Scammers stole $2.3 billion in "business email compromise" attacks, FBI reports


#1

[Read the post]


#2

I know my company came close to doing it, when an exec was abroad (known from twitter?) a convincing email came through. Luckily the person receiving it double checked.


#3

So are the FBI saying we should have email encryption?


#4

cryptographically signed but unencrypted, and the PKI is run by the state. would be perfect for TLAs: no hassle to intercept and attributable to a real-life existence.


#6

But $15 an hour minimum wage is too high.


#7

Well, it’s the nobility cough sorry, management’s prerogative to do with the resources of the fiefdom as they see fit, not the techno-serfs.


#8

The plural of serf is spelled service.


#9

We had a ~$50k scam where I work not too long ago (this year) and it made it all the way to the account creation process for the money mule before it was stopped. It started with a fake email from our CEO requesting a vendor be paid ASAFP and the recipient complied and requested the account info. The fact that the new vendor was an individual who lived in an apartment didn’t even trigger any red flags.

Security wise / process wise, absolutely nothing has changed beyond a single email going out asking people to get verbal confirmation prior to releasing funds to executives / at the request of an executive. That is our SAT program in a nutshell. Yet we “tick the box” that we do SAT training on all our contracts, in fact we tick all the security boxes and just “absorb” the risk that represents… but I digress.

The most annoying part of this event for me, aside from the plethora of “told ya” fodder for why we should be doing Security Awareness Training, particularly on staff who have access to our accounts, was the response from our resident Cyber Security expert CIO. Yes, he still calls it “Cyber” – heck, he likes to tell “Cyber Stories” & I have actually heard “Cyber Story” and “Synergy” in the same sentence from this buffoon. He is so ignorant of how these scams work that he was flabbergasted that the recipient account was in the US and not in the Caribbean – as if these ever go there as their first stop, or even last… It’s always (almost to the point that being that generalized about it is pretty darn accurate) a money mule in the States that was solicited via Monster or Dice for a WFH money management gig who then sends the money via WU or a specific type of prepaid CC, but for amounts this high, typically via WU. Crap, did it again, anyway…

The CIO wanted to go after the account recipient with everything he could muster. Called the bank, the FBI and our law firm to see what we could sue them (her) for. All while I’m pointing out how this person is most likely an innocent victim and, since they didn’t send the email nor interact with us in any way/shape/form actually hasn’t done anything and could even be the victim of identify fraud.

Added to the fact that this person is economically disadvantaged, freezing her accounts could be crippling (she lived in a really crappy apartment that had multiple BBB complaints and some really bad reviews online) but when I sent him the google earth shot of her apartment, he scoffed and said “She has a pool, she’s doing all right.” (As if a pool makes things OK? WTF?!)
“That pool is in the property of the apartments across the street, she lives on the other side of that hill, by the trailer park – as indicated by the pip on google maps. It’s odds-on she has no idea that she’s involved in criminal activity, and based on her address the median income in her area is around $20k/yr – about what you make in a month.”

He refused to listen, so I found her phone number and called it from a payphone, she wasn’t home but had an answering machine. Sounded like one of the old ones - a physical machine on a land line – I can’t remember the last time I heard one of those…

I left her an anonymous message advising her of the situation and urged her to withdraw all of her money from her account (provided account #) ASAP because my employer was moving to get her account frozen. I had also researched some attorneys in her (general) area that worked with/had worked with the EFF and gave them their contact info and suggested she reach out for advice. After I hung up, I immediately called back and suggested she google CEO email scam & money mule - I don’t know what else I could have done…

I still felt dirty at the end of the day.


#10

This topic was automatically closed after 5 days. New replies are no longer allowed.