04:38.400 --> 04:39.990
You want that to fail if it doesn't know.

04:40.020 --> 04:46.710
If it doesn't quite fail or pass, you want that email to go to spam or you want it to just get rejected.

04:47.790 --> 04:51.270
However, again, that's the case with Gmail at least.

04:51.390 --> 04:54.390
This may be the same with other email vendors, I'm not sure.

04:54.390 --> 05:00.880
But again, what you want to do is take a look at the email header and especially at the SPF and DMARC.

05:00.910 --> 05:02.650
See if it did pass.

05:04.090 --> 05:07.480
The other thing we want to do is take a look at the domain.

05:07.480 --> 05:13.990
So we take out the first part, everything before the @ symbol, and we take the rest.

05:13.990 --> 05:16.420
So cooksdirect.us.

05:17.350 --> 05:24.280
We punch this into a WHOIS lookup and we can see right here, domain cooksdirect.us.

05:24.310 --> 05:25.750
We can see the registrar.

05:25.750 --> 05:28.690
We can see when it was registered and when it expires.

05:28.900 --> 05:33.280
So typically scammers will take a domain.

05:33.280 --> 05:38.740
They'll buy a domain for one year because that's the shortest that you could buy a domain for.

05:39.340 --> 05:45.160
And we could see a lot of different information other than when it was purchased, when it expires,

05:45.160 --> 05:46.570
how long the lease is.

05:46.780 --> 05:49.240
We could see typically other information.

05:49.270 --> 05:52.540
Sometimes we could see a registrant name.

05:52.540 --> 05:59.100
We could see the name here; we sometimes see the organization, the street address.

05:59.220 --> 06:03.210
Sometimes we see phone numbers and email addresses and whatnot.

06:03.930 --> 06:10.080
Now, if it's a scam, they're probably not going to use their real information.

06:10.110 --> 06:13.980
If there is anything at all, it's probably going to be bogus information.

06:13.980 --> 06:17.160
However, we still put this into a people search.

06:17.160 --> 06:19.560
We could take a look at reverse phone searches.

06:19.560 --> 06:25.410
We could take a look at Google Maps, take a look at those addresses, and just double check with that.

06:27.810 --> 06:32.490
And again, what we're looking for is we take a look at the domain, we take a look.

06:32.520 --> 06:40.590
And when it expires. Again, typically scammers will use a short domain if they didn't take over

06:40.590 --> 06:44.370
someone else's domain or take over an account in another domain.

06:44.400 --> 06:50.670
But a one year lease on a domain for a supposed company is usually a red flag.

06:51.720 --> 06:53.160
And why?

06:53.190 --> 06:54.810
Why do they buy domains?

06:54.810 --> 06:57.180
Well, you can get a domain really cheap.

06:57.180 --> 07:03.320
So we could see, I could buy a dotcom for $11, and in some cases you could buy it for $3.

07:03.320 --> 07:09.920
And if I spend a couple more dollars, say 3 to $5, typically I could buy a domain email to make it

07:09.920 --> 07:11.270
look even more legitimate.

07:11.270 --> 07:20.930
So if I buy, say, microsoftsupport.com and I spend $11 for it, well, now I have the domain.

07:20.930 --> 07:21.890
Fantastic.

07:21.890 --> 07:27.590
And I want to buy the Microsoft support email address.

07:27.620 --> 07:29.150
Well, I spend a few more dollars.

07:29.150 --> 07:34.730
I register that email address to my domain, and now I have an email address at my domain

07:34.730 --> 07:36.560
name for under $20.

07:36.560 --> 07:42.320
And that's good for a year, so I can go, you know, go after a lot of people on this.

07:44.090 --> 07:48.170
Another thing we could take a look at since we have the domain, is we could take a look at the domain

07:48.170 --> 07:48.800
website.

07:48.800 --> 07:51.170
We could take a look at it on a regular browser.

07:51.170 --> 07:55.940
We could use things like BuiltWith to find out what type of technologies were used with it.

07:55.940 --> 08:00.870
We could use some subdomain finder programs to take a look at the subdomains.

08:00.960 --> 08:06.450
We could do Google dorks, see if there's anything else hidden within that that we might find

08:06.450 --> 08:07.170
interesting.

08:07.170 --> 08:08.670
We could find passwords.

08:08.670 --> 08:13.200
We could find, uh, documents, PDF files, XLS files.

08:13.230 --> 08:15.720
Google dorks are extraordinarily powerful

08:15.750 --> 08:17.160
when we're doing websites.

08:17.160 --> 08:24.720
I've found passwords and payroll information using Google dorks,

08:24.870 --> 08:28.650
Uh, looking for PDF files, XLS files, and whatnot.

08:28.770 --> 08:34.020
You'd be amazed at some of the stuff that you can find just doing a simple Google dork, uh, an advanced

08:34.020 --> 08:36.180
Google search on these websites.

08:38.040 --> 08:44.340
And since we had some phone numbers, we could punch it into reverse phone number lookups.

08:44.340 --> 08:48.150
Uh, one of my favorite ones for within the United States is Spy Dialer.

08:48.150 --> 08:51.390
So I will typically put a phone number in Spy Dialer.

08:51.390 --> 08:53.370
It'll give me typically a name.

08:53.370 --> 08:56.460
If I could find it, it will give me a basic location.

08:56.490 --> 09:00.650
It will tell me sometimes who the phone provider is,

09:00.680 --> 09:11.900
if it's a landline or if it's a VoIP number. I could take a listen to the voicemail if there is a voicemail,

09:11.900 --> 09:13.250
and that's really handy.

09:13.310 --> 09:19.520
I'm not exactly sure how they do it, but they're able to hit the voicemail without actually having

09:19.700 --> 09:22.610
it ring the telephone, which is a cool trick.

09:22.910 --> 09:26.750
And from the voicemail, we might be able to find additional information.

09:26.750 --> 09:31.550
In this case, we did find a possible owner with a name.

09:31.580 --> 09:37.430
And typically what I'll do is, any information I find, I will put it through additional searches

09:37.430 --> 09:44.360
and additional search engines to determine whether that that matches up, because finding information

09:44.360 --> 09:50.180
on one site is not always going to be up to date or accurate, so you do want to verify your results.

09:52.040 --> 09:56.960
Another thing we can do is we can take a look at the business registry.

09:56.970 --> 10:01.500
And so Cook's Direct is an Illinois business.

10:01.500 --> 10:10.020
So going to a business entity search, I could punch in Cook's Direct in Illinois and it'll give me all

10:10.020 --> 10:13.080
the information: file number, entity type.

10:13.500 --> 10:15.390
When was it incorporated?

10:15.390 --> 10:19.170
Duration, time, annual filing.

10:19.230 --> 10:21.390
Who's the agent, agent information.

10:21.390 --> 10:22.410
What's their status?

10:22.440 --> 10:23.250
Is it active?

10:23.250 --> 10:26.100
Is it inactive, whatnot?

10:26.130 --> 10:33.210
I could take a look at different filings in the history for that and whatnot.

10:33.450 --> 10:38.640
And this is really handy for determining if this is an actual business or not.

10:40.470 --> 10:48.480
And of course we could do a Google search, a Bing search, Yandex search, Baidu, whatever, to look up

10:48.480 --> 10:48.960
Cook's Direct.

10:48.990 --> 10:54.660
Don't just click on the link in the email, because if it's bogus, it's going to take you

10:54.660 --> 10:56.370
to a bogus site typically.

10:56.600 --> 11:00.500
So we do want to look up the actual Cook's Direct website.

11:00.500 --> 11:03.170
And I found it at Cook's Direct.

11:03.410 --> 11:04.790
Um, cooksdirect

11:04.820 --> 11:07.760
.com, not .us.

11:10.130 --> 11:13.340
And we could also do things like,

11:13.340 --> 11:14.840
well, we have a bank routing number.

11:14.840 --> 11:16.430
Is that a real routing number?

11:16.460 --> 11:21.380
Well, we could use a bank routing number verification service that's online.

11:21.800 --> 11:24.410
And this one goes through LexisNexis.

11:24.440 --> 11:25.970
It's free.

11:26.000 --> 11:27.440
It's pretty easy to use.

11:27.440 --> 11:29.450
You punch it in and it does come back.

11:29.480 --> 11:33.950
And it's indeed an actual bank routing number.

11:33.980 --> 11:36.470
It's a real routing number with Premier Bank.

11:36.500 --> 11:40.730
And it gives the different addresses for this particular bank.

11:40.730 --> 11:46.700
So that routing number I know is a real routing number, even though the website they provided and the

11:46.700 --> 11:49.190
phone number they've provided is not real.

11:50.930 --> 11:55.820
And of course we can look up the bank, Your Premier Bank .com in this case.

11:56.770 --> 11:59.020
And so what do we know at this point?

11:59.020 --> 12:01.840
We know Cook's is a real business in Illinois.

12:01.870 --> 12:07.210
The URL is actually cooksdirect.com, not .us.

12:07.240 --> 12:11.500
The phone number they provide is not a business phone number.

12:11.500 --> 12:15.520
And cooksdirect.us is essentially a dead page.

12:15.520 --> 12:18.010
But the bank routing number is real.

12:18.820 --> 12:20.950
So what can we do with this information?

12:20.980 --> 12:22.750
Well, we can contact support at Cook's

12:23.110 --> 12:25.210
.com to verify, which I did.

12:25.210 --> 12:29.050
And they knew right away what I was talking about.

12:29.050 --> 12:31.270
And they said, don't deal with those people.

12:31.270 --> 12:33.100
It's a scam.

12:33.400 --> 12:40.060
Now we could also call Premier Bank to notify them of the fraudulent account, which I did in this case.

12:40.360 --> 12:46.930
They actually didn't want to believe that they had a fraudulent account until I told them that, hey,

12:46.930 --> 12:48.520
this is what happened.

12:48.550 --> 12:52.510
The company verified that the other business is fake.

12:52.540 --> 12:56.660
And yeah, they do have an actual account here with you guys.

12:56.660 --> 12:58.910
And here's the bank account and routing number.

12:58.910 --> 13:00.020
And they did verify it.

13:00.020 --> 13:00.890
Well, yeah, okay.

13:00.890 --> 13:01.940
That is real.

13:01.940 --> 13:04.070
And they sent me off to the fraud department.

13:04.100 --> 13:05.990
I emailed them with information.

13:06.140 --> 13:08.330
You could block the email domain.

13:08.330 --> 13:14.540
You could also contact the police, even though your mileage will vary on whether they're going to do

13:14.540 --> 13:20.000
anything at all or if they're able to do anything. Additional steps we could take is, I

13:20.000 --> 13:27.650
could do some, say, social engineering. I could email them back, you know, um: I tried

13:27.680 --> 13:30.290
to process the information.

13:30.290 --> 13:36.620
Could you fill out this form again, because I can't find your paperwork? And provide a canary token for

13:36.620 --> 13:41.600
them to trigger so I can find their location or IP address and other information potentially.

13:42.230 --> 13:47.870
So this is a walkthrough of an email scam,

13:47.870 --> 13:53.990
how to identify it, the steps that I took to identify it, and I hope this helps you in the future.

13:53.990 --> 13:55.520
Thank you so much for watching.
