Hi, Dave,
A work colleague experienced a similar hacker attempt today. Here's what happened: I received an email from her, stating that she was on vacation in England, had been mugged and lost her money/credit cards, but luckily still had her passport. She was struggling to pay her hotel bill in order to leave and asked for help. However, the message didn't instruct on how to help. So, some gullible friends replied to the email asking how to help, and received instructions on how to wire funds. (BTW, I was not so gullible, and called her office to find her here in the states).
The original message looked very legit, as it included her normal electronic signature, complete with contact information for her business, phone, website, etc.
She received at least a dozen phone calls of people checking to see if she was OK, but a few folks actually replied and sent funds. We've reported it to the Attorney General's Consumer Protection Office.
An additional downside is that she no longer has access to her account. Evidently the hackers, once in, change the password and user name. She's lost all her business files and is working with her provider to try to retrieve them.
I hope we can somehow ensure this doesn't happen with the NSS site.