Weak Passwords Can Be an Expensive Lesson for Homeowners
What happens when a roofing contractor’s proposal to replace a roof for a homeowner is intercepted by criminals?
I am not going to use real names for this story, but it is a story based on a real incident. I don’t want to embarrass anyone. My goal is to educate others to be better prepared for the inevitable. The inevitable is being scammed in one form or another. Being armed with the knowledge of how to recognize a scam and ready to tackle the scammer (metaphorically of course) is a powerful tool in the fight against cybercrime.
In 2021 Top of the World Roofers met with Gary Cabrera, a homeowner in Central Connecticut. Gary suffered some damage to his roof during a recent tropical storm and was looking for quotes to get his roof repaired. Top of the World Roofers provided a free quote as was their standard practice.
TotW Roofers’ standard practice is to review what work needs to be done and send over a quote via email after determining the costs for materials and labor. Gary’s quote was no different.
Brianne, the office manager at TotW sent over a quote to Gary’s email. TotW requires a deposit of half the total quote before work is to begin. A few days after the quote was sent over Brianne received an email from Gary asking if the deposit could be paid via Venmo.
Venmo is a mobile payment service. You install the app on your smartphone, create an account and attach a debit or credit card to it. Once you complete the set up you can transfer money to someone else who uses the app. You can receive money from others as well.
Brianne did not respond to the email right away. An hour later Brianne received another email from Gary that read “Never mind Venmo, I will pay by check”. Brianne thought nothing of this and went about her busy workday organizing TotW’s calendar, answering the phone, and dispatching the workers to job sites.
A few days later Gary called the office. Gary asked Brianne if TotW Roofers had received the $4000 deposit through Venmo. Gary was anxious to get started on his new roof. This is when that sinking feeling starts to kick in.
What Really Happened?
This is a consumer version of a Business Email Compromise (BEC) scam. A BEC scam is a form of phishing that tricks an unsuspecting victim into sending a large sum of money to the wrong recipient by convincing the victim payment details have changed.
In this scenario, Brianne was communicating with Gary using his email address, email@example.com (this is not a real email address; I invented it to help you understand what happened). Gary’s email was compromised due to a weak password and possibly some social engineering. More likely, his credentials were on the dark web from a prior breach.
The criminals were snooping around in Gary’s email, saw the proposal from TotW Roofers, and sprang into action. They replied to the quote email from Gary’s real account but changed the Reply-To address to a very similar one, firstname.lastname@example.org. Apparently Brianne did not reply quickly enough for the criminals, so they also spoofed TotW’s email and replied to Gary, “Yes, you can pay through Venmo,” and even provided the Venmo details.
The criminals then sent another email from email@example.com stating “Nevermind Venmo, I will pay by check”. Now Gary thinks Venmo is fine, and Brianne thinks there’s no point in responding to the email. The criminals inserted themselves into the email conversation between Brianne and Gary. In doing so they tricked Gary into sending money to the wrong Venmo account and tricked a busy Brianne into thinking that replying to Gary was not urgent.
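The trick above works because a reply goes to the Reply-To header, not to the visible From address, and the two are never compared by a busy human. The following is an added example (my own illustration, not code from the original post or from TotW's systems) of the check an office mailbox or a mail gateway could run on every inbound message: parse the headers, report where a reply would actually be delivered, and flag a Reply-To domain that merely resembles the From domain. The sample message, the names and the domains in it are constructed to mirror the incident.

```python
"""Flag replies that would go somewhere other than the visible sender.

Added example, not code from the original post. The message below is
constructed to mirror the incident: From is the homeowner's real address,
but Reply-To has been changed to a lookalike domain.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample message (not a real capture).
SAMPLE_EMAIL = b"""\
From: Gary Cabrera <email@example.com>
Reply-To: Gary Cabrera <firstname.lastname@example.org>
To: Brianne <office@totw-roofers.example>
Subject: Re: Roof replacement quote
Message-ID: <constructed-001@example.com>

Hi Brianne, can I pay the deposit through Venmo instead?
"""


def _domain(addr):
    """Return the lowercased domain part of an email address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-identical lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_reply_to(raw):
    """Parse a raw RFC 5322 message and report where a reply would actually go.

    Returns a dict with the From and Reply-To addresses, the effective reply
    address, and a list of human-readable findings (empty means nothing odd).
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Mail clients send replies to Reply-To when it is present, else to From.
    effective = reply_addr or from_addr
    findings = []

    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To ({reply_addr}) differs from From ({from_addr})")
        from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
        if from_dom != reply_dom:
            # Same name under a different TLD, or a one- or two-character
            # change, is the classic lookalike pattern.
            from_name = from_dom.rsplit(".", 1)[0]
            reply_name = reply_dom.rsplit(".", 1)[0]
            if from_name == reply_name or _edit_distance(from_dom, reply_dom) <= 2:
                findings.append(f"Reply-To domain {reply_dom} looks like {from_dom}")

    return {
        "from": from_addr,
        "reply_to": reply_addr,
        "effective_reply_address": effective,
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_reply_to(SAMPLE_EMAIL)
    print(f"A reply would go to: {result['effective_reply_address']}")
    for finding in result["findings"]:
        print("  !", finding)
```

Run against the constructed message, the check reports that a reply would go to firstname.lastname@example.org and raises two findings; a message with no Reply-To header, or one matching From, produces none. In a real deployment the same function would be fed each inbound message by the mail gateway, and the findings would either tag the subject line or hold the message for a second look before anyone acts on a payment request.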
A few days later when Gary hadn’t heard back from TotW Roofers he started to wonder what was going on and called the office. After speaking to Brianne, he realized he was scammed. Brianne informed Gary that they do not use Venmo for payments. Gary became upset at Brianne and TotW Roofers believing it was their fault. That’s when they reached out to me to investigate.
I reviewed the email exchange and a few other details to determine what happened. After reviewing with Brianne I was able to ascertain what the criminals did. At this time Gary was very unhappy and maintained that TotW was responsible for what had occurred. For the most part, the compromise was Gary’s fault (weak credentials). TotW made one mistake, though.
TotW was using free email through the web hosting company rather than a service provider like Google or Microsoft. They did not have DNS settings to prevent email spoofing in place because the web hosting company did not provide that level of security for their free email. That is how the criminals were able to spoof an email from TotW Roofers’ domain.
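The DNS settings referred to above are the SPF and DMARC TXT records that tell receiving mail servers which servers may send for a domain and what to do with mail that fails that check. What follows is an added example (mine, not code from the post or from TotW's hosting provider) of a small posture check: it reads the two records for a domain and explains why a domain with no records, or with permissive ones, can be spoofed. DNS is simulated with an in-memory table so the script runs offline; every domain and record in it is constructed, and a real tool would replace `lookup_txt` with an actual DNS query.

```python
"""Assess whether a domain publishes the DNS records that let receiving mail
servers reject spoofed messages.

Added example, not code from the original post. DNS lookups are simulated
with an in-memory table so it runs offline; the domains and records are
constructed, not real.
"""

# Constructed TXT records keyed by DNS name. A real tool would query DNS
# (for example with dnspython) instead of reading this dict.
FAKE_DNS_TXT = {
    # Free web-host email, as in the story: nothing published at all.
    "totw-roofers.example": [],
    "_dmarc.totw-roofers.example": [],
    # A hardened domain: strict SPF and an enforcing DMARC policy.
    "hardened.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.hardened.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hardened.example"
    ],
    # Records present but weak: SPF ends in +all and DMARC only monitors.
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT lookup (assumption: table above is the zone)."""
    return FAKE_DNS_TXT.get(name.lower(), [])


def parse_spf(records):
    """Return the qualifier on the SPF 'all' term (+, -, ~ or ?), '?' when the
    record has no 'all' term (unmatched senders are neutral), or None when
    there is no SPF record at all."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            for term in rec.split()[1:]:
                if term.lower().lstrip("+-~?") == "all":
                    return term[0] if term[0] in "+-~?" else "+"
            return "?"
    return None


def parse_dmarc(records):
    """Return the DMARC record's tags as a dict, or None if no DMARC record."""
    for rec in records:
        if rec.strip().lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_domain(domain):
    """Summarise how well the domain's SPF and DMARC records resist spoofing."""
    spf = parse_spf(lookup_txt(domain))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}"))
    issues = []
    if spf is None:
        issues.append("no SPF record: any server may send as this domain")
    elif spf == "+":
        issues.append("SPF ends with +all: every sender passes")
    elif spf == "?":
        issues.append("SPF has no 'all' term: unmatched senders are neutral")
    if dmarc is None:
        issues.append("no DMARC record: receivers are not told to reject failures")
    elif dmarc.get("p", "none").lower() == "none":
        issues.append("DMARC p=none: failures are reported but still delivered")
    return {
        "domain": domain,
        "spf_all": spf,
        "dmarc_policy": dmarc.get("p") if dmarc else None,
        "spoof_resistant": not issues,
        "issues": issues,
    }


if __name__ == "__main__":
    for name in ("totw-roofers.example", "weak.example", "hardened.example"):
        report = assess_domain(name)
        status = "ok" if report["spoof_resistant"] else "at risk"
        print(f"{name}: {status}")
        for issue in report["issues"]:
            print("  -", issue)
```

For the constructed TotW domain the report lists both "no SPF record" and "no DMARC record", which is exactly the condition that let the criminals send mail as TotW Roofers; the hardened domain comes back clean. The fix in the story's terms is to publish an SPF record ending in `-all` and a DMARC record with `p=quarantine` or `p=reject`, which a paid mail provider typically sets up as part of onboarding a domain.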
Gary became standoffish and unwilling to work with me on investigating further. He did try to recover the money through Venmo, but I do not know if he was successful. I also know Venmo and similar services (I’m looking at you Cash App) are attractive targets for criminals in large part because the user population of these apps is usually not very savvy about scams like this.
In all, the potential costs of this attack:
- Loss of reputation for TotW Roofers
- Lost productivity due to time spent reviewing the incident
- Lost peace of mind
In the grand scheme of things $4000 is not a lot of money, but to a homeowner needing their roof repaired it is a significant amount of money. Had this been a 6 or 7 figure loss, insurance and/or legal would probably have been involved. That would have been a lot messier. Typically, criminals target bigger paydays, but targeting smaller dollar amounts allows the cybercriminals to fly under the radar. A 7 figure payday will raise a lot of red flags and draw unwanted attention for the criminals. Still, $1,000,000 is a very tempting reward for a scammer.
No one is safe from potential scams. This incident illustrates how human nature can lead to financial loss, stress, and a reputation hit for a business at a minimum. It could have been far worse and depending on what else was in Gary’s email it may have been.
Reusing passwords because that’s easier to manage, not questioning payment details, and cutting corners on email security are all human elements. There was very little use of technical skills in this compromise. It likely began with some social engineering or reuse of credentials found on the dark web from a previous breach. It all started with the human element.