A large-scale phishing campaign is using an unusual lure to earn at least $900,000 by tricking email recipients into believing they’re about to receive a baby grand piano for free.
The campaign, discovered by email security firm Proofpoint, was launched in January 2024 and has distributed over 125,000 emails, mainly targeting North American university students and faculty. However, there have been some cases of emails also targeting healthcare and food and beverage service providers.
A not really free baby grand piano
The phishing emails sent to targets claim to be from a university professor sharing the news that, due to downsizing, a person named Dereck Adams is offering a 2014 Yamaha baby grand piano for free to anyone interested.
The message provides an email to arrange inspection and delivery, and if contacted, the threat actors respond with a message purporting to come from the moving firm, ‘American Van Lines Movers Services.’
That second email contains touches of legitimacy, such as a reference number for the item, dimensions, and weight, and three delivery options.
The email also adds an element of urgency, stating that multiple people have shown interest in receiving the piano and advising that the first person to pay for delivery will receive it.
There are also clear signs of fraud, as the only payment options offered to the recipient are Zelle, PayPal, Apple Pay, Chime, and Cash App, which makes tracing and reversing the payment much harder than with traditional payment methods.
The cost of delivery ranges between $595 and $915, depending on the option, and while it’s substantial, it’s much less than the value of the particular piano, estimated to be between $9,000 and $13,000.
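A defender's view of the lure described above, as an added example that is not part of Proofpoint's report or this article: a small heuristic scorer that flags messages combining the traits just listed (a free high-value item, an advance delivery fee, first-to-pay urgency, and payment accepted only through peer-to-peer apps). The two sample messages, the weights and the threshold are constructed assumptions.

```python
import re

# Constructed sample modelled on the lure the article describes; not a real message.
LURE = """Subject: Free 2014 Yamaha baby grand piano
Due to downsizing, Dereck Adams is giving away his 2014 Yamaha baby grand piano for free.
Contact the mover, American Van Lines Movers Services, to arrange inspection and delivery.
Reference number: 48213 (constructed). Dimensions 5'3" x 4'11", weight 700 lbs.
Delivery options: $595, $755 or $915. Multiple people have shown interest, and the
first person to pay for delivery will receive it. We accept Zelle, PayPal, Apple Pay,
Chime or Cash App only."""

# Constructed benign message that shares vocabulary but none of the fraud markers.
BENIGN = """Subject: Piano practice room
The music department has a Yamaha baby grand piano in room 204. Book it through the
registrar portal; there is no fee for students. Reply to this email with questions."""

P2P_RAILS = ("zelle", "paypal", "apple pay", "chime", "cash app")
TRACEABLE = re.compile(r"credit card|invoice|purchase order", re.I)

# One heuristic per trait of the lure. Weights are an assumption, not Proofpoint's.
PATTERNS = {
    "free_high_value_item": (re.compile(r"\b(for free|giving away|free of charge)\b", re.I), 2),
    "advance_delivery_fee": (re.compile(r"\b(delivery|shipping|moving)\b.{0,60}?\$\s?\d", re.I | re.S), 3),
    "urgency_first_to_pay": (re.compile(r"first (person|one) to pay|(have|has) shown interest", re.I), 2),
}

def p2p_rails_only(text: str) -> bool:
    """Two or more hard-to-reverse P2P rails named and no conventional payment method."""
    lowered = text.lower()
    named = sum(rail in lowered for rail in P2P_RAILS)
    return named >= 2 and not TRACEABLE.search(text)

def analyze(text: str, threshold: int = 5) -> dict:
    """Score one message body; return the matched traits and a verdict."""
    matched = [name for name, (rx, _) in PATTERNS.items() if rx.search(text)]
    score = sum(weight for name, (_, weight) in PATTERNS.items() if name in matched)
    if p2p_rails_only(text):
        matched.append("p2p_rails_only")
        score += 3
    return {"score": score, "matched": matched, "suspicious": score >= threshold}

if __name__ == "__main__":
    for label, msg in (("lure", LURE), ("benign", BENIGN)):
        print(label, analyze(msg))
```

The scorer is deliberately conservative: a single trait alone (a free offer, or a PayPal mention) never crosses the threshold, so it targets the combination that characterises this advance-fee pattern rather than any one keyword.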
Although the tactic employed in these phishing attacks isn’t innovative by any means, its earnings indicate it’s very effective.
Proofpoint says that a single Bitcoin wallet address they could link to this campaign currently holds over $900,000, though whether this all comes from the “free piano” lure is unknown.
“It is likely that multiple threat actors are conducting numerous different types of scams concurrently using the same wallet address given the volume of transactions, the variations in transaction prices, and overall amount of money associated with the account,” reports Proofpoint.
Additional investigation revealed that one of the fraudsters used a Nigerian IP address, leading the researchers to assess with high confidence that at least part of the operation is based in Nigeria.