Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Businesses Security The Almighty Buck Communications Network The Internet News Hardware Technology

One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com) 189

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.
This discussion has been archived. No new comments can be posted.

One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam

Comments Filter:
  • by The Other White Meat ( 59114 ) on Wednesday August 31, 2016 @09:17PM (#52806137)

    If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

    • by Anonymous Coward on Wednesday August 31, 2016 @09:45PM (#52806191)

      Surely she should at least have called him on the phone to confirm the request?

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Thursday September 01, 2016 @04:37AM (#52806925)
        Comment removed based on user account deletion
      • It really depends, if the scammers were smart and had well scouted the target perhaps this was a regular transaction size. People that do something on a regular basis can easily be tricked if you make your scam look just like a regular amount. 40 million may have raised less eyebrows than a much smaller amount. quite a few similar stories like this popping up in Australia at the moment of both government agencies and businesses falling for this. find a regular transaction and then fool the person that does
    • Re: (Score:3, Informative)

      by Anonymous Coward

      You don't even need that, all you need to do is separately reverse the conversation to confirm.

      Get an e-mail from the CEO asking for X? Look the CEO's phone number up in your rolodex and CALL them to ask for confirmation that you should do X.

      This form of "authorization verification" has been around for hundreds of years, ever since someone could forge a letter.

      (Email equivalent is to compose-new-email and choose their e-mail from your enterpise contacts, NOT reply to the existing message.)

      • "Are you questioning my orders? Are you trying to undermine my authority? WHAT IS WRONG WITH YOU???"

      • by JaredOfEuropa ( 526365 ) on Thursday September 01, 2016 @03:13AM (#52806801) Journal
        "Call him? You really want to call the general to confirm these orders? At this late hour? Sure, go ahead. Here, use my phone, it's your neck". I thought that only worked in movies...

        But seriously, in a large company like that I wouldn't expect such large transactions (or even small ones) to happen without prior authorization in the ERP system. The finance guys won't transfer even a handful of euros without having the beneficiary in the system or if there is no PO and invoice, or transfer order (or whatever these things are called). Email by itself should not be considered sufficient authorization, ever, certainly not an email that also contains the request and bank details.
      • Get an e-mail from the CEO asking for X? Look the CEO's phone number up in your rolodex and CALL them to ask for confirmation that you should do X.

        In an organisation big enough for $40m to be a normal sized transaction, you'll probably never even see the CEO, never mind get his direct phone number.

    • Like CXX level managers are going to bother with that stuff. If everything isn't as dumbed down for them easy enough to be used by a toddler, its the IT manager's head that will roll.

      But if you know about computer security you already know this.

      • by AK Marc ( 707885 )
        I've set it up so the CxO staff used encryption and never knew what it was. Though it did get turned off eventually, as their friends didn't know what to do with all the stuff at the end. Seamless, since about 1998, if you know about this stuff.
      • But if you know about computer security you already know this.

        One of my colleagues, who does IT security work, told me that the biggest security threat is "the loose nut behind keyboard."

        I think that sums it up quite nicely.

      • That's why a good CEO knows what to hand over and to listen to what comes back. He doesn't need to know anything about "that computer stuff". What he needs is a CIO and a CISO who do, who tell him what is necessary and him to heed their advice, because that's why he pays those two (and it better be two) more than their staff combined.

        Of course, if you use the CISO position as a scapegoat ejector seat, that's of course also doable. It just might be more expensive.

    • If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

      Secure crypto tools are illegal to export overseas and there's a good chance they are running Windows. Open source tools don't suffer the same issue, but they do lack a huge amount of the business-specific features needed for an enterprise that large (not to suggest it's impossible, but it's practically impossible given the small number of people capable of operating an open source enterprise scale environment and the number of them needed to keep it running.)

    • by Gussington ( 4512999 ) on Thursday September 01, 2016 @12:18AM (#52806529)
      I did a short term job on a business banking support desk about 15 years ago. Back then customers had an app to do their banking which had key mailed out separately to validate the account to the app. I had access to the app and the keys, so only need a valid username and password to impersonate a customer and execute a transaction. Being the old days when no-one knew about computers or security, people would often forget their passwords and ring up to get a new one, and the check for this was a fax of the user's signature against a record at the bank. Also having access to this the plan was simple:
      1. Setup a PC with the app
      2. Ring up the bank to impersonate a user. Send in a copy of a signature on file
      3. Receive password, and empty the account
      Bank transfers occur overnight and international takes two days. So if it was done before the afternoon cutoff, you could have the money out of the country within 36 hours. Some of our customers had hundreds of millions of dollars.
      The only thing stopping me was balls not made of steel. Looking back I should've done it. Even if caught I'd be out of jail by now :)
      • by dbIII ( 701233 ) on Thursday September 01, 2016 @02:33AM (#52806735)

        The only thing stopping me was balls not made of steel

        I'd say you were also stopped by an upbringing that wasn't completely worthless and didn't turn you into a sociopath.

        • Sociopaths are born that way, what they don't have to be is a psychopath. I don't trust sociopaths, but they're not all evil.
          If he was a psychopath, he would probably be involved in managing the bank; those people are usually the ones who steal from the bank.

      • by Holi ( 250190 )
        Really? The only thing stopping you was your fear of going to jail? So you have no moral compass and you base all your moral decisions based on fear of punishment? You're religious aren't you? Most likely christian. They love that whole morality through fear thing.
    • That only works if the person receiving the email knows to check it for authenticity.

    • by mjwx ( 966435 )

      If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

      If they had of used basic checks by other staff that has been around for MILLENNIA they could have prevented this. One person should not be able to sign off on 40 billion Euro.

      But its the same problem with PKI and mail. It would simply cost too much to implement, just as it would cost too much in extra staff to ensure that no-one makes mistakes.

      The weak link here isn't the technology, its the people. Its not an email that was tricked into transferring 40 million, it was a person. You cant fix people w

  • IT Contractors (Score:5, Insightful)

    by Anonymous Coward on Wednesday August 31, 2016 @09:30PM (#52806165)
    All those contractors you outsourced to are selling your internal procedures for scams like this.
    • by Viol8 ( 599362 )

      Not just contractors - entire companies are in on that sort of scam in india. In the UK the government and various companies think nothing of sending our private data to the cheapest bidder in Bangalore, then react with shock and horror when - surprise! - some of the data goes walkies. I honestly wonder sometimes if there's a maximum IQ allowed for CEOs and ministers because surely people can't honestly be this stupid they didn't forsee this sort of thing?

  • by caseih ( 160668 ) on Wednesday August 31, 2016 @10:06PM (#52806239)

    Are not transactions like this tracked along the way and why can't the banks just reverse all the transactions?

    • Being an American, and therefore used to our banking system, this was always something I was wondering about with wire transfers. Apparently, they are instant and basically the same thing as handing a bag of cash to the recipient. Once the recipient takes the cash, it's irrevocable - they would have to agree to give you your bag back if you wanted the money. Same thing goes for these bank transfers - anyone with the authority over the company's bank accounts is a target for scams like these. We 'Muricans ar

      • Re: (Score:3, Informative)

        by AK Marc ( 707885 )
        In the US, the consumer protections are almost non existent. Fraud is often legal, under the banner "caveot emptor". Most of the world isn't the same. Here, if someone sends you $1,000,000 by accident, the bank will reverse it, and if you spent it, that's theft. Everyone uses bank transfers for everything. Nobody writes checks, and most stores won't take them.
        • What are you taking about? There are plenty of consumer protection laws. For less than $20k most financially responsible people can get credit for 45 days with no interest.

          We use ACH for almost everything and as long as the money isn't withdrawn, it is reversible. And you can't just send people ACH anytime. You have to first set up a trust with both accounts that both sides validate.

          Granted if you send someone 10k instead of 1k, a normal person can't reverse it without the other party. Only other recourse

          • by AK Marc ( 707885 )

            Granted if you send someone 10k instead of 1k, a normal person can't reverse it without the other party.

            Right. Your $9,000 is gone. And you have to sue to get it back. Most of the rest of the world would prosecute the receiver's refusal to return what isn't theres as fraud or theft. So you just give back that which isn't yours. Unless you are in the US.

            What are you taking about? There are plenty of consumer protection laws.

            Great, so if you buy a car off Craigslist, and turns out the car was a lemon and the seller knew and didn't disclose, do you have any option other than sue? No? Then there are no consumer protection laws. P.S. You'll lose the lawsuit, after spending mo

            • Just a minor point, but most consumer protection laws dont cover private transactions between individuals - they would only apply if the person you bought off of on your equivalent of Craigslist was a business and was selling as a business.

            • No most of the world does not have the state prosecute as theft. Maybe in the EU but not else where*. It normally isn't considered a crime for mistakes between private parties. It would be considered a civil matter here.

              As for Fraud, you are stepping into a whole new area of legal space. Yes, we all pretty much have the same laws. It is a state crime, not civil.

              As for the rest of your post, we have the same, if not better laws in the US if the other side is a business. Even on Craigslist, if that person

              • by AK Marc ( 707885 )

                As for Fraud, you are stepping into a whole new area of legal space. Yes, we all pretty much have the same laws. It is a state crime, not civil.

                Nope. Same coin. Perhaps separate side. Since we are all in agreement that US law doesn't protect dumb consumers that make a bad choice, lets look at fraud. The seller encourages a bad choice. I think it would be safe to say that fraud is universally illegal. The only question is where one draws the line between civil and criminal, and victim-blaming. In Nigeria, 419 scams are legal, because the law explicitly blames the victim. So the scammers craft their scams to make sure the scam is legal. That p

        • by AmiMoJo ( 196126 )

          In Europe it depends on who you are and how much is involved. For individuals with relatively small amounts they will often just reverse the transaction if you have prove that they were at fault somehow. If you were scammed though they might refuse or at most try to recover as much money from the destination account as they can. Since it will likely have been drained that will be â0.

          Generally speaking when someone steals money the victim gets back what is left only. If they spend half of it, that money

      • Re: (Score:3, Funny)

        by whoever57 ( 658626 )

        Apparently, they are instant and basically the same thing as handing a bag of cash to the recipient

        What, you mean that the money doesn't flow, a few dollars at a time, from one account to the other, with a progress bar to show how much has transferred, like Hollywood has shown me in countless movies and TV shows?

        I'm shocked! </sarcasm>

      • Once the recipient takes the cash, it's irrevocable - they would have to agree to give you your bag back if you wanted the money. Same thing goes for these bank transfers - anyone with the authority over the company's bank accounts is a target for scams like these.

        This is the same everywhere. And it's like that because how else would any banking system work effectively?
        At some point you have to agree to execute a transaction, and you have to trust that the person with the money is responsible with the authority they possess. As a receiver I have to expect certainty over that transaction so I can operate efficiently. Any other system introduces complexity, cost and inefficiencies, and doesn't necessarily solve the initial problem

      • by PCM2 ( 4486 )

        Nah, I kinda call bullshit. There's got to be more to this story.

        I knew a guy who worked for a major US financial institution. His whole job was correcting for these kinds of errors. Like, money would get transferred to the wrong account all the time, and his job was to call up the other financial institution and say, "Yeah, we made a mistake, we need those millions back." And they would be returned.

        Now, mind you, these were errors on the financial institution's part. It wasn't some dumb customer making the

        • by jandrese ( 485 )
          My guess is that the money was already gone so the other bank couldn't help. The kind of people who do the research to find the dumbest person in the company with financial authority are the kind of people who have a network setup to launder the money before the victim has a chance to act.
    • My thoughts exactly. I've been able to get my bank to refund as little as $200 before due to identity theft using my debit card, and that was when an item was purchased, so someone had to actually eat the charges. In this case, it seems like they see where the money went. Maybe since it has to do with international borders, it'll just take a little more time.
      • My thoughts exactly. I've been able to get my bank to refund as little as $200 before due to identity theft using my debit card, and that was when an item was purchased, so someone had to actually eat the charges. In this case, it seems like they see where the money went.

        There was no recovery of your money. Someone ate the cost of the loss: either your bank or the merchant.

        Maybe since it has to do with international borders, it'll just take a little more time.

        No, it's gone. The money will have flowed thr

        • There was no recovery of your money. Someone ate the cost of the loss: either your bank or the merchant.

          It sounds like you've never had money stolen from a bank account via a debit card, and I hope you never have to go through that. But I can tell you it's a pain in the ass. Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.

          • Likewise, I don't use a debit card, except as a last resort. Instead, I use a credit card. My card has seen fraudulent transactions as high as $3000. In every case, because of the legal protections provided to credit card holders, these fraudulent transactions did not cost me anything.

            But my point was that, in your case, the thieves probably got away with the money. The transactions were not reversed all the way through the chain to the thieves' bank account.

            • Right, I understand your point, and agree. I was just pointing out that, if my bank cared about my $200, where my balance back then was anywhere between $300 and $700, then surely a client that has a balance above $40,000,000 would have some pull to get the bank to find out where it went and how to get it back.
          • It sounds like you've never had money stolen from a bank account via a debit card, and I hope you never have to go through that. But I can tell you it's a pain in the ass. Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.

            You aren't listening... The bank didn't get your money back, the bank gave you some of its own money...

            • It's more like an insurance payout. All those pesky merchant fees make a tidy profit for the bank, certainly; but they also fund theft insurance. I don't know how this works with any of the new "fintech" out there. I have a feeling it doesn't. Users of fancy new mobile currencies, beware.

          • by PCM2 ( 4486 )

            Due to that situation, where I did very much get my money back, I never use a debit card, only a credit card.

            My debit card has a gigantic Visa logo on the front. Doesn't yours?

            • My debit card has a gigantic Visa logo on the front. Doesn't yours?

              So what? That logo doesn't make it a credit card, and it certainly doesn't mean that the protections that are required by law for credit card holders apply to your debit card.

              Ultimately, that's the difference: if there is fraud on a debit card, your refund depends on the bank's policies and customer service reps. If there is fraud on a credit card, the law requires the credit card company to refund most, if not all of the fraudulent char

      • You didn't get your money back, you got the credit card companies money of equivalent value and they wore it.
        The thief got your money and spent it on good times.
    • I guess the banks figure "why should we?"

      It's not their fault the money has been transferred fraudulently, they have no responsibility and by not getting involved they avoid possible legal liabilities.

      However, you'd think that the police/interpol could track the movement of the money -- after all, it's not like someone is going to rock up to an ATM and withdraw 40 million Euros in cash, is it?

    • A bank transfer is a contract. You as the owner of the money agree to give it to someone else. Once that is agreed and transferred, you cannot just take it back.
      If you got tricked or scammed into transferring the money, the receiving banking doesn't care about your stupidity. You are effectively asking them to take money out of their customers account with no authority (only the court can do this).
      Most Banking systems are run on batch jobs which run overnight domestically or maybe 2 days for international
    • by mjwx ( 966435 )

      Are not transactions like this tracked along the way and why can't the banks just reverse all the transactions?

      Well two reasons.

      Usually by the time that they've figured out that they've been had, the crims have had plenty of time to move the money through fronts, foreign banks and what not to be able to do anything about. Any trace on the money has been lost.

      The second reasons is because the banking system would collapse.

      Much like certificate authorities in PKI, banks are trustworthy sources. So the entire banking system relies on banks paying their debts. If a bank renegs on what it has agreed to pay after

    • why can't the banks just reverse all the transactions?

      Imagine you're running a business. A person you've never heard of (let alone met) calls you up wanting a load of expensive stuff. Fortunately one of your employees has a brain and suggests you get payment in advance. Many many dollarpounds land in your account, and you release the order.

      As the truck pulls out of the gate, PYNHO(LAM) hits ctrl-Z and the progress bar starts running from right to left ...

  • by ErichTheRed ( 39327 ) on Wednesday August 31, 2016 @10:09PM (#52806245)

    The company I work for is a medium size multinational. We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work. I've been working there for a while, and it seems to me that routine work is getting shipped to cheaper and cheaper countries every year. First it was Eastern Europe, then India, then the Philippines, now Central American countries. I can definitely see something like this happening with some of our core processes. If it followed the flowchart exactly, with all the right steps completed, and everything was in order, not one question would be raised.

    That said, every company is susceptible to this whether the employees are onshore or off. The problem is knowing when to bother the CEO on his yacht, or the golf course, or the luxury resort he's staying at to ask him a question about routine business...especially when you have a message that looks like it came from right from him. Properly implemented digital signatures would help in this case -- but think about the fact that EV certs turn the entire address bar bright green and no one notices that, and they click "Yes" to every pop-up that comes their way.

    • We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work.

      It has nothing to do with size. The problem is that your CXX execs are too tight-fisted to pay for and develop quality outsourcing. I know, because I worked for a vary small company that was able to hire the very best offshore employees.

  • by Scoldog ( 875927 ) on Wednesday August 31, 2016 @10:53PM (#52806345)
    We're in the process of tracking the same type of emails within our company.

    It started two weeks ago when our CFO received an email purportedly from our CEO asking him to transfer money. The CFO was suspicious the second he read it, as the email was well written, had proper grammar and had more than two sentences unlike actual emails from our CEO (I wish I was joking about this, but I'm not)

    We're still trying to see where these emails are coming from.

    Even if he fell for it and tried to send the money, we have a two factor banking system where someone else with authority has to verify the transfer, authorise it and send it. We handle limits well below 40 million.

    I'm suprised one person can transfer 40 million euros without raising any eyebrows beforehand.
    • by Opportunist ( 166417 ) on Thursday September 01, 2016 @03:45AM (#52806857)

      Maybe I can explain that without breaking NDAs, because we have been tasked with solving this problem for a few customers.

      First, 40 million isn't really that big a deal for many companies. 40 millions are a routine amount for some industries. That's not to say that they wouldn't "feel" the impact of losing 40 million, there are industries that have an insane amount of money throughput without a lot of revenue. You see that in refinement industries that gobble up insane amounts of (sometimes expensive) raw materials, producing (even more expensive) intermediate products with little revenue, so that you have industries with a turnover in the billions and an annual profit in the single digit millions. You see that a lot in food or even more in oil industries.

      So yes, transferring 40 millions could well be a rather normal business operation.

      And two factor means little if you have two people who use the same input because the reason behind the two factor was that the company wants to ensure that nobody can pull an inside job and embezzle money. The companies that are being scammed are usually companies with a branch in a foreign country that is fully dependent and takes orders from the main office. Also, in general companies are preferred that have a strictly hierarchical structure where questioning authority is frowned upon and slavishly following orders is rewarded. Such companies are prime targets and there it also usually works.

      Your example isn't really comparable for two reasons. First, it was the CFO that noticed the problem, a person who has authority and who would even in a strictly hierarchical system be able to talk directly to the CEO, maybe in secrecy so nobody would notice that he "questions" the boss, but even if not he is in a position where he may, if not must, question such decisions. Also, I would assume that the culture in your company is not one of "me boss, you nothing".

      The situation in the scams is very different. Every successful scam so far was pulled at a foreign branch where the people tasked with transferring the money can't simply go informally to their boss and ask whether that's ok, they would have to call or write mails, which might leave a paper trail or be noticed by third parties, also you usually deal with companies here that have a strict hierarchy where you do not question orders.

      Two factor doesn't help here either, because then simply the other person who would need to agree gets the same mail, and likewise cannot question it. What would help is being able and allowed to verify the order or, better, have a digital signature system in place and people who know how to use it.

    • by Holi ( 250190 )
      We have been getting them for years, We don;t allow anyone in the company to make transfer requests via email, Problem solved.
  • Anyone who runs a business will know that businesses are continually sent phony invoices and phony demands for payment of numerous kinds.

    • by jandrese ( 485 )
      Yeah, there is a cottage industry built up around sending fake invoices to companies for smallish amounts (a few thousand typically) in the hopes that the accounts payable people are lazy and send the money without checking first. The problem is that they've become victims of their own success. Companies see so many of them that they have procedures in place to prevent the scam from working.
  • At least a good news, the money remains in Europe
  • * 2 factor authentication * transfer requests should originate through bank system (not emails) OR CFO should be able to add an 'approver', in this case the CEO, to sign the request.
    • * 2 factor authentication * transfer requests should originate through bank system (not emails) OR CFO should be able to add an 'approver', in this case the CEO, to sign the request.

      Then the CFO or CEO gets annoyed with the pesky 2FA requests and gives it to his PA to sort out. She has great boobs but is dumb as a post, so is the perfect target for phishing attacks. "Hi it's Rob from the bank, we need to confirm that you have the right 2FA dongle of your account. Can you read the number on the screen to me please". Yes this works, I've seen it happen.

  • These are rampant. (Score:5, Informative)

    by Mike Van Pelt ( 32582 ) on Thursday September 01, 2016 @12:40AM (#52806557)

    This has been going on for at least three years that I know of. There's no real "hacking" involved here at all. Just solid research and social engineering.

    The thief finds out the name of the CEO, and possibly his email address.

    He then finds the name and email address of the treasurer or controller, someone who can transfer funds.

    The thief may register a look-alike domain, for instance, "RealCeoName@cornpany.com" instead of "RealCeoName@company.com". (Depending on your font, you might not be able to tell the difference between those two without a magnifying glass. Or even with one.) Or, he may send the email forged as "from" the CEO's real email address with a Reply-To header diverting replies to a Gmail, Hotmail, or Rob-U-Blind.ru email address. (We all know how easy it is to forge email addresses, right?) Or, he may just have a normal-looking Yahoo address. Usually, the "human readable name" of the From header is the CEO's real name, so MS Outbreak will helpfully not show the victim that the email address is not right.

    The thief addresses the treasurer or controller by name. Sometimes the initial email is nothing more than "Hey, Bob, are you in the office today?" If Bob bites, then the pitch for the transfer is sent. Or, the transfer request might be right up front. A common phrase is "I'm in meetings and can't take calls, kindly email me." If the thief gets no answer, he'll often send a "Bob, did you get my last email?" ping.

    Amounts are usually in the few tens of thousands of dollars. If the financial officer falls for it, more transfer requests are likely to follow until they finally wise up.

    I saw one where the thief somehow knew about a legitimate transaction, and inserted himself, saying "We changed banks, send the payment for that shipment of widgits to our new account, ..." That one I suspect was an inside job.

    A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.

    Defense: Everyone who handles money, and everyone who says how money is to be handled, most especially the CEO, must agree and sign off on an absolutely inflexible rule that financial transactions are NEVER NEVER NEVER done just on the basis of email. Actual voice confirmation should be required, or the request must go through the company's normal accounting application, etc.

    • by dbIII ( 701233 )

      A related scam is "Hey, Bob, I'm in China, and this fantastic merger opportunity came up. It is absolutely imperative you keep this completely quiet, and tell NO ONE about it! The lawyer who is handling this will be contacting you in a separate email." This scam can go for hundreds of thousands or even millions.

      There is a trend in Australia to spin off former government owned operations into semi-private "businesses" (telcos, power generators etc) and It seems that just about every one of them "fell" for so

    • Comment removed based on user account deletion
    • by jandrese ( 485 )
      I wonder how long until the scammers helpfully include a contact number in the signature for the money manager to call when they want to verify the transaction? Label it as the cell number to avoid suspicion that it's on the wrong exchange.
      • A treasurer or controller likely knows the CEO personally, or has at least talked to him in person. The thief would have to be able to convincingly impersonate the CEO. Especially since these tend to be targeting small-to-mid size companies, organizations, and charities.
  • For each email received, the receiving server shall send a request to the sending server to have the email resend. The request should be done via an email, as if the receiver answered the sender.

    Once the receiver receives the email back, intact, then it is confirmed that this is an original email. Otherwise the email shall be deleted.

    This is nothing more than the receiver calling the sender to ask "did you send this email?", automated.

  • by UnknowingFool ( 672806 ) on Thursday September 01, 2016 @07:57AM (#52807331)

    A few years back, someone emailed different HR people posing as the CEO. The "CEO" wanted them to email a copy of every employee's W-2. While that doesn't affect the company, it affects every employee as the scammers know detailed and vital information about every employee. That information could be used to pilfer the employee's tax refunds, banks, etc.

    The CEO is a bit eccentric so a copy of every W-2 would not be the strangest thing he could request. That meant that he wanted thousands of W-2 PDFs emailed to him. Luckily HR knew the CEO well enough that 1) he was technologically capable enough and wouldn't have them email him copies; he would want it on a network drive he could access, 2) he would never ask a low level HR person himself for the information; he would have asked head of HR, 3) and he wouldn't care about details of thousands of employees personal information; he would want someone to create a summarized report about whatever information he needed like the average salary by demographic, state, etc. Also they thought it might be a violation of privacy laws to send information like that over email. But we learned that other companies were not so fortunate and fell for the scam.

    After that, the IT department changed the email system so that spoofed email addresses could not look authentic. It would no longer say: "Smith, John (CEO)" but "asdf@random.internetaddress.com".

  • I heard of a scam where I work where an alleged "higher-up" emailed someone asking for some private information we had access to. They didn't tell us if that scam was successful, but they did tell us that if we got any such request, we needed to clear it with our immediate boss before sending anything.

  • Person who wired the money gets a split of the proceeds, then claims they made a mistake. Sure, she's out of a job, but she can live pretty well on 20 million Euros...

Ocean: A body of water occupying about two-thirds of a world made for man -- who has no gills. -- Ambrose Bierce

Working...