We’ve got rules in place to check for any incoming email using our own domain name in the header, and block them. Those messages then come to me for inspection; so far I have zero false positives. I probably get 2 or 3 attempts a month of someone impersonating our CEO or CFO, sending an email to someone else in accounting and trying to get us to wire money out.
I typically reply and waste their time for a bit before telling them where to go. Mildly entertaining.
Last night, after much back and forth and eventually telling the scammer that I have completed the transfer, he demands a transaction confirmation. So I sent him one of the many crypto Word docs that come our way. I didn’t hear back from him after that, so either he caught on or he fell for it and it encrypted his system.
In a separate incident, the scammer actually caught on to me wasting his time. So I had a pretty funny exchange with him that went like this:
Fake Boss: I have an invoice due from a company that I would like payment to be sent to them today via Wire Transfer, can I send you their wiring instruction so you can help me get this process right away?
Fake Boss: ?
Me: I can’t process right away.
Fake Boss: Are you kidding?
Me: How urgent is it? I’m swamped.
Fake Boss: This is an International payment.
Me: Ok, to who?
Fake Boss: (he’s caught on to my antics now) Corbett Enders and Account Number is ISIS.
So now I’ve inspected the email header, seen the X-Originating-IP address and geolocated that to a street, city, etc.
Me: Is that in Johannesburg?
Fake Boss: Exactly and Untouchable.
Me: So why are you trying to rip people off?
Fake Boss: What the ■■■■ are you talking about? It’s a job that was provided to us by the Illuminati.
Alright, a little more specific now to see just how untouchable he feels. Assuming any of my research has been accurate: http://geoiplookup.net/ip/220.127.116.11
Me: It is late there, shouldn’t you be going to bed soon? What’s the traffic like on Commissioner St. this time of night?
At this point, no reply.