Celebrity ‘Shark Tank star Barbara Corcoran loses nearly $400K in email scam, Phishing is a $12 billion business for scammers.

An employee of Shark Tank star, Barbara Corcoran, thought it was a routine wire transfer. The email request did not look unusual, and the amount of the transfer did not raise suspicion. But it was a clever scam, and nearly $400,000 was deposited into the bank account of a phishing scammer. Corcoran, who is well known as one of the “sharks” on ABC’s TV show, Shark Tank, shared details of a cybersecurity breach at her company with ABC News.

"This morning I wired $388,000 into a false bank account in Asia," Corcoran told ABC News.

Unfortunately, Corcoran’s experience is not unusual. Her business was victimized by an attack known as a Business Email Compromise (BEC). The FBI estimates that scammers earn more than $12 billion annually using these types of attacks. BEC is a type of spear-phishing attack that is highly targeted. Typically, the attacker does enough research to know the name and email address of their target, and the name and email address of the person in the company who would normally ask for large sums of money to be wired somewhere. We’ll call this person the requester. Often the target is the CFO and the requester is the CEO.

The BEC attack is fairly simple. The attacker sends an email that appears to be from the requestor, to the target. This email requests that a wire transfer be made to a specific account. If the attacker sends a well-crafted email and asks for an amount of money that doesn’t raise suspicion, they will likely reap the rewards of this scam. Blow is a sample BEC email.

These types of attacks have been happening for more than 10 years, but many people have never heard of them. As targets have become more savvy at identifying phishing attacks, the attackers have changed their approach. In Corcoran’s case, the email was not only a BEC attack, it also used another technique to add some validity to the email request. I doubt the wire transfer would have been made if the request came from a Gmail account, so the attacker registered a domain name that looks very similar to Corcoran’s domain name. We call this a doppelgänger domain or an evil twin domain. As you can see below, the attacker registered the domain name, barbaracorcran.com which is just one character different from the real domain name, barbaracorcoran.com. Many would likely miss this unless they’re looking closely at the sender’s email address.

What Can You Do?

Below are a few steps from my previous blog post on BEC that shares a few small changes to your business processes, you can greatly reduce the risk of being a victim of a successful BEC attack.

1. Education and Awareness: The most important thing you can do is to be aware of this type of attack. Understand that this happens a lot in the business world and make sure that your team knows how to identify these types of scams. I have written about advanced phishing attacks in the past but your company needs regular education and awareness training, even if you are a small company--maybe especially if you are a small company.

2. Testing: If your company does not have a cybersecurity and education and awareness program that includes internal phishing tests of your employees, consider starting that project. The results are typically eye-opening, but studies show that regular testing of employees makes them much better at identifying phishing attacks.

3. Verification Processes: Then, institute processes around money transfers that require secondary verification using a different communications medium. For example, if a request comes in through email, verify with the requester over a phone call.

4. Hire an Expert: Even small and medium sized businesses are being targeted with BEC attacks. While the large corporation likely has a staff of cybersecurity experts on hand who mitigate attacks and manage an education and awareness program, small businesses likely do not. So find an expert. Here is a CSO magazine review of some of the top companies in this business.

Thank you!

In closing, I want to thank Corcoran for making this public. Being scammed can be embarrassing and many people and companies would keep this private. By making this public, Barbara Corcoran is providing a public service, educating many people about this type of attack. Also, a thank you to Corcoran’s Shark Tank cast-mate (pun intended), Robert Herjavec for his media coverage this topic. One of the biggest challenges we have in cybersecurity is to educate the masses and when celebrities share this type of message, it helps us all to be more secure.