
Scammers have swindled commodities trader Scoular out of US$17.2 million (A$22.1 million, £11.3 million) in a targeted phishing exercise. Local news outlet Omaha.com reported that the company controller at the 800-seat company had followed instructions to wire a series of massive payments to a Chinese bank from emails …
Put this in balance: this guy may have transferred billions in the past, so this may have just been another day's transactions to him. If he's getting 20 or 30 of these a week, it is business as usual.
The amount may seem huge to us, but may have been loose change to them.
Just how quick people are to trust and not question communication. If a stranger walks up to you and tries to convince you of something, most often you have *some* level of incredulity until they identify themselves in some way. But when it comes to phone calls, mail, and email, people are largely defenseless. Even then, one simple bit of information is usually enough to disarm those who are leery. Oh, they know my boss's name, what equipment we use in the office, or they used an official-looking letterhead/graphic.
As stated, this may well have been standard, daily routine and practice for the firm. Yes, they should have had safeguards (any transaction over 'x' you call me to validate); however, how feasible is that really, when often these transfers need to be made immediately, and when you're dealing with dozens of those transactions a day?
Hey-ho.
I'd like to suggest a small change to the article:
"The scam worked because the company in question is stupid enough to wire large sums of money on the basis of a single e-mail with no verification"
It would also be grand if the final paragraph were:
"Company officials responsible for secure transfers and for corporate policies assembled in a conference room and committed seppuku out of shame"
In all fairness, it sounds like it was a bit more than just a simple phishing scam. It sounds a lot more like an old-fashioned elaborate con; phishing was just one of the elements in the grand scheme of things. It sounds like the scammers knew:
1. Who was in charge of transferring money
2. Who was meant to ask for the transfers to be performed
3. Probably how to fake not only the sender's email address to a credible level (so that it doesn't end up filtered straight into the Spam folder), but also the content/format of the email so it doesn't raise alarm bells.
4. Very importantly, that the company intended to buy some businesses in China, possibly in some sort of confidential manner.
Number 4 strongly suggests some level of insider information being involved. So I would say it wasn't just down to poor internal procedures; it sounds like somebody did their homework pretty well. Which is how a lot of successful scams play out, although from a distance it might look like it was just down to somebody not making a phone call to check things.
It's 15 years since I worked in corporate land. But at the time, any transaction over £10k needed two signatures, one of which was from a manager/director in the finance department. And that was the form you filled out before going on the banking terminal to do the actual deed. I wonder if that's now changing in companies to getting an email or text from...
Even a secret deal the CEO is doing must require the knowledge of the Finance Director. And if there's a million in the amount, you shouldn't be taking the CEO's word alone anyway, just in case he's decided to run away with a chunk of the company cash.
"although from a distance it might look like it was just down to somebody not making a phone call to check things"
It is down to a phone call, except the idiot called the "wrong" person:
"McMurtry called a phone number listed in the email which was answered by a scammer pretending to be that contact"
The right person to call ought to be the one apparently requesting the transfer, i.e. the CEO, Chuck Elsea.
I sure don't condone this behavior, but can you imagine the sheer delight these guys must have experienced when that first $940K showed up? That "Holy shit, they fell for it!" moment. And then to get two more, even larger, transfers? Like winning the lottery three times in a row.
You only need one score like that to spend the rest of your life on the beach sipping drinks with little umbrellas.
Regardless of who should have called whom.
The real issue is that a single person could transfer funds of that size without any secondary checks at a bank or the next level up.
If that guy turned bent... it is irrelevant that he had an email from the CEO.
Why was the finance department not noticing that a massive payment had been made to an 'unusual bank'?
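The controls the commenters above describe (two signatures above a threshold, one of them from finance management, a callback placed to a number taken from the company's own directory rather than from the request, and a hold on any payment to a beneficiary the company has not paid before) can be expressed as a small policy check. The example below is added here and is not code from the article or from any commenter; every name, phone number, account string and the £10k-style threshold are constructed for illustration, and the `ceo` directory entry and the `known_beneficiaries` set stand in for whatever verified reference data a real treasury system would hold.

```python
"""Wire-release policy check: dual control, finance approval, directory callback, new-beneficiary hold.

Added example; all reference data below is constructed, not real.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class TransferRequest:
    amount: float
    beneficiary_account: str
    requested_by: str                        # identity the request claims to come from, e.g. "ceo"
    approvals: List[str] = field(default_factory=list)  # distinct roles that signed the request off
    callback_number_in_request: Optional[str] = None     # number the request itself asks you to call


# Constructed reference data: the only place callback numbers may come from.
DIRECTORY: Dict[str, str] = {
    "ceo": "+1-555-0100",               # constructed
    "finance.director": "+1-555-0101",  # constructed
}
FINANCE_APPROVERS: Set[str] = {"finance.director", "cfo"}
KNOWN_BENEFICIARIES: Set[str] = {"ACCT-CONSTRUCTED-SUPPLIER-01"}
DUAL_CONTROL_THRESHOLD = 10_000.0


def check_release(req: TransferRequest,
                  directory: Dict[str, str] = DIRECTORY,
                  known_beneficiaries: Set[str] = KNOWN_BENEFICIARIES,
                  finance_approvers: Set[str] = FINANCE_APPROVERS,
                  threshold: float = DUAL_CONTROL_THRESHOLD) -> List[str]:
    """Return the list of policy findings; an empty list means the transfer may be released."""
    findings: List[str] = []

    # 1. A beneficiary the company has never paid is held until verified out of band.
    if req.beneficiary_account not in known_beneficiaries:
        findings.append("new-beneficiary")

    # 2. Above the threshold: two distinct approvers, one of them finance management.
    if req.amount >= threshold:
        approvers = set(req.approvals)
        if len(approvers) < 2:
            findings.append("dual-control")
        if not approvers & finance_approvers:
            findings.append("finance-approval")

    # 3. The callback goes to the directory number for the claimed requester, never to a
    #    number supplied inside the request. A mismatch is itself a red flag.
    verified = directory.get(req.requested_by)
    if verified is None:
        findings.append("requester-not-in-directory")
    elif req.callback_number_in_request is not None and req.callback_number_in_request != verified:
        findings.append("callback-number-mismatch")

    return findings


def callback_number_for(requester: str, directory: Dict[str, str] = DIRECTORY) -> Optional[str]:
    """The number the controller should actually dial: the directory entry, or None if unknown."""
    return directory.get(requester)


def decide(req: TransferRequest) -> Tuple[str, List[str]]:
    findings = check_release(req)
    return ("RELEASE" if not findings else "HOLD", findings)


if __name__ == "__main__":
    # Constructed request shaped like the one in the article: a large payment to an unfamiliar
    # account, requested by email in the CEO's name, carrying its own callback number, one signer.
    suspicious = TransferRequest(
        amount=940_000.0,
        beneficiary_account="ACCT-CONSTRUCTED-UNKNOWN-99",
        requested_by="ceo",
        approvals=["controller"],
        callback_number_in_request="+1-555-0199",  # constructed; not the directory number
    )
    print(decide(suspicious))
    print("dial instead:", callback_number_for(suspicious.requested_by))
```

The point of keeping `callback_number_for` separate from the request object is the one the thread makes: the number you verify against must be looked up, not read from the message you are verifying.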