Orion SA says scammers conned company out of $60 million
- Reference: 1723548428
- News link: https://www.theregister.co.uk/2024/08/13/orion_sa_says_scammers_conned/
- Source link:
The description of the incident taken from the company's Form 8-K filing with the US Securities and Exchange Commission (SEC) suggests that it may have been a business email compromise (BEC) scheme, although the term isn't used explicitly.
"On August 10, 2024, Orion SA determined that a Company employee, who is not a named executive officer, was the target of a criminal scheme that resulted in multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties," the [1]filing reads.
[2]
"As a result of this incident, and if no further recoveries of transferred funds occur, the company expects to record a one-time pre-tax charge of approximately $60 million for the unrecovered fraudulent wire transfers."
[3]
[4]
The Form 8-K also explicitly noted that there was no break-in into its systems, nor has any of its data been compromised.
BEC scams make for a nasty business. The Feds themselves [5]said earlier this year that they're even more lucrative than [6]ransomware , incurring adjusted losses of $2.9 billion in 2023 alone.
[7]
It's a form of phishing that typically involves spoofing a trusted email address, such as a business' supplier with which the accounting department, for example, regularly authorizes sizable money transfers.
Usually, the email address is well-concealed – perhaps just a single character is amiss. The scammers often also carry out thorough research of both the target and their supplier, learning how and when they communicate to make the deception even more convincing.
For example, one Massachusetts trade union was [8]targeted in such a way in January 2023. The scammers tricked one union staffer into sending millions of dollars to their bank accounts after spoofing a supplier and mentioning previously discussed transactions from genuine emails between the target and real supplier.
[9]
Orion obviously won't be happy about potentially losing the $60 million for good, but it's far from a threatening loss for a company that recently upgraded its 2024 outlook in its half-year results.
It beefed up the estimates for net sales by a pretty sizeable amount. It initially set the range to be between $1.46 billion and $1.54 billion – it's now forecast to be between $1.57 billion to $1.61 billion. Operating profit estimates also rose to a figure somewhere between $382.3 million $415 million, compared to between $305.8 million and $338.5 million in the prior period.
[10]Trump campaign cites Iran election phish claim as evidence leaked docs were stolen
[11]Police take just 2 days to recover $40M stolen in business email scam
[12]Proofpoint phishing palaver plagues millions with 'perfectly spoofed' emails from IBM, Nike, Disney, others
[13]New York Times source code leaks online via 4chan
Orion said law enforcement was made aware of the incident and that it intends to pull every lever within reach to recover the lost funds, including potentially available [14]insurance coverage.
"To date, the Company has not found any evidence of additional fraudulent activity and currently does not believe the incident resulted in any unauthorized access to data or systems maintained by the Company," the filing went on to say.
"However, the Company's investigation into the incident and its impacts on the Company, including its internal controls, remains ongoing. The business and operations were not affected."
The Register asked for more information. Orion told us: "Amid the ongoing investigation, we are not providing details beyond what is included in our 8-K filing." ®
Get our [15]Tech Resources
[1] https://www.sec.gov/Archives/edgar/data/1609804/000095014224002170/eh240519238_8k.htm
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZruDI4OiT@KVJKVIkGBNHAAAAFY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZruDI4OiT@KVJKVIkGBNHAAAAFY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZruDI4OiT@KVJKVIkGBNHAAAAFY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2024/03/19/crypto_scams_cost/
[6] https://www.theregister.com/2024/07/17/ransomware_continues_to_pile_on/
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZruDI4OiT@KVJKVIkGBNHAAAAFY&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[8] https://www.theregister.com/2024/06/06/union_bec_scam/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZruDI4OiT@KVJKVIkGBNHAAAAFY&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[10] https://www.theregister.com/2024/08/12/trump_campaign_hacked_iran_claim/
[11] https://www.theregister.com/2024/08/07/police_take_just_two_days/
[12] https://www.theregister.com/2024/07/30/scammers_spoofed_emails/
[13] https://www.theregister.com/2024/06/07/4chan_nyt_code/
[14] https://www.theregister.com/2024/05/14/uk_ncsc_partners_with_insurance/
[15] https://whitepapers.theregister.com/
It just gets worse...imagine the conversation...
Scammer 1: "We need a new trick, nobody falls for the Nigerian Prince scam any more, even though we offer them huge sums of money"
Scammer 2: "Now just a thought, how about we stop offering them anything and just tell them to replace a major vendor's bank details in their system with ours so we get the money instead of the proper people?"
Scammer 1"WTF? What idiot is going to fall for that, next thing you will be suggesting we invent our own currency that doesn't actually exist anywhere except in a block of data on someone else's computer - or even start telling people we have invented artificial intelligence by renaming predictive texting to LLM so we can charge for it"
Scammer 2: "You're right, sorry, let's go back to kidnapping and piracy, we could make THOUSANDS of dollars a year doing that!!"
Just as likely is an impersonation of some senior member of staff telling some junior member to transfer money because of some big deal. There was a report somewhere (not, I think, here) of Ferrari dodging an extremely good fake at very high level (boss to one step down) because he said he'd have to verify, what was the book they'd been discussing the other day? I think that was improvised but it does need to be laid down that very firmly and from the very top that any instruction to transfer large amounts of money outside of standard business procedures need to be verified by some back channel if the instruction is not given face to face, no matter how senior the "instructor" is and how junior the instructee. And that "because I say so" should never be accepted as verification.
The primary requirement is a belief that "It couldn't happen to us". So no confirmation or anything.
Every day my businesses usually get at least three or four of these kinds of scam emails.
But there are two important differences between my businesses and multi-billion dollar businesses like the subject of this article:
1. The amounts of money my businesses handle are much smaller.
2. In the final analysis, it's all my money.
So I guess that's why nobody's ever scammed my businesses out of anything.
Unless you count the Tax Man, who has unjustifiably enriched himself at my expense on more than one occasion, but with amounts too small to spend the rest of my life chasing.
Oh, and the energy companies, who routinely steal money directly from my bank accounts on the pretext of "estimated use" despite the fact that they know perfectly well that the use will be nothing like as high as their "estimates".
Oh, except for Scottish Power - who have been threatening me with legal action ever since I fired them in December 2021. I said "Please go ahead, I'll make you look very silly in Court". So instead of suing me, they keep selling their imaginary "debt" to different debt collection companies (I suppose it's easier than actually doing something worth-while for a living) who get the same response from me.
What I'm saying is that scammers are everyfuckingwhere, it isn't always obvious who they are, and you need eyes in the back of your head. I'd flog them.
Dear rich company.
Without explanation, please send all money to this brand new account we have.
Don't bother ringing us to confirm, we're all on holiday or something.
Just send millions of dollars, it'll be totally fine.
kthnxbye