Tuesday Oct 15, 2024
How Agencies & Nonprofits are Getting Scammed
A Close Call with Cybercrime: Anatomy of a Modern RFP Scam
For agencies, opportunities can come knocking at any moment. For George, the founder of a successful agency, that knock came in the form of an enticing email from what appeared to be Banana Republic. The message dangled a lucrative contract, promising a monthly budget that would make any agency salivate. It seemed too good to be true – and as George would soon discover, it was.
At first glance, the scam was impressively crafted. A LinkedIn profile for the supposed Banana Republic representative lent an air of legitimacy. The email contained links to the actual Banana Republic website, further disarming suspicion. But it was the Dropbox link that truly showcased the scammers’ cunning. Hidden among genuine Banana Republic marketing materials was an innocuous-looking executable file – the true payload of this elaborate ruse.
Intrigued but cautious, George decided to pull on this thread, engaging in a back-and-forth with the “representative.” As the conversation progressed, red flags began to appear. The contact’s name changed multiple times, from Sarah Gomez to Sarah Lopez, and finally to Ella Brown. The LinkedIn profile URL didn’t match the supposed sender’s name. These inconsistencies piqued George’s suspicions, prompting him to dig deeper.
Seeking expert insight, George reached out to Joshua Peskay, a cybersecurity specialist. Joshua’s analysis revealed the true nature of the threat: the executable file was malware, likely a sophisticated keylogger designed to steal sensitive information and transmit it to the attackers via Telegram.
The implications were chilling. Had George or someone on his team fallen for the scam and run the file, the consequences could have been dire. From ransomware attacks to data exfiltration and extortion, the potential damage to the agency and its clients was immense.
As Joshua explained, this scam represented a new breed of cyber threat, one supercharged by advancements in AI and language models. Gone are the days when broken English or obvious grammatical errors would give away a scammer. Today’s cybercriminals can craft persuasive, contextually appropriate messages in any language, making their lures harder to spot.
The incident served as a wake-up call, highlighting the importance of robust cybersecurity practices:
- Scrutinize unsolicited offers, especially those that seem too good to be true.
- Verify email domains and LinkedIn profiles for inconsistencies.
- Be extremely cautious when downloading files, particularly executables.
- Implement strong endpoint detection and response (EDR) software.
- Use least-privilege access principles for daily computer use.
- Conduct regular tabletop exercises to prepare for potential incidents.
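The lure in this story hid an executable among genuine marketing files, so one practical form of the "be cautious with downloads" advice is to triage a downloaded folder by file content as well as by name before anyone opens anything. The sketch below is an added example, not something from the episode: the file names and bytes are constructed, and the signature and extension lists are a small illustrative subset that complements EDR rather than replacing it.

```python
import tempfile
from pathlib import Path

# Leading bytes ("magic numbers") of native executable formats.
MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}
# Extensions for Windows programs, installers, scripts and shortcuts.
RUNNABLE_EXT = {".exe", ".scr", ".com", ".msi", ".bat", ".cmd",
                ".ps1", ".vbs", ".js", ".lnk", ".hta"}


def classify(path):
    """Return a reason string if the file is runnable, else None."""
    with path.open("rb") as fh:
        head = fh.read(4)
    ext = path.suffix.lower()
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            # Content is executable; say so when the name claims otherwise.
            if ext not in RUNNABLE_EXT:
                return f"{label} disguised with extension '{ext}'"
            return label
    if ext in RUNNABLE_EXT:
        return f"runnable file type '{ext}'"
    return None


def scan_folder(root):
    """Return {relative_path: reason} for every flagged file under root."""
    hits = ((p, classify(p)) for p in Path(root).rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): r for p, r in hits if r}


def demo():
    """Scan a constructed sample folder (names and bytes are made up)."""
    samples = {
        "brand_guidelines.pdf": b"%PDF-1.7 constructed",
        "logo.png": b"\x89PNG\r\n\x1a\n",
        "Campaign_Brief.pdf.exe": b"MZ\x90\x00 constructed",
        "budget_overview.pdf": b"MZ\x90\x00 constructed",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan_folder(root)


if __name__ == "__main__":
    for name, reason in sorted(demo().items()):
        print(f"{name}: {reason}")
```

Checking the leading bytes catches a program that has been renamed to look like a document, which an extension-only check would miss.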