"whaling (like phishing, but bigger)"
What is the cut off where whaling starts and phishing ends?
Evaldas Rimasauskas, a 48-year-old Lithuanian man, has been charged with defrauding two major US-based internet companies for more than $100m through whaling attacks. Rimasauskas, from Vilnius, was arrested late last week by Lithuanian authorities on the basis of a provisional arrest warrant, according to the US Department of …
Admittedly, not on the same scale or finesse, nowhere near, but this one ran for 6 or 7 years:
Apparently, an example of the scam was that up to 50 pupils (their parents) paid £15 for a "day trip", the secretary kept the cash and school funds paid out the coach firm. And nobody noticed, nor asked questions about the payments, relatively large at a smallish school.
* In respect of a largish firm, a commercial organisation, besides the financial employees one would also have to ask questions about the Auditors. Yet again.
Note that's £35K over 7 years
What you have here is the classic "single person of trust" in a small firm story.
"We've never had a problem, we trust him/her implicitly."
Proper accounting systems don't need trust.
They need separation of authority from request generation and regular oversight. Good systems cannot be gamed without significant collusion, not just one person inside the company.
Actually, my favourite was the one last week about the lifeboat charity treasurer who ebay'd the charity's equipment, including their lifeboat...
I mean, how did they not notice? How far out in the towering waves were they before they realised there wasn't actually a boat under them?
Way down the financial sign off food chain, some lowly clerk who was only allowed to deal with "small sums" would likely be fired if they got fooled by a fraud of a few grand.
But when someone at the top screws up and loses stupid amounts of cash to fraud, all too often there is no penalty for them to pay.