Police take just 2 days to recover $40M stolen in business email scam
- Reference: 1723030508
- News link: https://www.theregister.co.uk/2024/08/07/police_take_just_two_days/
- Source link:
Interpol was called in after an unidentified Singaporean commodity biz filed a police report on July 23 claiming it had been scammed out of $42.3 million four days earlier.
The company only became aware of the bamboozling when a supplier, the intended recipient of the money transfer, got in touch asking why it hadn't been paid.
[1]
Cybercrims capitalized on the knowledge that the victim business worked with the supplier in question and asked that the next payment made to it was sent to a new account based in Timor-Leste. The email address from which that request came was slightly misspelled but was convincing enough to trick the employee into sending the funds anyway.
[2]
[3]
Timor-Leste is known for being an attractive country for organized crime groups (OCGs) given its proximity to both Southeast Asia and the South Pacific. The smuggling of drugs and other illegal produce is usually the crime of choice in this corner of the world, but [4]money laundering and [5]cybercrime is also fairly pervasive.
The country tabled a draft cybercrime bill in 2021 but it has still yet to make any substantial moves toward becoming law. Its vague wording has also caught the attention of digital privacy advocates about it potentially threatening freedom of expression and freedom of the press.
[6]
Regardless, the country's local police force assisted their Singaporean and Interpol counterparts, locating and intercepting $39 million from the scammers' bank account. Seven arrests were also made following the intervention, which in turn led to the discovery of more than $2 million in additional funds.
The Singaporean commodity company still hasn't had its stolen funds sent back to it yet, but "steps are being taken" to complete the process.
"Speed is crucial to successfully intercepting the proceeds of online scams, with police, financial intelligence units, and banks cooperating across multiple jurisdictions in a race against time," said Isaac Oginni, director of Interpol's Financial Crime and Anti-Corruption Center.
[7]Google gamed into advertising a malicious version of Authenticator
[8]'LockBit of phishing' EvilProxy used in more than a million attacks every month
[9]Nigerian faces up to 102 years in the slammer for $1.5M phishing scam
[10]Money-grubbing crooks abuse OAuth – and baffling absence of MFA – to do financial crimes
"The cooperation between authorities in Singapore and Timor Leste in this case was exemplary and demonstrates how quick action through Interpol can help recover funds taken from the fraud victims and identify the perpetrators."
BEC scamming is a highly lucrative business and is more costly to US victims than ransomware, according to [11]a report from the feds earlier this year.
[12]
In 2023 alone, more than 21,000 complaints relating to BEC were filed with the FBI, which incurred adjusted losses exceeding $2.9 billion.
For comparison, the same report said 2,825 ransomware complaints were made with adjusted losses topping $59 million. It's a large discrepancy in monetary losses, however, it should be noted that [13]ransom payments are often made without informing law enforcement, and these losses may not account for downtime, recovery costs, and other finances associated with a ransomware attack. ®
Get our [14]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZrOaLJlnzNgoOkMSF2pBHAAAAAY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrOaLJlnzNgoOkMSF2pBHAAAAAY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrOaLJlnzNgoOkMSF2pBHAAAAAY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://www.theregister.com/2024/05/22/health_care_and_romance_frauds/
[5] https://www.theregister.com/2024/04/09/uk_biz_response_to_cybercrime/
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZrOaLJlnzNgoOkMSF2pBHAAAAAY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/08/05/security_in_brief/
[8] https://www.theregister.com/2024/07/30/evilproxy_phishing_kit_analysis/
[9] https://www.theregister.com/2024/06/14/phishing_scam_conviction/
[10] https://www.theregister.com/2023/12/14/moneygrubbing_crooks_abuse_oauth_apps/
[11] https://www.theregister.com/2024/03/19/crypto_scams_cost/
[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZrOaLJlnzNgoOkMSF2pBHAAAAAY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[13] https://www.theregister.com/2024/05/12/ransomware_negotiator_payments/
[14] https://whitepapers.theregister.com/
Re: As usual, improper accounting procedures are to blame
You forgot to include the think of the children excuse and the its holiday season excuse. And then, surely, you must know that the Nigerian prince has multiple accounts that have to be used in random sequence to satisfy the evasion strategy of the criminality of taxes in my country. And before you know it, you'll inherit the entire fortune of a rich heir you secretly hoped existed with a small down-payment (with someone else's money).
Who needs critical thinking when you can look forward to riches beyond your believe!
Re: As usual, improper accounting procedures are to blame
This stuff really isnt rocket science, I really do not understand how people lose so much this way.
1) If you receive an email informing you of a change in bank account. You ring the company at the number you already have for them (not the number on the email), and ask them if it's real.
2) If you receive a call from said firm. Nod along, agree. And then ring them back on the number for the company you already have. And ask them if it's real. (If they give you any crap about ringing them back, explain to them what BEC is and how one phone call removes all doubt. If you didnt ring, maybe they would be the ones going without payment next time).
3) If you receive an email or call asking you to now pay into a bank account in another country. It's a scam. Dont do it...
4) If you get an email or even call from "your" CEO (voice changers are a thing). Say Yes, nod along, and then contact your boss to contact the CEO to confirm that yes the transfer is required.
5) Dont break procedures to rush payments. There will never, ever, ever be a case where failure to transfer money this second will cause the company to lose business. So always check, and double check...
It's always a good idea to make sure anyone dealing with money transfers is aware of this sort of stuff, but really it is just common sense. But well I guess common sense isnt actually that common...
BEC?
> The email address from which that request came was slightly misspelled but was convincing enough to trick the employee into sending the funds anyway.
So did they compromise the suppliers' email system or did they register a similar domain?
Re: BEC?
When we had something very similar they registered a similar domain (a digit 1 instead of a letter l). Fortunately our users are now well trained!
The domain was blocked as soon as I informed the registrar.
Re: BEC?
It just seemed that the story was a bit contradictory in the method of stealing the money. First it said it was a business email compromise and then it said they used a similar email address.
We had a lookalike domain registered, but they weren't using it to attack us, they were using it to make starting a conversation with other organisations seem legitimate so they could send a malicious payload. They even connected the domain to a Google Workspace account. The registrar removed all the DNS entries as soon as I told them, but I couldn't get anywhere with Google.
As usual, improper accounting procedures are to blame
" asked that the next payment made to it was sent to a new account "
In a word, no. Not until we have a written letter signed by the CEO defining the new account, and then only when we have made a test transfer and validated that it worked.
What is it with these new account scams ? I will transfer the money to the account I know. You can transfer it to another account if you so wish.
Honestly, by now accountants should know that, if the transfer is urgent and the account is unknown, it's a scam. Period.