Football is a big-ticket news item all around the world, whichever flavour of the game you prefer.
Unsurprisingly, there are huge amounts of money at the top level in all codes of football – American, Australian, two different types of rugby, and the most widely-played variant, Association Football, variously known as the “world game”, the “beautiful game”, or soccer.
A lot of money, at least in European soccer, goes on transfer fees, paid when players switch between teams – sometimes between teams in the same league, but often in moves from country to country.
For example, Dutch player Stefan de Vrij moved from top-flight Dutch club Feyenoord to Italian football giants Lazio a few years ago.
We’re not sure what the total transfer fee was, but apparently the payments were done in installments, with the final payment, due in 2018, a cool €2,000,000 ($2.5 million).
Here’s the scary thing.
According to astonished football journalists the world over, Lazio apparently paid out that final $2.5m sum…
…to the wrong bank account, after being convinced to switch account numbers by an email scammer.
As one football writer quipped:
“There’s nothing more wonderful in the world than the spam folder […] – Lord knows how much utter nonsense lives there – but perhaps Lazio need better filters on their inbox…”
I chuckled at that remark, but the truth is almost certainly much more complex than just one piece of unfiltered spam.
Whaling – phishing on a grand scale
BEC, short for business email compromise, also known as “whaling” (because it’s phishing on a grand scale), is an increasingly common cybercrime in which the crooks take their time to build up trust first, before going for a single, giant sting at the end.
BEC gets its name because the crooks often take the trouble to hack one or more email passwords inside their target company along the way.
Crooks with full access to your email account can not only send email in your name from inside your network, but can also:
- Look through your email history to learn the sort of phrases, greetings and sign-off remarks you tend to use.
- Keep track of deals that you’re working on, and payments that are about to come due.
- Make copies of official invoices and other documents for future reference when quoting details such as account numbers, payment amounts and due dates.
- Delete fraudulent emails from the Sent folder so you won’t notice that your account has been hijacked to send unauthorised correspondence.
- Delete incoming warning emails from colleagues, including the IT team, that might otherwise blow the lid on the scam.
- Set up email rules to divert incoming messages to an email subfolder so the crooks get to see your emails first, and can read, reply to and delete them without you realising.
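One way to hunt for the rule-based tricks listed above is to review every mailbox’s inbox rules for external forwarding, hide-and-delete behaviour and payment-themed filters. This is an added example, not code from the article or from Sophos; the rule records and field names are constructed to resemble an Exchange inbox-rule export, and the internal domain and the folder list are assumptions.

```python
"""Flag mailbox inbox rules that match BEC account-takeover tradecraft.
Added example, not from the article. Rule records are a constructed sample
loosely shaped like an Exchange inbox-rule export; field names are assumed."""
import re

INTERNAL_DOMAIN = "example.com"  # assumption: your own mail domain
# Folders crooks favour because users rarely look in them (heuristic).
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "junk email", "deleted items"}
# Keywords suggesting the rule is hunting for payment or IT/security traffic.
HOT_WORDS = re.compile(r"invoice|payment|wire|bank|transfer|password|"
                       r"suspicious|phish|security", re.I)

def review_rule(rule):
    """Return the reasons a rule looks suspicious (empty list = looks benign).
    rule keys: name, forward_to, move_to, delete, keywords (all optional)."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    folder = (rule.get("move_to") or "").lower()
    if folder in OBSCURE_FOLDERS:
        reasons.append("moves mail into a rarely-read folder: " + folder)
    if rule.get("delete"):
        reasons.append("deletes mail automatically")
    hits = [k for k in rule.get("keywords", []) if HOT_WORDS.search(k)]
    if hits and reasons:  # keyword filters only matter if the mail is also hidden
        reasons.append("targets payment/IT keywords: " + ", ".join(hits))
    return reasons

def suspicious_rules(rules):
    """Map rule name -> reasons for every rule that triggered at least one reason."""
    return {r["name"]: why for r in rules if (why := review_rule(r))}

# Constructed sample: one benign rule, two shaped like the tricks described above.
SAMPLE_RULES = [
    {"name": "Newsletters", "move_to": "Reading", "keywords": ["newsletter"]},
    {"name": ".", "forward_to": ["cfo.backup@mail-example.net"], "delete": True,
     "keywords": ["invoice", "payment", "bank"]},
    {"name": "IT", "move_to": "RSS Feeds",
     "keywords": ["suspicious", "password"]},
]

if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(why)}")
```

A rule named with a single dot or a bland word like “IT” is itself a common tell, since the crooks want it to sit unnoticed in the rule list.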
In other words, once the crooks control your email account, you can no longer trust your Inbox to contain everything you were supposed to see, and you can no longer trust your Sent folder to be a record of everything that went out from your account.
High value, low volume
Remember that BEC crooks aren’t like conventional low-value/high-volume phishers, who might hope to make $20 each from hundreds of thousands of compromised passwords.
Instead, “whalers” are aiming the other way around, such as $100,000 each from 20 companies, or even millions of dollars from one or two companies.
As a result, the crooks have plenty of time to build up their insider knowledge, their trustworthiness, and their confidence-trickster patter before they go for gold.
What to do?
- Watch out for apparently innocent emails trying to make contact, such as, “Hey, are you in the office today?”, “I’m on the road this week, can you talk to IT for me?”, or “I left my phone in the airport so can you call me on this temporary SIM card I had to buy in [whichever country your boss is visiting this week, as mentioned on your company blog]?”
- If in doubt, ask internally for help on how to double-check the truth of any message you just received. For example, if HR were to call your boss’s allegedly lost phone and your boss were to answer, you’d have knocked a scam on the head right there by exposing the fraudsters’ treachery.
- Follow a strict, multi-person process for changing financial records for customers and suppliers. Even the CFO’s say-so (or apparent say-so), shouldn’t be enough on its own to change where business payments are made – insist upon a second pair of eyes. As carpenters like to say, “measure twice, cut once.”
- Use two-factor authentication (2FA) for your business account logins whenever you can. 2FA, where you need a one-time code as well as your password every time you log in, isn’t perfect, but it makes attacks such as email account compromise much harder for the crooks.
- If you see something, say something. Phishers and whalers don’t just try to trick one user and then give up – they’ll keep trying with other people inside the company until they get lucky. So, the sooner someone raises the alarm, the sooner your security team (even if that’s just you!) can let everyone know and you can close ranks against the crooks.
Let’s hope, for Lazio’s and Feyenoord’s sakes, that the money diverted in this scam gets halted by the banking system in time and can therefore be recovered…
Anon
Really good article as usual. I found this sentence to be a little confusing:
“If they can get control of the email address of, say, your CFO or chief accountant, then they can send mail that doesn’t seem to come from one of your senior managers, but actually does come from them – or, more precisely, from their account.”
It made me think you were implying they could send email from OTHER senior manager email accounts just because they had compromised one and I don’t think that what you mean.
Paul Ducklin
You’re right – that sentence was a bit of a handful, so I got rid of it. The point speaks for itself – with your email password the crooks can send emails straight from your account.
Curricula
This is amazing, you would think there is an ESCROW type service for transfer fees. Loosely paying a random bank account via email is a process gap beyond this breach.