
Football team pays $2.5 million to criminals in transfer fee scam

Football is a big-ticket news item all around the world, whichever flavour of the game you prefer.
Unsurprisingly, there are huge amounts of money at the top level in all codes of football – American, Australian, two different types of rugby, and the most widely-played variant, Association Football, variously known as the “world game”, the “beautiful game”, or soccer.
A lot of money, at least in European soccer, goes on transfer fees, paid when players switch between teams – sometimes between teams in the same league, but often in moves from country to country.
For example, Dutch player Stefan de Vrij moved from top-flight Dutch club Feyenoord to Italian football giants Lazio a few years ago.
We’re not sure what the total transfer fee was, but apparently the payments were done in installments, with the final payment, due in 2018, a cool €2,000,000 ($2.5 million).


Here’s the scary thing.
According to astonished football journalists the world over, Lazio apparently paid out that final $2.5m sum…
…to the wrong bank account, after being convinced to switch account numbers by an email scammer.
As one football writer quipped:

“There’s nothing more wonderful in the world than the spam folder […] – Lord knows how much utter nonsense lives there – but perhaps Lazio need better filters on their inbox…”

I chuckled at that remark, but the truth is almost certainly much more complex than just one piece of unfiltered spam.

Whaling – phishing on a grand scale

BEC, short for business email compromise, also known as “whaling” (because it’s phishing on a grand scale), is an increasingly common cybercrime in which the crooks take their time to build up trust first, before going for a single, giant sting at the end.
BEC gets its name because the crooks often take the trouble to hack one or more email passwords inside their target company along the way.
Crooks with full access to your email account can not only send email in your name from inside your network, but can also:

In other words, once the crooks control your email account, you can no longer trust your Inbox to contain everything you were supposed to see, and you can no longer trust your Sent folder to be a record of everything that went out from your account.
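The Lazio payment was diverted by an email asking for a change of bank account, and a compromised mailbox means neither the sender nor the thread history can be trusted. As an added example (not code from Sophos or from either club), here is a small screening check an accounts team could run on incoming payment-related mail: it holds any message that asks for new bank details, carries a bank identifier, comes from a domain not already on record for the counterparty, or replies to a different domain than it claims to come from, so that the change is confirmed by phone using a previously known number rather than by replying to the email. The domains, the IBAN and the message are constructed for illustration.

```python
import email.utils
import re
from email import message_from_string

# Constructed sample of a payment-redirect request; all addresses are invented.
SAMPLE = """From: Finance <finance@feyenoord-payments.example>
Reply-To: finance@feyen00rd.example
To: accounts@lazio.example
Subject: Final installment - updated bank details

Please note our bank has changed. Kindly send the final transfer
to the new account: IBAN NL91ABNA0417164300.
"""

# Domains previously agreed with the counterparty, out of band (assumed value).
KNOWN_COUNTERPARTY_DOMAINS = {"feyenoord.example"}

# Phrases typical of a request to redirect payment, and a loose IBAN pattern.
CHANGE_PHRASES = re.compile(r"\b(new|updated|changed)\s+(bank|account|iban|payment)", re.I)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def addr_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw_message):
    """Return {'hold': bool, 'reasons': [...]} for one RFC 5322 message string."""
    msg = message_from_string(raw_message)
    text = (msg["Subject"] or "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    reasons = []

    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    if from_dom not in KNOWN_COUNTERPARTY_DOMAINS:
        reasons.append("sender domain %r is not on record for this counterparty" % from_dom)
    if reply_dom != from_dom:
        reasons.append("Reply-To domain %r differs from From domain %r" % (reply_dom, from_dom))
    if CHANGE_PHRASES.search(text):
        reasons.append("message asks to change payment details")
    ibans = IBAN_RE.findall(text)
    if ibans:
        reasons.append("message contains bank identifier(s) %s" % ibans)

    # Any reason at all means: do not pay, verify by a known phone number first.
    return {"hold": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for line in screen(SAMPLE)["reasons"]:
        print("HOLD:", line)
```

A held message is not proof of fraud, only a trigger for confirmation through a channel the email thread cannot influence.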

High value, low volume

Remember that BEC crooks aren’t like conventional low-value/high-volume phishers, who might hope to make $20 each from hundreds of thousands of compromised passwords.
Instead, “whalers” are aiming the other way around, such as $100,000 each from 20 companies, or even millions of dollars from one or two companies.
As a result, the crooks have plenty of time to build up their insider knowledge, their trustworthiness, and their confidence-trickster patter before they go for gold.

What to do?

Let’s hope, for Lazio’s and Feyenoord’s sakes, that the money diverted in this scam gets halted by the banking system in time and can therefore be recovered…
