Fraudsters make bank as exec wires $17 MEELLION to China

Scammers have swindled commodities trader Scoular out of US$17.2 million (A$22.1 million, £11.3 million) in a targeted phishing exercise. Local news outlet Omaha.com reported that the controller at the 800-seat company had followed instructions to wire a series of massive payments to a Chinese bank from emails …

  1. Mark 85 Silver badge
    Facepalm

    See icon ----------------------------------------------------------->

    1. DryBones
      Trollface

      I like mine better.

      Didn't even call or text the person supposedly directing him to do the stuff. Grand!

      If the person in charge of your business's money hasn't got your cell #- oh. Well then.

      1. Anonymous Coward
        Meh

        Re: I like mine better.

        Put this in balance, this guy may have transferred billions in the past, so this may have just been another day's transactions to him. If he's getting 20 or 30 of these a week, it is business as usual.

        The amount may seem huge to us, but may have been loose change to them.

  2. Ragequit
    Facepalm

    It never ceases to amaze me...

    Just how quick people are to trust and not question communication. If a stranger walks up to you and tries to convince you of something most often you have *some* level of incredulity until they identify themselves in some way. But when it comes to phone calls, mail, and email people are largely defenseless. Even then one simple bit of information is usually enough to disarm those who are leery. Oh, they know my boss's name, what equipment we use in the office, or they used an official looking letterhead/graphic.

    1. Anonymous Coward
      Anonymous Coward

      Re: It never ceases to amaze me...

      As stated, this may well have been standard, daily routine and practice for the firm. Yes, they should have had safeguards (Any transaction over 'x' you call me to validate) however, how feasible is that really, when often these transfers need to be made immediately, and when you're dealing with dozens of those transactions a day?

      Hey-ho.

  3. Anonymous Coward
    Anonymous Coward

    I'd like to suggest a small change to the article:

    "The scam worked because the company in question is stupid enough to wire large sums of money on the basis of a single e-mail with no verification"

    It would also be grand if the final paragraph were:

    "Company officials responsible for secure transfers and for corporate policies assembled in a conference room and committed seppuku out of shame"

    1. BigFire

      Or they have a culture of discouraging the lowly peons from asking their boss (or in this case, the actual person purported to have authorized the transfer). A single phone call would've solved the problem.

  4. Lyndon Hills 1

    Scoular was recently numbered 55 in a Forbes list

    but is expected to slip a few places

  5. xj25vm

    In all fairness, it sounds like it was a bit more than just a simple phishing scam. It sounds a lot more like an old fashioned elaborate con - phishing was just one of the elements in the grand scheme of things. It sounds like the scammers knew:

    1. Who was in charge of transferring money

    2. Who was meant to ask for the transfers to be performed

    3. Probably how to fake not only the sender's email address to a credible level (so that it doesn't end up filtered straight into the Spam folder) - but also the content/format of the email so it doesn't raise alarm bells.

    4. Very importantly, that the company intended to buy some businesses in China, possibly in some sort of confidential manner.

    Number 4. suggests strongly some level of insider information being involved. So I would say, it wasn't just down to poor internal procedures - it sounds like somebody did their homework pretty well. Which is how a lot of successful scams play out - although from a distance it might look like it was just down to somebody not making a phone call to check things.

    1. I ain't Spartacus Gold badge

      It's 15 years since I worked in corporate land. But at the time, any transaction over £10k needed two signatures - one of which was from a manager/director in the finance department. And that was the form you filled out before going on the banking terminal to do the actual deed. I wonder if that's now changing in companies to getting an email or text from...

      Even a secret deal the CEO is doing must require the knowledge of the Finance Director. And if there's a million in the amount, you shouldn't be taking the CEO's word alone anyway, just in case he's decided to run away with a chunk of the company cash.

  6. crayon

    "although from a distance it might look like it was just down to somebody not making a phone call to check things"

    It is down to a phone call, except the idiot called the "wrong" person:

    "McMurtry called a phone number listed in the email which was answered by a scammer pretending to be that contact"

    The right person to call ought to be the one apparently requesting the transfer, ie the CE, Chuck Elsea.

  7. Simon Watson
    FAIL

    Insufficient Internal Controls

    Title says it all.

  8. Anonymous Coward
    Anonymous Coward

    What a moment.

    I sure don't condone this behavior, but can you imagine the sheer delight these guys must have experienced when that first $940K showed up? That "Holy shit, they fell for it!" moment. And then to get two more, even larger, transfers? Like winning the lottery three times in a row.

    You only need one score like that to spend the rest of your life on the beach sipping drinks with little umbrellas.

    1. Peter Simpson 1
      Thumb Up

      Re: What a moment.

      Of course, the downside is, that since it's China, if you get caught, that was one mighty expensive bullet to the back of the head.

      // win big or lose it all, I guess.

  9. Stevie Silver badge

    Bah!

    Who'd have thought the standard lack of transparency in Big Bank Behaviour could be turned to scammers' needs?

  10. razorfishsl

    Irrelevant of who should have called who.

    The real issue is that a single person could transfer funds of that size without any secondary checks at a bank or the next level up.

    If that guy turned bent... it is irrelevant that he had an email from the CEO.

    Why was the finance department not noticing that a massive payment had been made to an 'unusual bank'?

  11. vagabondo
    FAIL

    Why don't

    people at least routinely use e.g. GPG signing for important email? And take notice when the sig fails.
