One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)
An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.
Encryption and Digital Signatures (Score:5, Insightful)
If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.
Re:Encryption and Digital Signatures (Score:5, Insightful)
Surely she should at least have called him on the phone to confirm the request?
Re:Encryption and Digital Signatures (Score:5, Funny)
$40m is different from $40M. 4 cents isn't a big deal.
Re: (Score:2)
Goddamn Marketing, always ruining our maths
Re:Encryption and Digital Signatures (Score:4, Insightful)
What line? Use digitally signed mails everywhere and the line can as well be drawn at a single cent, it's not like there's any overhead involved.
The first thing that happened when the first scam hit the papers was that we ensured everyone knows how to spot mails with bogus signatures (we have had encrypted+signed mails as a standard for a few years now); that was basically all we had to do.
Re: (Score:2)
It is not a silver bullet, but it would deflect the attacks to companies not implementing it. As you point out, criminals go for the low hanging fruit. If my revenue is the same whether I target easy prey or whether I have to overcome even a not too sophisticated security process, I go for the easy target.
You don't have to run faster than the lion. Only faster than the slowest one in the herd.
Re: (Score:3, Informative)
You don't even need that, all you need to do is separately reverse the conversation to confirm.
Get an e-mail from the CEO asking for X? Look the CEO's phone number up in your rolodex and CALL them to ask for confirmation that you should do X.
This form of "authorization verification" has been around for hundreds of years, ever since someone could forge a letter.
(Email equivalent is to compose-new-email and choose their e-mail from your enterprise contacts, NOT reply to the existing message.)
Re: (Score:3)
"Are you questioning my orders? Are you trying to undermine my authority? WHAT IS WRONG WITH YOU???"
Re:Encryption and Digital Signatures (Score:5, Informative)
But seriously, in a large company like that I wouldn't expect such large transactions (or even small ones) to happen without prior authorization in the ERP system. The finance guys won't transfer even a handful of euros without having the beneficiary in the system or if there is no PO and invoice, or transfer order (or whatever these things are called). Email by itself should not be considered sufficient authorization, ever, certainly not an email that also contains the request and bank details.
Re: (Score:2)
Get an e-mail from the CEO asking for X? Look the CEO's phone number up in your rolodex and CALL them to ask for confirmation that you should do X.
In an organisation big enough for $40m to be a normal sized transaction, you'll probably never even see the CEO, never mind get his direct phone number.
Re: (Score:3, Funny)
Can you confirm you want to fire them all?
Re: (Score:2)
Sure. With the lack of their next paycheck.
Re:Encryption and Digital Signatures (Score:5, Insightful)
Your company is just ripe for this kind of scam, then.
This is why companies with any sense, and decent financial auditing, have a non-negotiable, set procedure for moving money around. Especially when dealing with large sums like 40 million Euro. All that tedious form filling, signing and authorising is not done just to give the admin staff additional work, and a sense of power. It's to prevent the company being scammed.
Re: (Score:2)
Like CXX level managers are going to bother with that stuff. If everything isn't dumbed down for them enough to be used by a toddler, it's the IT manager's head that will roll.
But if you know about computer security you already know this.
Re: (Score:2)
But if you know about computer security you already know this.
One of my colleagues, who does IT security work, told me that the biggest security threat is "the loose nut behind keyboard."
I think that sums it up quite nicely.
Re: (Score:2)
PEBKAC will always be the biggest issue in IT.
Re: (Score:3)
That's why a good CEO knows what to hand over and listens to what comes back. He doesn't need to know anything about "that computer stuff". What he needs is a CIO and a CISO who do, who tell him what is necessary, and he needs to heed their advice, because that's why he pays those two (and it better be two) more than their staff combined.
Of course, if you use the CISO position as a scapegoat ejector seat, that's of course also doable. It just might be more expensive.
Re: (Score:2)
If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.
Secure crypto tools are illegal to export overseas and there's a good chance they are running Windows. Open source tools don't suffer the same issue, but they do lack a huge amount of the business-specific features needed for an enterprise that large (not to suggest it's impossible, but it's practically impossible given the small number of people capable of operating an open source enterprise scale environment and the number of them needed to keep it running.)
Re: (Score:2)
I think DeVry needs to update their course materials.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
At least say Germany, we're not all as insane as that country with its Wheelchair-Goebbels [wikipedia.org].
Re:Encryption and Digital Signatures (Score:5, Interesting)
1. Set up a PC with the app
2. Ring up the bank to impersonate a user. Send in a copy of a signature on file
3. Receive password, and empty the account
Bank transfers occur overnight and international takes two days. So if it was done before the afternoon cutoff, you could have the money out of the country within 36 hours. Some of our customers had hundreds of millions of dollars.
The only thing stopping me was balls not made of steel. Looking back I should've done it. Even if caught I'd be out of jail by now
Re:Encryption and Digital Signatures (Score:5, Insightful)
I'd say you were also stopped by an upbringing that wasn't completely worthless and didn't turn you into a sociopath.
Re: (Score:2)
Sociopaths are born that way, what they don't have to be is a psychopath. I don't trust sociopaths, but they're not all evil.
If he was a psychopath, he would probably be involved in managing the bank; those people are usually the ones who steal from the bank.
Re: (Score:2)
That only works if the person receiving the email knows to check it for authenticity.
Re: (Score:2)
If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.
If they had used basic checks by other staff that have been around for MILLENNIA they could have prevented this. One person should not be able to sign off on 40 billion Euro.
But it's the same problem with PKI and mail. It would simply cost too much to implement, just as it would cost too much in extra staff to ensure that no-one makes mistakes.
The weak link here isn't the technology, it's the people. It's not an email that was tricked into transferring 40 million, it was a person. You can't fix people w
Re: (Score:2)
Day word, cottonmouth. Command word, trinity. Action word, Jericho.
Re: (Score:2)
Where did you get your MBA? I was thinking I might like to not enroll there.
Re: (Score:2)
AP knows who is supposed to be paid, AR has no idea...
Raising a cheque in AR would be much more unusual, so it would come under more scrutiny.
Also, you wouldn't be sending them an invoice, it would be some sort of refund that would be tied to a sale, surely?
Re: (Score:2)
He can't hear you at the bottom of that hole he's digging.
IT Contractors (Score:5, Insightful)
Re: (Score:2)
Not just contractors - entire companies are in on that sort of scam in India. In the UK the government and various companies think nothing of sending our private data to the cheapest bidder in Bangalore, then react with shock and horror when - surprise! - some of the data goes walkies. I honestly wonder sometimes if there's a maximum IQ allowed for CEOs and ministers because surely people can't honestly be this stupid that they didn't foresee this sort of thing?
Aren't transactions like this tracked? (Score:4, Interesting)
Are not transactions like this tracked along the way and why can't the banks just reverse all the transactions?
Re: (Score:2)
Being an American, and therefore used to our banking system, this was always something I was wondering about with wire transfers. Apparently, they are instant and basically the same thing as handing a bag of cash to the recipient. Once the recipient takes the cash, it's irrevocable - they would have to agree to give you your bag back if you wanted the money. Same thing goes for these bank transfers - anyone with the authority over the company's bank accounts is a target for scams like these. We 'Muricans ar
Re: Aren't transactions like this tracked? (Score:2)
What are you talking about? There are plenty of consumer protection laws. For less than $20k most financially responsible people can get credit for 45 days with no interest.
We use ACH for almost everything and as long as the money isn't withdrawn, it is reversible. And you can't just send people ACH anytime. You have to first set up a trust with both accounts that both sides validate.
Granted if you send someone 10k instead of 1k, a normal person can't reverse it without the other party. Only other recourse
Re: (Score:2)
Granted if you send someone 10k instead of 1k, a normal person can't reverse it without the other party.
Right. Your $9,000 is gone. And you have to sue to get it back. Most of the rest of the world would prosecute the receiver's refusal to return what isn't theirs as fraud or theft. So you just give back that which isn't yours. Unless you are in the US.
What are you talking about? There are plenty of consumer protection laws.
Great, so if you buy a car off Craigslist, and it turns out the car was a lemon and the seller knew and didn't disclose, do you have any option other than to sue? No? Then there are no consumer protection laws. P.S. You'll lose the lawsuit, after spending mo
Re: (Score:2)
Just a minor point, but most consumer protection laws don't cover private transactions between individuals - they would only apply if the person you bought off of on your equivalent of Craigslist was a business and was selling as a business.
Re: Aren't transactions like this tracked? (Score:2)
No, most of the world does not have the state prosecute as theft. Maybe in the EU but not elsewhere*. It normally isn't considered a crime for mistakes between private parties. It would be considered a civil matter here.
As for Fraud, you are stepping into a whole new area of legal space. Yes, we all pretty much have the same laws. It is a state crime, not civil.
As for the rest of your post, we have the same, if not better laws in the US if the other side is a business. Even on Craigslist, if that person
Re: (Score:2)
As for Fraud, you are stepping into a whole new area of legal space. Yes, we all pretty much have the same laws. It is a state crime, not civil.
Nope. Same coin. Perhaps separate side. Since we are all in agreement that US law doesn't protect dumb consumers that make a bad choice, let's look at fraud. The seller encourages a bad choice. I think it would be safe to say that fraud is universally illegal. The only question is where one draws the line between civil and criminal, and victim-blaming. In Nigeria, 419 scams are legal, because the law explicitly blames the victim. So the scammers craft their scams to make sure the scam is legal. That p
Re: (Score:2)
In Europe it depends on who you are and how much is involved. For individuals with relatively small amounts they will often just reverse the transaction if you have proof that they were at fault somehow. If you were scammed though they might refuse or at most try to recover as much money from the destination account as they can. Since it will likely have been drained that will be €0.
Generally speaking when someone steals money the victim gets back what is left only. If they spend half of it, that money
Re: (Score:3, Funny)
What, you mean that the money doesn't flow, a few dollars at a time, from one account to the other, with a progress bar to show how much has transferred, like Hollywood has shown me in countless movies and TV shows?
I'm shocked! </sarcasm>
Re: (Score:2)
Once the recipient takes the cash, it's irrevocable - they would have to agree to give you your bag back if you wanted the money. Same thing goes for these bank transfers - anyone with the authority over the company's bank accounts is a target for scams like these.
This is the same everywhere. And it's like that because how else would any banking system work effectively?
At some point you have to agree to execute a transaction, and you have to trust that the person with the money is responsible with the authority they possess. As a receiver I have to expect certainty over that transaction so I can operate efficiently. Any other system introduces complexity, cost and inefficiencies, and doesn't necessarily solve the initial problem.
Re: (Score:2)
Nah, I kinda call bullshit. There's got to be more to this story.
I knew a guy who worked for a major US financial institution. His whole job was correcting for these kinds of errors. Like, money would get transferred to the wrong account all the time, and his job was to call up the other financial institution and say, "Yeah, we made a mistake, we need those millions back." And they would be returned.
Now, mind you, these were errors on the financial institution's part. It wasn't some dumb customer making the
Re: (Score:3)
There was no recovery of your money. Someone ate the cost of the loss: either your bank or the merchant.
No, it's gone. The money will have flowed thr
Re: (Score:2)
There was no recovery of your money. Someone ate the cost of the loss: either your bank or the merchant.
It sounds like you've never had money stolen from a bank account via a debit card, and I hope you never have to go through that. But I can tell you it's a pain in the ass. Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.
Re: (Score:2)
Likewise, I don't use a debit card, except as a last resort. Instead, I use a credit card. My card has seen fraudulent transactions as high as $3000. In every case, because of the legal protections provided to credit card holders, these fraudulent transactions did not cost me anything.
But my point was that, in your case, the thieves probably got away with the money. The transactions were not reversed all the way through the chain to the thieves' bank account.
Re: (Score:3)
It sounds like you've never had money stolen from a bank account via a debit card, and I hope you never have to go through that. But I can tell you it's a pain in the ass. Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.
You aren't listening... The bank didn't get your money back, the bank gave you some of its own money...
Re: (Score:2)
It's more like an insurance payout. All those pesky merchant fees make a tidy profit for the bank, certainly; but they also fund theft insurance. I don't know how this works with any of the new "fintech" out there. I have a feeling it doesn't. Users of fancy new mobile currencies, beware.
Re: (Score:2)
Nope, I'm reading.
The irony is that for all the nonsense you just typed, you STILL aren't reading, because you didn't bother to understand the OP you replied to, and no, you didn't get YOUR money back, you got someone else's money back.
But go on being an idiot, the world is full of them...
Re: (Score:2)
But did you really have to sink to name-calling? I thought you were better than that.
Re: (Score:2)
Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.
My debit card has a gigantic Visa logo on the front. Doesn't yours?
Re: (Score:2)
So what? That logo doesn't make it a credit card, and it certainly doesn't mean that the protections that are required by law for credit card holders apply to your debit card.
Ultimately, that's the difference: if there is fraud on a debit card, your refund depends on the bank's policies and customer service reps. If there is fraud on a credit card, the law requires the credit card company to refund most, if not all of the fraudulent char
Re: (Score:2)
Debit cards are a million times safer than credit cards.
Interesting that parent was downmodded, even though it is more or less true. Credit cards use an inherently unsafe system secured only by the knowledge of a few numbers, whereas debit card transactions (EFTPOS) always require authorisation by the bank, entry of a PIN code that is verified remotely and nowadays almost always use a chip on the card (EMV). Moreover, a credit card charge is limited only by the maximum credit the card was issued for, while a debit card transaction is limited by the account balance.
Maybe where you're from, but here in the UK both my credit cards (along with both my debit cards) have chip and PIN which are verified online. It's standard here; there's no difference between the two.
Furthermore, under UK consumer credit law, if you buy something that's worth more than £100 using a credit card (even if you only pay 1p of that amount on the credit card), the credit card company becomes jointly liable with the supplier if something goes wrong; this can be invaluable if, for example, y
Re: (Score:2)
That may be true when you pay with your card in a shop, but a credit card also allows initiating a payment using only the card number, the expiry date and three numbers on the back. No such thing is possible with a debit card.
Errrr... I regularly use one of my debit cards to pay one particular utility bill across the internet, using only the card number, the expiry date, and the three numbers on the back. (And no, I'm not thrilled with that, however it's more-or-less necessary for reasons too tedious to go into.) However, it also sometimes asks for some letters from my Verified by Visa password but by no means always. Mind you, my credit cards also have Verified by Visa (or the Mastercard equivalent) passwords, so again, no d
Re: (Score:2)
The thief got your money and spent it on good times.
Re: (Score:2)
I guess the banks figure "why should we?"
It's not their fault the money has been transferred fraudulently, they have no responsibility and by not getting involved they avoid possible legal liabilities.
However, you'd think that the police/interpol could track the movement of the money -- after all, it's not like someone is going to rock up to an ATM and withdraw 40 million Euros in cash, is it?
Re: (Score:2)
Small nitpick here.
The tradition of using the word smurf as a method to remain incognito comes from "e-sports" where known players would play under a different pseudonym than the one they usually are known by. The case it was popularized from was when a known player used the pseudonym "smurf" instead of his regular one.
You can hire someone to go to the ATM, but it wouldn't be called a smurf. A smurf would be if the Nigerian prince would start to refer to himself as a Russian businessman to make sure that people who are familiar with the Nigerian letters wouldn't catch on as fast.
I thought he just meant you got someone to dress in a smurf costume to use the ATM so it would be harder to identify them on CCTV.
Clearly, I know nothing about "e-sports".
Re: (Score:2)
If you got tricked or scammed into transferring the money, the receiving bank doesn't care about your stupidity. You are effectively asking them to take money out of their customer's account with no authority (only the court can do this).
Most banking systems are run on batch jobs which run overnight domestically or maybe 2 days for international.
Re: (Score:2)
Are not transactions like this tracked along the way and why can't the banks just reverse all the transactions?
Well, two reasons.
Usually by the time that they've figured out that they've been had, the crims have had plenty of time to move the money through fronts, foreign banks and whatnot for anyone to be able to do anything about it. Any trace on the money has been lost.
The second reason is because the banking system would collapse.
Much like certificate authorities in PKI, banks are trustworthy sources. So the entire banking system relies on banks paying their debts. If a bank reneges on what it has agreed to pay after
Re: (Score:2)
Imagine you're running a business. A person you've never heard of (let alone met) calls you up wanting a load of expensive stuff. Fortunately one of your employees has a brain and suggests you get payment in advance. Many many dollarpounds land in your account, and you release the order.
As the truck pulls out of the gate, PYNHO(LAM) hits ctrl-Z and the progress bar starts running from right to left ...
Sounds like a problem with BPO (Score:4, Insightful)
The company I work for is a medium size multinational. We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work. I've been working there for a while, and it seems to me that routine work is getting shipped to cheaper and cheaper countries every year. First it was Eastern Europe, then India, then the Philippines, now Central American countries. I can definitely see something like this happening with some of our core processes. If it followed the flowchart exactly, with all the right steps completed, and everything was in order, not one question would be raised.
That said, every company is susceptible to this whether the employees are onshore or off. The problem is knowing when to bother the CEO on his yacht, or the golf course, or the luxury resort he's staying at to ask him a question about routine business...especially when you have a message that looks like it came right from him. Properly implemented digital signatures would help in this case -- but think about the fact that EV certs turn the entire address bar bright green and no one notices that, and they click "Yes" to every pop-up that comes their way.
Re: (Score:3)
It has nothing to do with size. The problem is that your CXX execs are too tight-fisted to pay for and develop quality outsourcing. I know, because I worked for a very small company that was able to hire the very best offshore employees.
Surprised she could move that much without concern (Score:5, Interesting)
It started two weeks ago when our CFO received an email purportedly from our CEO asking him to transfer money. The CFO was suspicious the second he read it, as the email was well written, had proper grammar and had more than two sentences unlike actual emails from our CEO (I wish I was joking about this, but I'm not)
We're still trying to see where these emails are coming from.
Even if he fell for it and tried to send the money, we have a two factor banking system where someone else with authority has to verify the transfer, authorise it and send it. We handle limits well below 40 million.
I'm surprised one person can transfer 40 million euros without raising any eyebrows beforehand.
Re:Surprised she could move that much without conce (Score:5, Informative)
Maybe I can explain that without breaking NDAs, because we have been tasked with solving this problem for a few customers.
First, 40 million isn't really that big a deal for many companies. 40 million is a routine amount for some industries. That's not to say that they wouldn't "feel" the impact of losing 40 million, but there are industries that have an insane amount of money throughput without a lot of revenue. You see that in refinement industries that gobble up insane amounts of (sometimes expensive) raw materials, producing (even more expensive) intermediate products with little revenue, so that you have industries with a turnover in the billions and an annual profit in the single digit millions. You see that a lot in food or even more in oil industries.
So yes, transferring 40 million could well be a rather normal business operation.
And two factor means little if you have two people who use the same input because the reason behind the two factor was that the company wants to ensure that nobody can pull an inside job and embezzle money. The companies that are being scammed are usually companies with a branch in a foreign country that is fully dependent and takes orders from the main office. Also, in general companies are preferred that have a strictly hierarchical structure where questioning authority is frowned upon and slavishly following orders is rewarded. Such companies are prime targets and there it also usually works.
Your example isn't really comparable for two reasons. First, it was the CFO that noticed the problem, a person who has authority and who would even in a strictly hierarchical system be able to talk directly to the CEO, maybe in secrecy so nobody would notice that he "questions" the boss, but even if not he is in a position where he may, if not must, question such decisions. Also, I would assume that the culture in your company is not one of "me boss, you nothing".
The situation in the scams is very different. Every successful scam so far was pulled at a foreign branch where the people tasked with transferring the money can't simply go informally to their boss and ask whether that's ok; they would have to call or write mails, which might leave a paper trail or be noticed by third parties. Also, you usually deal with companies here that have a strict hierarchy where you do not question orders.
Two factor doesn't help here either, because then simply the other person who would need to agree gets the same mail, and likewise cannot question it. What would help is being able and allowed to verify the order or, better, have a digital signature system in place and people who know how to use it.
Re:Surprised she could move that much without conce (Score:5, Funny)
Could you please let me know what the limit at your company is?
Not the subtlest piece of attempted social engineering I've ever seen.
Phony Invoices (Score:2)
Anyone who runs a business will know that businesses are continually sent phony invoices and phony demands for payment of numerous kinds.
Money transferred to Czech Republic (Score:2)
Bank improvements required (Score:2)
Re: (Score:2)
* 2 factor authentication
* transfer requests should originate through bank system (not emails) OR CFO should be able to add an 'approver', in this case the CEO, to sign the request.
Then the CFO or CEO gets annoyed with the pesky 2FA requests and gives it to his PA to sort out. She has great boobs but is dumb as a post, so is the perfect target for phishing attacks. "Hi, it's Rob from the bank, we need to confirm that you have the right 2FA dongle for your account. Can you read the number on the screen to me please?" Yes, this works, I've seen it happen.
These are rampant. (Score:5, Informative)
This has been going on for at least three years that I know of. There's no real "hacking" involved here at all. Just solid research and social engineering.
The thief finds out the name of the CEO, and possibly his email address.
He then finds the name and email address of the treasurer or controller, someone who can transfer funds.
The thief may register a look-alike domain, for instance, "RealCeoName@cornpany.com" instead of "RealCeoName@company.com". (Depending on your font, you might not be able to tell the difference between those two without a magnifying glass. Or even with one.) Or, he may send the email forged as "from" the CEO's real email address with a Reply-To header diverting replies to a Gmail, Hotmail, or Rob-U-Blind.ru email address. (We all know how easy it is to forge email addresses, right?) Or, he may just have a normal-looking Yahoo address. Usually, the "human readable name" of the From header is the CEO's real name, so MS Outbreak will helpfully not show the victim that the email address is not right.
The thief addresses the treasurer or controller by name. Sometimes the initial email is nothing more than "Hey, Bob, are you in the office today?" If Bob bites, then the pitch for the transfer is sent. Or, the transfer request might be right up front. A common phrase is "I'm in meetings and can't take calls, kindly email me." If the thief gets no answer, he'll often send a "Bob, did you get my last email?" ping.
Amounts are usually in the few tens of thousands of dollars. If the financial officer falls for it, more transfer requests are likely to follow until they finally wise up.
I saw one where the thief somehow knew about a legitimate transaction, and inserted himself, saying "We changed banks, send the payment for that shipment of widgets to our new account, ..." That one I suspect was an inside job.
A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.
Defense: Everyone who handles money, and everyone who says how money is to be handled, most especially the CEO, must agree and sign off on an absolutely inflexible rule that financial transactions are NEVER NEVER NEVER done just on the basis of email. Actual voice confirmation should be required, or the request must go through the company's normal accounting application, etc.
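As an added example (not code from the thread or from any of the companies mentioned), the following script screens one inbound message for the indicators this post lists: a look-alike sender domain such as "cornpany.com", a Reply-To that diverts replies elsewhere, an executive's display name on an outside address, and the "can't take calls, kindly email me" phrasing. The defended domain, the executive roster and the two sample messages are constructed for the demonstration.

```python
"""Screen one inbound message for the CEO-fraud indicators listed in the post above.

Added example, not code from the original thread. The defended domain, the
executive roster and the two sample messages are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "company.com"              # constructed: the defended domain
EXECUTIVES = {"real ceo name", "jane doe"}  # constructed: names that must only come from COMPANY_DOMAIN
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}

# Character sequences that read alike in many fonts ("rn" vs "m" is the post's example).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Phrasing the post associates with these scams (matched case-insensitively).
URGENCY_PHRASES = [
    r"can'?t take calls",
    r"kindly email",
    r"keep this (completely )?quiet",
    r"tell no ?one",
    r"are you in the office today",
    r"we changed banks",
]


def normalize_domain(domain):
    """Fold confusable sequences so a look-alike collapses onto the genuine spelling."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=COMPANY_DOMAIN):
    """True when `domain` is not `target` but imitates it by confusables or a 1-edit typo."""
    domain = domain.lower()
    if domain == target:
        return False
    return normalize_domain(domain) == normalize_domain(target) or edit_distance(domain, target) == 1


def body_text(msg):
    """Collect the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def screen_message(raw):
    """Return the list of indicators found in an RFC 5322 message; an empty list means none."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    if from_domain and is_lookalike(from_domain):
        findings.append("look-alike sender domain: " + from_domain)
    # Display name of an executive while the address is not on the company domain.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external address: " + from_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To diverts replies to: " + reply_domain)
    if from_domain in FREEMAIL or reply_domain in FREEMAIL:
        findings.append("freemail address in From/Reply-To")
    text = body_text(msg)
    for pattern in URGENCY_PHRASES:
        if re.search(pattern, text, re.IGNORECASE):
            findings.append("urgency/secrecy phrasing: " + pattern)
    return findings


# Constructed sample messages: one imitating the scam, one ordinary internal mail.
SAMPLE_FRAUD = """\
From: Real CEO Name <realceoname@cornpany.com>
Reply-To: realceoname@gmail.com
To: bob@company.com
Subject: Quick request

Hey Bob, are you in the office today? I'm in meetings and can't take calls, kindly email me.
"""

SAMPLE_LEGIT = """\
From: Real CEO Name <realceoname@company.com>
To: bob@company.com
Subject: Board deck

Bob, the Q3 deck is on the shared drive. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(raw) or "no indicators")
```

A hit from this screen is a reason to hold the request for the out-of-band voice check the post calls for, not proof of fraud by itself; a clean result says nothing about a message sent from a genuinely compromised mailbox.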
Re: (Score:2)
There is a trend in Australia to spin off former government owned operations into semi-private "businesses" (telcos, power generators etc) and it seems that just about every one of them "fell" for so
Email should be double-sent to avoid spoofing. (Score:2)
For each email received, the receiving server shall send a request to the sending server to have the email resent. The request should be done via an email, as if the receiver answered the sender.
Once the receiver receives the email back, intact, then it is confirmed that this is an original email. Otherwise the email shall be deleted.
This is nothing more than the receiver calling the sender to ask "did you send this email?", automated.
Smaller scams also use the same method (Score:4, Informative)
A few years back, someone emailed different HR people posing as the CEO. The "CEO" wanted them to email a copy of every employee's W-2. While that doesn't affect the company, it affects every employee as the scammers know detailed and vital information about every employee. That information could be used to pilfer the employee's tax refunds, banks, etc.
The CEO is a bit eccentric so a copy of every W-2 would not be the strangest thing he could request. That meant that he wanted thousands of W-2 PDFs emailed to him. Luckily HR knew the CEO well enough that 1) he was technologically capable enough and wouldn't have them email him copies; he would want it on a network drive he could access, 2) he would never ask a low-level HR person himself for the information; he would have asked the head of HR, 3) and he wouldn't care about details of thousands of employees' personal information; he would want someone to create a summarized report about whatever information he needed like the average salary by demographic, state, etc. Also they thought it might be a violation of privacy laws to send information like that over email. But we learned that other companies were not so fortunate and fell for the scam.
After that, the IT department changed the email system so that spoofed email addresses could not look authentic. It would no longer say: "Smith, John (CEO)" but "asdf@random.internetaddress.com".
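The display-name rewrite this comment describes, combined with a check for the lure phrases quoted earlier in the thread ("kindly email me", "can't take calls", "we changed banks"), as an added example; it is not code from the page or from any company mentioned in it. The internal domain, the directory of display names and the two sample messages are constructed for the example; a real gateway would take the first two from its own configuration and LDAP.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domains and a
# directory of display names as they appear in internal mail. Both are
# constructed; a real gateway would take them from configuration and LDAP.
INTERNAL_DOMAINS = {"example.com"}
DIRECTORY = {
    "smith, john": "john.smith@example.com",
    "doe, jane": "jane.doe@example.com",
}

# Phrases quoted in the thread as typical of CEO-fraud lures. Heuristic only:
# they flag a mail for review, they do not prove anything on their own.
LURE_PHRASES = (
    "kindly email me",
    "can't take calls",
    "keep this completely quiet",
    "tell no one",
    "we changed banks",
)


def _normalize_name(display_name: str) -> str:
    """Lower-case, drop a parenthesised title such as "(CEO)", squash spaces."""
    return " ".join(display_name.split("(", 1)[0].lower().split())


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw_message: bytes) -> dict:
    """Parse one RFC 5322 message and decide how its From line should render.

    Internal senders keep their display name. External senders are shown as
    the bare address (the policy the comment above describes), and if the
    display name matches someone in the directory the mail is quarantined.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(addr)
    external = from_domain not in INTERNAL_DOMAINS

    impersonates = DIRECTORY.get(_normalize_name(display_name)) if external else None
    # A Reply-To on another domain is the usual way an impostor keeps the
    # conversation going after forging the From line.
    reply_to_mismatch = bool(reply_addr) and _domain(reply_addr) != from_domain

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").lower()
    lure_hits = [p for p in LURE_PHRASES if p in text]

    return {
        "address": addr,
        "external": external,
        "impersonates": impersonates,
        "reply_to_mismatch": reply_to_mismatch,
        "lure_hits": lure_hits,
        "rendered_from": addr if external else (display_name or addr),
        "quarantine": impersonates is not None,
        "flag_for_review": external and (reply_to_mismatch or bool(lure_hits)),
    }


# Constructed sample messages (not real mail from the story).
SPOOFED = b"""From: "Smith, John (CEO)" <asdf@random.internetaddress.com>
Reply-To: asdf@random.internetaddress.com
To: hr@example.com
Subject: W-2 copies

I'm in meetings and can't take calls, kindly email me a copy of every
employee's W-2 today.
"""

GENUINE = b"""From: "Smith, John (CEO)" <john.smith@example.com>
To: hr@example.com
Subject: Headcount summary

Please put the average salary by state on the shared drive.
"""

if __name__ == "__main__":
    for raw in (SPOOFED, GENUINE):
        print(classify(raw))
```

The directory lookup is what turns a cosmetic rewrite into a control: an external mail whose display name collides with an internal employee is quarantined outright, while Reply-To mismatches and lure phrases only flag for review, since both also occur in legitimate mail.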
Might not be money (Score:2)
I heard of a scam where I work, in which an alleged "higher-up" emailed someone asking for some private information we had access to. They didn't tell us if that scam was successful, but they did tell us that if we got any such request, we needed to clear it with our immediate boss before sending anything.
Have they considered an inside job? (Score:2)
Re: (Score:2)
It's an internal business transaction so it would vary from company to company. Most likely though there was an attachment to the email which would be a form of some kind. If that form was completed properly there would be limited reason to not perform the transaction.
On top of that $40m is not a large amount of money to transfer in 1 go. Especially not in a manufacturing environment.
Re: (Score:2)
On top of that $40m is not a large amount of money to transfer in 1 go. Especially not in a manufacturing environment.
And this would've been calculated based on all the internal info the attackers gained access to. If you see ~$40M transactions happening every month or so, you simply time your request appropriately and jackpot.
Re:Question for finance folks (Score:4, Insightful)
I've worked on accounts payable systems.
The right way is that (petty cash aside) you don't pay anything that doesn't have an invoice. You wouldn't have an invoice if there's no purchase order. You might also have a delivery note, in which case you'd check the quantities match at least approximately. And you wouldn't have any of the above if there's no vendor master. The vendor master contains the account details to pay into.
You split the task up so it takes at least two people (ideally three) to do all the steps above.
Of course that's not agile or webspeed enough for millennials, which is why fuckups happen.
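The three-way match and split-duty rule described above, as an added example rather than code from the page or from any accounts-payable product. The records, identities, tolerances and the two IBANs are constructed for the example; the only design point taken from the comment is that the payee account comes from the vendor master and nowhere else.

```python
from dataclasses import dataclass

# Assumed tolerances for this example.
QUANTITY_TOLERANCE = 0.05   # delivered vs ordered may differ by 5%
AMOUNT_TOLERANCE = 0.01     # rounding slack on the invoice amount


@dataclass(frozen=True)
class Vendor:            # vendor master: the ONLY source of a payee account
    vendor_id: str
    iban: str
    approved_by: str     # identity that approved the record or its last change


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    quantity: int
    unit_price: float
    raised_by: str


@dataclass(frozen=True)
class DeliveryNote:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    po_number: str
    vendor_id: str
    quantity: int
    amount: float
    iban_on_invoice: str   # what the supplier (or an impostor) asks to be paid into


def check_payment(invoice, approvals, vendors, orders, deliveries, min_approvers=2):
    """Decide whether an invoice may be paid.

    Returns (ok, reasons, payee_iban). payee_iban always comes from the vendor
    master, never from the invoice or an e-mail; a differing account on the
    invoice blocks payment until the master record is changed through its own
    approval path (the "we changed banks" scam described earlier in the thread).
    """
    reasons = []
    po = orders.get(invoice.po_number)
    vendor = vendors.get(invoice.vendor_id)
    dn = deliveries.get(invoice.po_number)

    if po is None:
        reasons.append("no purchase order for this invoice")
    elif po.vendor_id != invoice.vendor_id:
        reasons.append("invoice vendor differs from PO vendor")
    if vendor is None:
        reasons.append("vendor not in vendor master")
    elif invoice.iban_on_invoice != vendor.iban:
        reasons.append("bank account on invoice differs from vendor master")
    if dn is None:
        reasons.append("no delivery note for this PO")
    elif po is not None:
        if abs(dn.quantity_received - po.quantity) > QUANTITY_TOLERANCE * po.quantity:
            reasons.append("delivered quantity does not match PO")
        if invoice.quantity > dn.quantity_received:
            reasons.append("invoiced more than was delivered")
    if po is not None:
        expected = round(invoice.quantity * po.unit_price, 2)
        if abs(invoice.amount - expected) > AMOUNT_TOLERANCE:
            reasons.append(f"amount {invoice.amount} != quantity x PO price {expected}")

    # Segregation of duties: at least min_approvers distinct people, none of
    # whom raised the PO or approved the vendor master record.
    distinct = set(approvals)
    if len(distinct) < min_approvers:
        reasons.append(f"need {min_approvers} distinct approvers, got {len(distinct)}")
    if po is not None and po.raised_by in distinct:
        reasons.append("PO raiser may not approve the payment")
    if vendor is not None and vendor.approved_by in distinct:
        reasons.append("vendor master approver may not release the payment")

    return (not reasons, reasons, vendor.iban if vendor is not None else None)


# Constructed sample ledger; the IBANs are the standard published examples.
VENDORS = {"V100": Vendor("V100", "DE89370400440532013000", "carol")}
ORDERS = {"PO-7": PurchaseOrder("PO-7", "V100", 1000, 12.50, "alice")}
DELIVERIES = {"PO-7": DeliveryNote("PO-7", 990)}

GOOD = Invoice("INV-1", "PO-7", "V100", 990, 12375.00, "DE89370400440532013000")
CHANGED_BANK = Invoice("INV-2", "PO-7", "V100", 990, 12375.00, "CZ6508000000192000145399")

if __name__ == "__main__":
    print(check_payment(GOOD, ["bob", "dave"], VENDORS, ORDERS, DELIVERIES))
    print(check_payment(CHANGED_BANK, ["bob", "dave"], VENDORS, ORDERS, DELIVERIES))
    print(check_payment(GOOD, ["alice", "alice"], VENDORS, ORDERS, DELIVERIES))
```

Note that even when the "changed banks" invoice is rejected, the function still reports the vendor master IBAN as the only account it would ever pay; an e-mail or invoice never gets to override that field.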
Re: (Score:2)
Hipsters and millennials aren't the same thing. They sure as hell aren't mutually exclusive though.
Re: (Score:3)
What's common practice is dictated by how your company is run. I don't remember who did the analysis, but the bottom line was something akin to "the more authoritarian the company is led (read: the more of an asshole your boss is), the higher the chance that employees will simply carry out even unsigned orders, knowing that their boss would go ballistic if they dared to ask him for confirmation, which would be considered talking back or challenging his decision and position of authority".
So in other words,
Re: (Score:2)
Well, since borders, customs and tax laws exist for you and me but not for international corporations, it should be doable to keep corporations untouchable while persecution of cybercriminals becomes possible.
Unless the distinction is not between people and corporations but between honest people and crooks. 'cause then the cybercriminals are on the same page as corporations and politicians.
Re: (Score:2)
FTFA:
a young woman working as CFO at Leoni's Bistrita factory in Romania
I didn't bother to read any further than the word "Romania".