CEO Wire Transfer Fraud

Update 13th May 2016: These people are still operating but are now using “” and were phishing for “What is our limit on same day transfers?”

And attempted to request a transfer of ~10,000 GBP to the following:

G Tarasiewicz Co.
Sort code: 30-90-88 (Lloyds Bank)
Account Number: 23838860

Today I was asked to investigate a suspicious e-mail that a client in the financial industry received this morning.

The recipient is currently out of office / on holiday. The supposed sender is in the office.

Here is the initial scam message purporting to be from one of the directors at the company.

On Monday, October 19, 2015, Adam REDACTED <> wrote:

Hi Scott,

I will need you to make a wire transfer for me today. What information will you need?


Sent from my iPhone

The out of office (victim) recipient then replied:

Sent: Monday, October 19, 2015 at 10:20 AM
From: “Scott REDACTED” <>
To: “Adam REDACTED” <>
Subject: Re: Request for October 19, 2015

Hi Ad – is this you?

Let me know what you need.


It is just a quirk of the e-mail client so it looks like the reply went to an address at the company domain. However their normal e-mail format is and _not_ the as shown in the quote above.

Then came the reply from the scammer:

From: “Adam REDACTED” <>
Date: 19 October 2015 05:51:15 GMT-4
Subject: Re: Request for October 19, 2015
Reply-To: “Adam REDACTED” <>

Hi S – yes, I started thinking you did not receive my email.

I need to make an urgent payment this morning, in the form of a wire transfer. Can you tell me what information you need to make this transfer?


Note that this time the e-mail shows a “Reply-To:” address off-domain. This is more what I would expect from a scam like this.

The details they want the payment sent to are the following:

Hi S – I need you to make a quick wire of £24,730 to cover a payment, I will send you the expenditure details for proper coding later today.

Details as follows:

Barclays Bank Plc

Account name: Milica Solutions
Account Number: 03865479
Sort code: 206412

Reference: REDACTED

Let me know when it’s done. Thanks


aka. Sort code: 20-64-12

It seems the e-mails were sent with a spoofed From address using a GoDaddy authenticated webmail session with the username “”.

Headers of the messages show that the IPs using the webmail account were: “” a UK cable provider customer “” a UK cable provider customer (An IP address assigned to BCM Netco Solutions hosted at RapidSwitch in the UK)
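The off-domain “Reply-To:” noted above is something a mail filter or triage script can check for. Here is an added example (not part of the original post) that flags it together with payment-request wording; the sample message, the example.com / example.net domains and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; example.com / example.net are placeholder domains.
SAMPLE = """\
From: "Adam Director" <adam@example.com>
Reply-To: "Adam Director" <adam.director@example.net>
To: "Scott Finance" <scott@example.com>
Subject: Re: Request for October 19, 2015

I need to make an urgent payment this morning, in the form of a wire transfer.
"""

# Phrases taken from the scam messages quoted in this post.
PAYMENT_TERMS = ("wire transfer", "urgent payment", "sort code", "same day transfers")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def bec_indicators(raw_message, org_domain):
    """Return a list of reasons this message deserves a manual check."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    reasons = []
    if from_dom == org_domain and reply_dom and reply_dom != org_domain:
        reasons.append("internal From but Reply-To at " + reply_dom)
    elif reply_dom and reply_dom != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    # Collect the plain-text parts (handles single-part and multipart mail).
    body = " ".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    ).lower()
    hits = [term for term in PAYMENT_TERMS if term in body]
    if hits:
        reasons.append("payment language: " + ", ".join(hits))
    return reasons
```

A message that trips both checks, as the scammer's second e-mail would, is a candidate for holding until the supposed sender confirms the request by phone or in person.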


2 Responses to CEO Wire Transfer Fraud

  1. Pingback: Bank account used in Nigerian “Invoice” fraud from hacked email accounts | thecomputerperson

  2. Pingback: Further CEO Email fraud.. | thecomputerperson
