
Sports team nearly paid a $1.25m transfer fee… to cybercrooks

If you were about to spend more than a million dollars, how careful would you be about where you sent the money?
More importantly, how would you check with the recipient of the money – and how would they check with you – that both ends of the transaction were lined up correctly, with no treachery in between?
It’s quite likely you’d have been emailing them back and forth for some time, negotiating the deal, agreeing terms and finalising payment…
…and therefore it’s quite likely that you’d email each other one last time before it all went through.
And if there were a last-minute change in payment details, you might be really relieved to hear about that, especially if the deal were time-critical, like a house purchase, a stock offer…
…or a £1,000,000 payment as part of a player transfer in the English Premier League – the richest soccer competition in the world, and the most-watched sports franchise on the planet. (Probably, although NFL, NHL, MLB and IPL fans may wish to disagree.)
After all, transfer windows are short, and transfer negotiations are complicated, so a payment that failed to go through at the last step could ruin a deal that had been months in the offing.
Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and rather than saving the deal at the last minute, the club would have lost the lot.
Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.
Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.

As you can probably guess, that scam was what’s known as BEC, short for business email compromise.
BEC is something of a special category in the world of online crime – in fact, it’s probably better to refer to it as ‘internet-enabled crime’ than simply as cybercrime.
The criminals behind it don’t have to be programming wizards or malware authors; they don’t need elite hacking or exploit-creating skills; and they don’t need the know-how to carry out network intrusions, lateral movement and so on.
What they do have is patience, persistence, self-belief and what you might call sociopathic-level skills in social engineering.
In old-school terminology, you’d call them confidence tricksters, though they are generally using the internet to manipulate victims, not their in-person charisma.
The basic idea behind BEC crime is surprisingly simple: get hold of the email password of someone of importance in the organisation, read all their email before they do, learn how they operate, find out what the company is up to and learn when big payments are coming up, in or out…
…and then take on the persona of the employee whose email was compromised in order to misdirect other employees, as well as creditors and debtors.
Thus the name business email compromise, sometimes called CEO fraud or CFO fraud because those are the staff members whose email accounts typically deliver the most dramatic results for the crooks.

We try to avoid the terms CEO fraud and CFO fraud these days because those names wrongly imply that BEC depends specifically on the CEO or CFO getting hacked, and therefore if their accounts are intact, the company is safe. Many organisations don’t even use the job titles CEO and CFO, yet they too are at risk of exactly this sort of fraud.
As you can imagine, the typical corporate manipulation performed by BEC crooks is to get debtors to pay outstanding invoices into “new” bank accounts that belong to the criminal gang, or to instruct staff inside the company to pay outgoing invoices to phoney accounts instead of to genuine creditors, thus stealing money from both sides of the balance sheet.
BEC criminals use technology to help them misdirect humans, and once they have their operation running inside a company, they aim to keep the misdirection going for as long as possible by mixing social engineering skills with their insider knowledge.
If a crook is inside your email, remember that they can not only send emails in your name, they can also: delete those emails from your outbox so you don’t even see they were sent; intercept and remove or modify any replies from colleagues who become suspicious and ask questions; mollify others in the company who are trying to raise the alarm; and threaten those who try to get in the way.
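A release-time control in the spirit of the check the club’s bank applied, written as an added example that is not from the article or the NCSC report: before a payment goes out, compare the nominated account with what is on file for that payee and hold anything that differs, changed recently, or arrived by email above a threshold for out-of-band (phone, not email) confirmation. The payee register, thresholds and sample instructions are constructed assumptions.

```python
"""Hold-for-verification check against BEC-style account switches (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

CALLBACK_THRESHOLD = 50_000                 # assumption: emailed details at/above this always need a call-back
RECENT_CHANGE_WINDOW = timedelta(days=30)   # assumption: an account changed this recently is treated as unverified


@dataclass
class PayeeRecord:
    name: str
    account: str              # sort code + account number as one string
    account_changed_on: date  # when the account on file was last changed
    verified_out_of_band: bool


@dataclass
class PaymentInstruction:
    payee: str
    account: str
    amount: int
    pay_date: date
    source: str               # how the details arrived, e.g. "email" or "vendor_portal"


def assess_payment(instr: PaymentInstruction, register: Dict[str, PayeeRecord]) -> List[str]:
    """Return the reasons a payment must be held for verification; [] means it may be released."""
    reasons: List[str] = []
    rec = register.get(instr.payee)
    if rec is None:
        reasons.append("unknown payee")
    elif instr.account != rec.account:
        # The classic BEC move: a "new" account nominated at the last minute.
        reasons.append("account differs from the one on file")
    elif instr.pay_date - rec.account_changed_on <= RECENT_CHANGE_WINDOW and not rec.verified_out_of_band:
        reasons.append("account changed recently without out-of-band verification")
    if instr.amount >= CALLBACK_THRESHOLD and instr.source == "email":
        # Large sums whose details came by email get a call-back regardless of the register.
        reasons.append("large payment with details received by email")
    return reasons


# Constructed sample register (hypothetical payees and account strings)
REGISTER = {
    "Club A": PayeeRecord("Club A", "20-00-00 11111111", date(2019, 3, 1), True),
    "Agent B": PayeeRecord("Agent B", "40-00-00 22222222", date(2020, 7, 10), False),
}
```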

What to do?

Of course, this raises the tricky question, “If a crook has already snuck in, got into someone’s email, and is lying low looking for a chance to swindle the whole company, how on earth do you spot the fake emails that shouldn’t be there amongst all the real ones that are still flowing normally?”
Here are six tips to help you detect and prevent this sort of corporate manipulation:

By the way, if you’re wondering how much money is involved in BEC criminality, take a look at the story behind the recent arrest of an alleged BEC scammer in the USA who went by the name “Hushpuppi.”
Don’t let it happen to you!
