Email Scam Netted $17m From Single Firm

Fraudsters have made off with over $17m in what appears to be a targeted email attack, after managing to persuade a senior executive at commodities trader Scoular to wire the funds to a Chinese bank.  

An FBI statement filed last month in the US District Court in Omaha claims that Scoular corporate controller Keith McMurtry was targeted by emails faked to appear to come from CEO Chuck Elsea, according to Omaha.com.

The fraudsters seemed to have gone to great lengths to ensure the scam worked, using a made-up M&A deal as cover, and to ensure McMurtry didn’t tell anyone what he was doing.

“I need you to take care of this,” read an email spoofed to come from Elsea.

“For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”

McMurtry is also said to have received an email spoofed to look like it came from an employee at Scoular’s accounting firm, telling him where to send the money – the legitimate Shanghai Pudong Development Bank.

The scammers also made sure that someone was primed and ready to pick up the phone and answer to the name of the phantom accountant when McMurtry called the number given in the email.

His suspicions about the transfer were also said to have been allayed because the firm had been discussing expansion into China, although it’s not clear whether the fraudsters knew this or just got lucky.

The origin of the scammers is also unknown. The money was held for a company called Dadi Co. Ltd at the Shanghai bank, but the email addresses were apparently set up in Germany, France and Israel, and used servers in Moscow.

However, $17.2m is a drop in the ocean for Scoular, which is reported to make over $6bn in annual revenue.

Joram Borenstein, vice president at fraud prevention firm NICE Actimize, argued that organizations of all sizes are theoretically at risk of this kind of scam, especially when an email is all that’s needed to authorize a money transfer.

“Businesses should employ more stringent internal controls to avoid these situations, especially when significant sums of money are in play,” he told Infosecurity by email.
