How to investigate/mitigate $29,000 wire transfer scam
August 3, 2017 9:45 PM Subscribe
The staff at my senile father-in-law's company fell victim to a hacking or social engineering scam, and transferred $29,000 to the scammers before cluing in. We're not 100% sure how this happened. My wife and I are tech-savvy but they are not...we need to quickly look at all angles to a) ensure that nothing further happens, and b) see how the money could be recovered (longshot, I know)
I just found out tonight. Apparently this has been an issue over the last few days. This is what I know:
My father-in-law (FIL), owns a small company in Canada that imports food products and redistributes them to retailers (grocery stores).
FIL's right-hand-man (RHM) at the company handles all communications, shipping & receiving, payment to suppliers, etc.
The company has had a longstanding (20+ years) relationship with one particular overseas supplier (The Supplier).
Recently, RHM received a fake email that was expertly crafted to look like it came from The Supplier, quoting prior legitimate emails with purchase order details, informing us that they needed us to redirect wire transfer payments to a different bank in a different country. RHM fell for it and sent the funds to some numbered account in Sweden. The fake email had the same display name, but the actual FROM address was similar enough to fool non-tech savvy people like FIL and RHM.
After a few days went by, FIL spoke by phone to The Supplier and everyone realized what had happened. FIL went to the local police, but they were unsurprisingly powerless to help.
This evening, after my wife and I learned of the situation, we logged into FIL's company email account (Yahoo) to change the password. I am tech savvy and am aware that Yahoo was hacked last year, however checking the account against haveibeenpwned.com says "good news, no pwnage found".
Furthermore, a new email from the FAKE Supplier was received today. I guess they found that we were suckers and want to milk us for more. They sent instructions to wire money to another account (this time in The Netherlands). The bank opens in a few hours local time and I will be calling the police and the bank there.
So my questions are:
- what can I do and what must I do, besides what I've already done?
- what's a plausible means by which the scammers were able to craft the fake email? Especially quoting previous emails? I'm guess either they hacked into our email or that of The Supplier.
- what can Law Enforcement agencies do? what I can I reasonably expect them to do?
I just found out tonight. Apparently this has been an issue over the last few days. This is what I know:
My father-in-law (FIL), owns a small company in Canada that imports food products and redistributes them to retailers (grocery stores).
FIL's right-hand-man (RHM) at the company handles all communications, shipping & receiving, payment to suppliers, etc.
The company has had a longstanding (20+ years) relationship with one particular overseas supplier (The Supplier).
Recently, RHM received a fake email that was expertly crafted to look like it came from The Supplier, quoting prior legitimate emails with purchase order details, informing us that they needed us to redirect wire transfer payments to a different bank in a different country. RHM fell for it and sent the funds to some numbered account in Sweden. The fake email had the same display name, but the actual FROM address was similar enough to fool non-tech savvy people like FIL and RHM.
After a few days went by, FIL spoke by phone to The Supplier and everyone realized what had happened. FIL went to the local police, but they were unsurprisingly powerless to help.
This evening, after my wife and I learned of the situation, we logged into FIL's company email account (Yahoo) to change the password. I am tech savvy and am aware that Yahoo was hacked last year, however checking the account against haveibeenpwned.com says "good news, no pwnage found".
Furthermore, a new email from the FAKE Supplier was received today. I guess they found that we were suckers and want to milk us for more. They sent instructions to wire money to another account (this time in The Netherlands). The bank opens in a few hours local time and I will be calling the police and the bank there.
So my questions are:
- what can I do and what must I do, besides what I've already done?
- what's a plausible means by which the scammers were able to craft the fake email? Especially quoting previous emails? I'm guess either they hacked into our email or that of The Supplier.
- what can Law Enforcement agencies do? what I can I reasonably expect them to do?
Best answer: This has very little to do with tech savvy and a lot with very good scamming. For the last six months I have had scamming emails every single day at my work email address. These included emails that appeared to be from close colleagues, from third parties and an infuriatingly good one that looked like the kind of message our it helpdesk sends to confirm status of your ticket, down to ticket reference convention. I work for a multi national and get training in this stuff regularly and this was not obvious to me as fake based on appearance, I just knew I had no open tickets but I had to pay extreme attention to details to find the other problems. And our emails were not hacked.
One of my clients recently fell foul of the exact scam that affected your FIL's company. They only got the money back because their payment approved had an epiphany about the payment within minutes of making it, contacted the bank immediately and they had not transferred the funds physically at that point. That's also a multinational.
So whilst I can't speak to system measures or legal matters please reassure these people that they were not as foolish as they may feel. Focus should be on prevention - training on spotting these things, procedures around how they accept and validate payment request and data change requests etc. before acting on them.
posted by koahiatamadl at 10:29 PM on August 3, 2017 [3 favorites]
One of my clients recently fell foul of the exact scam that affected your FIL's company. They only got the money back because their payment approved had an epiphany about the payment within minutes of making it, contacted the bank immediately and they had not transferred the funds physically at that point. That's also a multinational.
So whilst I can't speak to system measures or legal matters please reassure these people that they were not as foolish as they may feel. Focus should be on prevention - training on spotting these things, procedures around how they accept and validate payment request and data change requests etc. before acting on them.
posted by koahiatamadl at 10:29 PM on August 3, 2017 [3 favorites]
Supplier should probably alert its other clients.
posted by amtho at 11:00 PM on August 3, 2017 [8 favorites]
posted by amtho at 11:00 PM on August 3, 2017 [8 favorites]
Is there any chance the previous order info etc originated from inside your FIL's company?
posted by KateViolet at 3:58 AM on August 4, 2017 [2 favorites]
posted by KateViolet at 3:58 AM on August 4, 2017 [2 favorites]
Local police agencies are often useless when it comes to this kind of issue. In the U.S., the FBI should be involved. In Canada - RCMP?
posted by megatherium at 4:12 AM on August 4, 2017 [1 favorite]
posted by megatherium at 4:12 AM on August 4, 2017 [1 favorite]
Best answer: If the supplier had been hacked, the email would presumably have been sent directly from their actual account, its more likely something on your end has been hacked.
Changing the yahoo password is a good start, but it could be malware installed on machines used to access the account also, i'd call in professionals to assess the computer security at the location. If that's not feasible, i'd make sure to run malware/virus scans on all machines in use at a minimum.
posted by TheAdamist at 4:44 AM on August 4, 2017 [2 favorites]
Changing the yahoo password is a good start, but it could be malware installed on machines used to access the account also, i'd call in professionals to assess the computer security at the location. If that's not feasible, i'd make sure to run malware/virus scans on all machines in use at a minimum.
posted by TheAdamist at 4:44 AM on August 4, 2017 [2 favorites]
No changes to standing payment instructions without a confirmation phone call, in which your FIL's company calls the supplier (not vice versa).
posted by Mid at 7:10 AM on August 4, 2017
posted by Mid at 7:10 AM on August 4, 2017
Best answer: Agreed that this isn't a technical problem to be solved. It's a social engineering problem coupled with loose fiscal controls. (See this story about someone conned into sending their mortgage payments somewhere else and lost their house).
Can one person at the company send/wire company money to anyone else with out a secondary person authorizing it ?
posted by k5.user at 7:16 AM on August 4, 2017 [1 favorite]
Can one person at the company send/wire company money to anyone else with out a secondary person authorizing it ?
posted by k5.user at 7:16 AM on August 4, 2017 [1 favorite]
Have a signer on the sending account contact their bank and ask to have the wire recalled. The sending bank will then contact the receiving bank and ask for permission. This process can take days so it helps to make the situation and urgency clear. The receiving bank may just send the cash back, they may ask the receiving account owners for consent... Of course if the scammer has already moved the cash, that's it.
I am an international banking administrator for a large corp and have seen recalls work in this situation--but they are decreasingly effective as time passes.
posted by heatvision at 8:02 AM on August 4, 2017 [2 favorites]
I am an international banking administrator for a large corp and have seen recalls work in this situation--but they are decreasingly effective as time passes.
posted by heatvision at 8:02 AM on August 4, 2017 [2 favorites]
You have to alert the RCMP in their cyber crime unit here. When I had an issue I could get my money back, but the timeline was a couple of days, not years. In any case, they keep databases and this can help future victims.
posted by TheGoodBlood at 8:46 AM on August 4, 2017
posted by TheGoodBlood at 8:46 AM on August 4, 2017
Supplier may not have been hacked -- in fact, nobody may have been hacked. It's possible, though, that the person(s) perpetrating this are working from a list of their clients. Even if not, this category of attack is a new thing that all companies like those clients should be watching out for, so notifying their clients to be on alert will be helpful for everyone. Supplier doesn't want all its clients to be victimized by whatever means, so protecting them by sharing information makes sense.
posted by amtho at 9:04 AM on August 4, 2017 [1 favorite]
posted by amtho at 9:04 AM on August 4, 2017 [1 favorite]
Do push the police to take action and do work with Supplier to investigate. I have not seen these scams, but it makes me wonder how they were able to successfully create the scam. Is it possible it's someone in Supplier's company? Good luck with the process and with FIL.
posted by theora55 at 9:15 AM on August 4, 2017
posted by theora55 at 9:15 AM on August 4, 2017
I don't use Yahoo, but changing the password might not be enough. Check and make sure there are no connected apps or forwarding filters or anything like that. Two-step verification is also a good idea. But it sounds like this isn't so much a hacking problem as it is simply a scam. The scammer must've "spoofed" the supplier's email account, or hacked it and actually used it. Flag it to the supplier, but "spoofing" can happen, especially if people are checking incoming messages carefully. In your situation, I'd call the bank and I'd call the police in the Netherlands and see if maybe they can help you catch these people in a sting operation, but they might not be interested. Often times, banks will cover you in cases of fraud, but I'm not sure about this specific instance.
posted by AppleTurnover at 1:12 PM on August 4, 2017
posted by AppleTurnover at 1:12 PM on August 4, 2017
« Older Where in the neighborhood do we watch the eclipse? | All theory, no action got very, very old Newer »
This thread is closed to new comments.
This is common enough to be worried about it happening again, and can be prevented by requiring all transfers to new accounts be verbally confirmed by the supplier.
posted by FallowKing at 10:15 PM on August 3, 2017 [1 favorite]