back to article Someone needs to go back to school: Texas district fleeced for $2.3m after staff fall for devious phishing email

A miscreant managed to swipe $2.3m from a Texas school district after staff inadvertently wired large sums of public money to the crook's bank account. It appears either a hacker managed to compromise systems and alter account details, or a staffer was tricked into changing the information by social engineering. In any case, …

  1. Erik4872

    So what happens to the money?

    I know we in the US personal banking world are in the Stone Age compared to Europe. Wire transfers here are for moving large amounts of money around (like funding brokerage accounts, shadowy secret-agent style payments, etc.) and generally don't get used for day to day banking. But as far as I know, a wire transfer is like handing a bag of cash to someone, it's semi-anonymous and you can't get the money back once it happens.

    So, what happens to the money? Is it just gone forever? Does an insurance company just pay for the loss?

    It's interesting because European countries use wire transfers heavily for personal banking. There have to be better protections in place than there seem to be here...otherwise people would be getting wiped out constantly.

    1. Hans 1 Silver badge

      Re: So what happens to the money?

      When you use Western Union or Moneygram in Europe you know it is fraudulent, I do not understand how those businesses can operate here ... I doubt there are any legitimate transations going through them, then again, I have never used the service. But yeah, I assume this is how money is wired in the US.

      Personal banking wire transfers can be revoked in France pretty easily, provided they did not go abroad. Most banks have systems in place to prevent you from setting up a dodgy beneficiary in a foreign country, especially when it is outside EU. So, yeah money transfers are pretty safe, here, however, they take forever to be honoured, like three business days if it is inter-bank... in the UK I know you can send money same day even abroad, I do not know if you can undo it, though.

      In France you can almost buy a second hand car eyes closed, if the car has a problem at the time of sale and the seller did not tell you, the sale is cancelled and you get your money back.

      1. Richard 12 Silver badge

        Re: So what happens to the money?

        Moneygram, Western Union and the like are for sending money to your family "back home", nothing else. Plenty of people do that, it's not fraudulent.

        Most of the EU protections are only for consumers. Businesses are more or less on their own - they are expected to employ lawyers, accountants and vaguely competent financial people.

        So while as a consumer you can often (though not always) get your money back, businesses generally can't (unless they have insurance explicitly to cover it)

        This is probably also why consumer credit cards almost always have zero annual fees and 24x7 phone lines, while business credit cards have large annual fees and can only be contacted 9-5 Monday-Friday.

        1. Hans 1 Silver badge

          Re: So what happens to the money?

          Moneygram, Western Union and the like are for sending money to your family "back home", nothing else. Plenty of people do that, it's not fraudulent.

          Yeah, I heard that "excuse", but since you have no control over who is getting the money it is bullshit, fraudulent bullshit.

          1. Cynic_999 Silver badge

            Re: So what happens to the money?

            "

            Yeah, I heard that "excuse", but since you have no control over who is getting the money it is bullshit, fraudulent bullshit.

            "

            The person collecting the cash has to present in person a recognized, government-issued photo ID to collect the money, and the employee at the WU outlet is diligent about that and knows all the scams. Besides, nobody except the intended reciptient is likely to know the transaction ID (also needed to get the money). Plus the sender will almost certainly be in frequent communication with the person they send the money and will ensure that they got it - and if not a complaint to WU is taken very seriously.

            WU got a bad reputation for being used by various scammers. But if you get scammed into sending money to someone you don't know and have never met, that's your fault, not WU. WU simply carried out your wishes just as you intended. It's the same as handing cash to a stranger with a hard-luck story who approaches you in the street. Don't blame the ATM if a builder insists on cash in advance and then does a runner.

            WU will ask how you know the person you are sending money to and whether you have met in person, and will refuse the transaction if it appears dodgy. For transactions over a certain amount (a few £100), you are asked more searching questions about the purpose of the transaction and your relationship with the receiver.

      2. dfsmith

        Re: So what happens to the money?

        The story says a month [+/-1] elapsed between the transfers and the discovery. I'm curious how France copes with this, since the money would now be long gone.

      3. katrinab Silver badge

        Re: So what happens to the money?

        In the UK, money transfers take about 3 seconds, and they can’t be recalled. Frauds similar to the one describe do take place fairly frequently.

        I’ve done SEPA transfers between UK and Italy in both directions. They generally take about 4 working hours - if I do it in the morning, it will arrive by afternoon, if I do it in the afternoon, it will arrive the following morning.

        1. big_D Silver badge

          Re: So what happens to the money?

          In Germany it is mainly SEPA and they can be recalled.

          Likewise, if a company has a direct debit mandate and they take too much / you don't agree with the amount taken, you can book that back as well.

          1. The First Dave

            Re: So what happens to the money?

            Technically, for Direct Debits, the bank is on the hook to return your money, there is no direct connection with whether or not they are able to reverse the transaction.

      4. Cynic_999 Silver badge

        Re: So what happens to the money?

        "

        When you use Western Union or Moneygram in Europe you know it is fraudulent, I do not understand how those businesses can operate here ... I doubt there are any legitimate transations going through them, then again, I have never used the service.

        "

        Yeah, yeah - just like TOR is only used by criminals, right?

        WU sees millions of perfectly legitimate transactions. As just one example, many people from developing countries work (legally) in Europe or other more developed countries due to the far higher wages. A great many such people use WU to send cash back to their families, for whom a bank account would be impractical or perhaps not trusted.

        WU is also used by parents sending cash to offspring travelling in another country when other methods have failed or are impractical (e.g. they lost or invalidated their ATM card).

        I've also once used WU to send money to myself when I was on holiday and all the local ATMs ran out of money during a festival. The banks were closed, but there was a WU outlet that was open, and I could make an online money transfer with WU using my debit card details. The country in question had very few places that accepted cards - almost all restaurants and shops etc. took cash only, so I really needed to have paper money.

        There are many Westerners who have met & befriended families while holidaying in poor countries and who send regular amounts for family support - again as no member of the family has a bank account, companies like WU are the only way to get cash to them.

    2. sanmigueelbeer Silver badge
      Joke

      Re: So what happens to the money?

      I think someone got an email from Microsoft about their computer has a virus. To inoculate, they need to pay $2.3mil in Bitcoin.

      1. Rich 11 Silver badge

        Re: So what happens to the money?

        It's Texas. The school probably got an email saying that unless they paid up Windows 7 was about to evolve into Windows 10.

    3. 2+2=5 Silver badge

      Re: So what happens to the money?

      > I know we in the US personal banking world are in the Stone Age compared to Europe.

      Nope, the whole banking industry world-wide is in the f*cking Stone Age. It's completely unacceptable that a mere number is used to identify the recipient.

      For consumer transfers there should be a name at least, and the transfer rejected if the name doesn't match the account - at least then the fraudster has to try and create a name that tricks the person as well e.g "Mr. C. A. Shonly"

      For business transfers over $1K there needs to be some sort of cryptographic handshake between payer and payee (the account holders, not the banks) to ensure identities are known. But, oh no, this might mean money could be traced - how will bankers survive when they can no longer launder money for 3rd world despots, sanctions busters and organised crime?

      1. Richard 12 Silver badge

        It's worse than that

        Most sort code & account number pairings do not have any form of embedded checksum. (IBAN does but other than in the Eurozone it generally isn't used for in-country transfers)

        So a single typographic error - eg transposed digits - is completely undetectable.

        Until you've accidentally paid a few million dollars to the wrong account, and a few weeks later get a reminder/final demand backed by inbound legal action to pay the invoice you definitely did pay on time, didn't you?

      2. Ochib

        Re: So what happens to the money?

        This has been proposed in the UK, however the banks have been slow to put this into practice

        https://www.wearepay.uk/new-name-check-safeguard-for-payments-revealed/

      3. big_D Silver badge

        Re: So what happens to the money?

        Germany used to enforce the name being correct in transfers, but people got the names wrong so often that they dropped it.

        If you were sending money to "Meine Elektronikfirma GmbH & Co. KG", you had to get the whole thing correct. Many people, writing out the transfer by hand, would just end "Meine Eletronikfirma" as the recipient and the bank would reject the payment, or they'd forget the period after Co etc. Or the cashier would make a mistake typing in the data.

        The automated systems couldn't tell the difference between "this is the wrong account" and "this is the right account, but 1 character is wrong". Given long names and not enough space on the payment slips for all the characters, it was just asking for trouble.

        1. mr-slappy

          Re: So what happens to the money?

          "Germany used to enforce the name being correct in transfers, but people got the names wrong so often that they dropped it"

          Not only that, but I quite often find that the HTML input field for an electronic payment is not long enough to allow for a long account name. (Why would they do that?)

          For example, my wife's and my joint bank account has the name "Mr Benedict X and Mrs Beatrice Y Slappy" (names changed 'cos I'm paranoid).

  2. Doctor Syntax Silver badge

    It used to be the case that your accounts system would have a postal address for a supplier, probably with some control management procedures to cover set-up and changes. Payments were made by printing out a piece of paper and posting it to that address. The supplier took the piece of paper to their bank to arrange for a credit transfer.

    Of course this was far too cumbersome to continue into the C21st. We need something much slicker, otherwise we'd be taking the bread out of the mouths of children of fraudsters like this. That would be unacceptable.

    1. veti Silver badge

      The irony is that making overseas payments - to, e.g., friends or family members - is much harder now than it was 20 years ago.

      1. katrinab Silver badge
        WTF?

        If I want to send money to Italy, which I do from time to time, I tap a few virutal buttons on the Revolut app on my phone, and four hours later, the money arrives at its destination. It doesn't cost me a single cent in bank charges.

        20 years ago, I would have had to spend an entire lunchtime at a bank branch, the transfer would take about two weeks to clear, and it would cost me many thousands of lire in bank charges.

        1. Is It Me Bronze badge

          Pretty much the same on Monzo and even Barclays. I think I had to pay a small fee when I have done it from Barclays.

          1. katrinab Silver badge

            Barclays I believe charges €6 / $6 for international payments. Whether or not you consider that to be a small fee I suppose depends on the size of the payment.

            1. Anonymous Coward
              Anonymous Coward

              > Barclays I believe charges €6 / $6 for international payments. Whether or not you consider that to be a small fee I suppose depends on the size of the payment.

              <fx:Pete & Dud> Yer, well, it's yer international electrons what are so expensive, innit.</fx>

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020