So, there’s this guy called Shizzy who has a hobby of sending email pretending to be different people – all in the name of comedy.
In one of his most recent scams he pretended to be the CEO of Starbucks and began a long email conversation with a newly appointed HR Assistant in one of Starbucks’ offices.
(The rest of this post discusses the contents of the email exchange, so don’t continue reading if you want to check out the full transcript first!)
This is a great example of the severity of social engineering in the workplace. Shizzy managed to get this guy to…
- Spy on his manager, including making notes about her comings and goings
- Visit a local Starbucks branch with the view to firing a counter-staff employee (for being too fat)
- Communicate suspected Class A drug use by a member of staff
- Report fraudulent time-keeping by his co-workers
- Purchase a book from Amazon on “business ethics”, highlight important passages and send it to the CEO’s office
Shizzy had this guy so 0wned that he even convinced him to shave his goatee beard off, having communicated “facial hair was against company policy”.
Ok, this was all very funny (very, very funny in fact), but at the same time it was also very dangerous to Starbucks. Shizzy clearly could have requested sensitive business documents, security information, etc.
The heart of this scam was the fact that Shizzy purchased starbuckcorp.com and used this domain to send emails from (Starbucks’ official domain for employee email addresses is @starbucks.com).
Does your corporate email system clearly identify whether an email has originated internally or externally? In the case of Shizzy’s email, his was clearly originating externally but looking like it originated internally. Most corporate email applications (such as Outlook) hide the headers from the user, further helping to mask a rogue email.
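The internal-versus-external question can be answered mechanically at the mail gateway or in a client add-in. The following is an added example, not code from the original post or anything Starbucks runs: it takes the sender domain from the From header, treats the organisation’s own domain(s) as internal, flags domains that merely resemble the brand (the starbuckcorp.com trick above, or a one-letter typo of the real domain) and prepends a visible banner to the subject so the recipient sees the origin even when the client hides the headers. The `ORG_DOMAINS` set, the helper names and the sample messages are constructed for illustration; a real deployment would also consult SPF/DKIM/DMARC results and a public-suffix list, both of which are omitted here.

```python
"""Tag inbound mail as internal, external, or lookalike (added example)."""
from email import message_from_string
from email.utils import parseaddr

# The organisation's genuine mail domain(s); constructed for this example.
ORG_DOMAINS = {"starbucks.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _resembles(label: str, org_label: str) -> bool:
    """True when a label looks like the brand without being it.

    Two heuristics: the recognisable stem of the brand embedded in an
    unrelated label ('starbuck' inside 'starbuckcorp'), or the whole label
    within two edits of the brand ('starbuks'). Short labels are not
    edit-compared, so unrelated short names do not collide by accident.
    """
    stem = org_label[:-1] if len(org_label) > 5 else org_label
    if stem in label:
        return True
    return len(label) >= 5 and len(org_label) >= 5 and levenshtein(label, org_label) <= 2


def classify_sender(address: str, org_domains=ORG_DOMAINS) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From header value."""
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].strip().lower()
    if not domain:
        return "external"  # no usable address at all: never trust it
    if domain in org_domains or any(domain.endswith("." + o) for o in org_domains):
        return "internal"
    # Registrable label, assuming a two-part suffix-free domain (no PSL here).
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else domain
    for org in org_domains:
        if _resembles(label, org.split(".")[0]):
            return "lookalike"
    return "external"


def tag_message(raw_message: str, org_domains=ORG_DOMAINS):
    """Classify a raw RFC 822 message and prepend a banner to its subject.

    Returns (verdict, new_subject) so the caller can log the decision.
    """
    msg = message_from_string(raw_message)
    verdict = classify_sender(msg.get("From", ""), org_domains)
    subject = msg.get("Subject", "")
    if verdict == "external":
        subject = "[EXTERNAL] " + subject
    elif verdict == "lookalike":
        subject = "[EXTERNAL - LOOKALIKE DOMAIN] " + subject
    if "Subject" in msg:
        msg.replace_header("Subject", subject)
    else:
        msg["Subject"] = subject
    return verdict, msg["Subject"]


# Constructed sample messages mirroring the situation in the post.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@starbuckcorp.com>\nSubject: Quick favour\n\nKeep an eye on your manager.\n",
    "From: HR <hr@starbucks.com>\nSubject: Induction pack\n\nWelcome aboard.\n",
    "From: Orders <orders@amazon.com>\nSubject: Your order\n\nThanks for your order.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(tag_message(raw))
```

The banner is deliberately put in the subject rather than only in a header, because the point of the post is that users never see headers; a visible, consistent marker on every external message is what makes a lookalike stand out to a junior employee who has no reason to doubt the display name.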
Sure, with better education this guy would know what to look for when checking the authenticity of the email, but how many people are going to do this for every email they get? New and junior members of staff (who are unaware of custom and practice but still eager to please) are the most susceptible and yet the hardest to educate (is corporate email security at the top of the list of your employee induction programme?).
And yes, with a bit of good old common sense, this guy should have wised up to what was going on far earlier than he did. But don’t forget these emails were engineered for laughs; a real social engineering attack might look like a totally reasonable request.