Catch Of The Week: Business Email Compromise Phishing

By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post

What is Business Email Compromise? It’s a kind of phishing attack in which cybercriminals impersonate high-ranking individuals, such as bosses or CEOs, to trick employees into giving away sensitive information or money. These emails are written to look urgent and legitimate, and they leverage the victim’s trust in their superiors, which makes them very easy to fall for.

I was recently forwarded a good example of this attack by a community member.

On Tue, Jul 22, 2025 at 8:30 AM Linda XXXXXX<president0150150@gmail.com> wrote:

XXXXXX, I am out of the office and have limited phone connectivity. Could you help manage a newsletter publication expense on our behalf using a Zelle,PayPal,ACH or wire transfer?

Dan XXXXX can’t handle it right now. Please let me know if you can help, and I’ll provide you with the vendor’s payment information. I’ll process your reimbursement once the treasurer is available.

Kind Regards,

Linda XXXXX.

This person is involved in a local nonprofit organization, and this email was claiming to be from the president of that organization, asking him to help pay a vendor.

The first thing that stands out to me here is the sender. The mail client would have displayed the spoofed name of the organization’s president, but when you actually look at the email address behind that name it is a fairly random Gmail address, “president0150150@gmail.com”, which just happens to start with “president” (to add to the legitimacy, I guess?).

How hard is it to spoof a sender and make a message look like it comes from the actual person?

It’s not hard at all! Anyone can register a free mailbox and set its display name to whatever they like, and most mail clients show that display name prominently while hiding the actual address. Unless the user inspects the full address and the headers more closely, they might never realize there is an issue. Never trust that a sender is who they say they are; it’s far too easy to put someone else’s name on an email.

Another thing: if this sender was really with the organization, why would they not be sending from an email address associated with that organization? Explaining this away is a frequent part of the scam, with the scammer claiming that they are “out of the office” with “limited connectivity” and so on. Don’t fall for this, it’s a scam.

Finally, the sender is using a sense of urgency to try to get the user to panic and fork over some cash. Never buy into the sense of urgency. Nothing is that urgent; you can take the time to contact the person directly at a known and legitimate phone number. I would not contact them at their legitimate email address either, in case that account was compromised as well, which is possible. Call them at a number you already have, not at any number that arrived in the email thread. If the number is not in your contacts, check the organization’s website and find their actual number there.

My biggest concern with the spoofed email is that the scammer knows too much about the organization. They were able to compose an email showing some knowledge of how things work, name the right people, and obtain the email addresses of various board members. I want to know how.

Either they actually got into the president’s email account and harvested information about the organization, who she corresponds with, and so on, or they simply scraped this information off the organization’s website.

I would definitely advise the person being spoofed to check their email account for signs of compromise, both the organization related one, and any personal accounts they might be using for organization related emails.

Signs of compromise:

  • An inability to log in
  • Unusual activity, like unexpected emails in the Sent folder
  • Password reset notifications you didn’t request
  • Forwarding rules, filters or connected apps you didn’t set up
  • Your contacts reporting strange emails from your address

I would also check the organization’s webpage to see how much information is publicly exposed, and whether it can be reduced. Does the public really need the names and email addresses of your staff and board members? I don’t think so, because if this info is public, the bad guys can get it too. One key element of cybersecurity is reducing your attack surface by hardening: get rid of anything unnecessary to improve your security posture. Do an audit of your website, and remove any information that you don’t need on it and that could be used against you.

These scams are super common, and I just saw a report in the Daily Post that the county was dealing with a similar-sounding scam targeting vendors and requesting payments. Stay safe online and think twice before you decide to help your “boss”, or anyone else, with an urgent or overdue invoice!
