Phishing Scammers Convince Grocery Store To Give Them $10 Million

from the the-big-phish dept

Tue, Oct 30th 2007 9:49pm — Mike Masnick

By now, most people are familiar with how phishing scams work, usually preying on individuals and tricking them into handing over data that allows the scammers access to bank accounts or other useful info. However, scammers have been aiming a bit higher lately. One tactic is commonly referred to as "spear phishing," where scammers focus on business targets, and attempt to convince them that they're actually coming from partners or suppliers. Apparently one such spear phishing attempt nearly worked to the tune of $10 million. The scammers sent two emails to someone at the headquarters of the supermarket chain Supervalu, purporting to be from Supervalu suppliers American Greetings and Frito-Lay. Both emails claimed that their bank account info had changed and Supervalu now needed to deposit payments into different accounts. Someone at Supervalu followed the instructions, leading approximately $10 million to be deposited into the two accounts over a period of about 4 days. At this point, someone from Supervalu figured out there was a problem and alerted the authorities, who were then able to recover most of the money before the scammers withdrew it. However, it appears that no one has yet figured out who opened the accounts, though Supervalu has filed a lawsuit in order to try to get that information.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: phishing
Companies: supervalu

20 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 30 Oct 2007 @ 9:54pm

There is no defence against stupidity.
[ link to this | view in chronology ]
Search◊ Engines Web, 30 Oct 2007 @ 10:53pm

WHO??????????????????????????????
What is so-o frustrating about that news coverage is the lack of information about WHO made the discovery about the fraud - and HOW .

This could be a valuable lesson for everyone.

Hopefully that person received some recognition and there were no obstacles or politics preventing their responses to their suspicions.

One also has to wonder if this was an inside job. Someone would have to have some intimate knowledge of the company to even attempt this with any credibility.
[ link to this | view in chronology ]
modest, 30 Oct 2007 @ 11:15pm

yea so
I need to alert everyone that their utility bills are now to be sent directly to me through paypal.

I'm serious.
[ link to this | view in chronology ]
peoplegeek, 30 Oct 2007 @ 11:19pm

The grocery store people were just victims. If the email came to the right business email it could have looked okay.

The scammers on the other hand..That money should have been transferred twice in the first 24 hours it hit the account.

First to a neutral uninteresting country, next to an openly uncooperative country.

At that point it should have been turned into hard money even if it was only .50 on the dollar.

Lazy stupid scammers
[ link to this | view in chronology ]
- z, 31 Oct 2007 @ 1:45am
  
  Re:
  If you want to transfer $10 million, i can almost guarantee that the bank will sit on that money for a couple of days(and use it in the mean time)
  
  sometimes it takes days to cash a certefied check if it exceeds like $10,000. Let's say you owned your house and sold it. The lender will give you a check. You want to cash it, you better be prepared to wait for a week.
  These transactions are not as fast (for an average Joe) as we'd like it to be.
  [ link to this | view in chronology ]
- space scooter, 31 Oct 2007 @ 6:02am
  
  Re:
  peoplegeek: NO legitimate bank EVER communicates by email to notify you of account changes or required account activity. That person was unbelievably stupid to fall for such a scam. I really hope they were fired.
  [ link to this | view in chronology ]
  - .Net Developer, 31 Oct 2007 @ 6:29am
    
    Re: Re:
    What world do you live in? My bank legitimately sends me emails when the terms of my account change. Also, if you would actually READ the article, a bank did not send the email. The email looked like it came from employees at a company who said their banking info changed. Yes it is different.
    [ link to this | view in chronology ]
    - Anonymous Coward, 31 Oct 2007 @ 8:40am
      
      Re: Re: Re:
      What world do you live in?
      
      Every piece of email I receive from my bank states clearly that I should be aware of fraudlent email and should not give ANY sensitive information through email alone.
      
      Secondly, it is fantastically moronic to change where you send millions of dollars JUST because SOMEONE sent you an email. To say otherwise means YOU live in some fairy like, idyllic world, that or you're just as stupid as the person who let the 10 million go into another account because an email told him so.
      [ link to this | view in chronology ]
      - .Net Developer, 31 Oct 2007 @ 10:56am
        
        Re: Re: Re: Re:
        I agree it is moronic, but my reply was to space scooters first sentence. The rest I agree with.
        [ link to this | view in chronology ]
Paul, 31 Oct 2007 @ 12:57am

Verify?
"Someone at Supervalu followed the instructions" without verifying the authenticity first? DUMB! A non-male of the light coloured hair variety maybe?
[ link to this | view in chronology ]
- noneofyourbuisness, 3 Feb 2009 @ 6:16pm
  
  Re: Verify?
  first of all your idiot for making a comment like that it wasnt a females mistake im sure of that
  [ link to this | view in chronology ]
Max Powers at http://ConsumerFight.com, 31 Oct 2007 @ 1:35am

Stupid Criminals can't follow through
Just think if they were smart criminals. If they were not so greedy they probably could have gotten away with it if they had tried scamming for a lot less.

This is just an update of the old scam of mailing a business a fake invoice and see if they send a check.

I have always thought of pulling off the "greatest scam/con of all time" but then reality sets in and I remember all those prison movies.

It's hard to find a smart criminal these days.
[ link to this | view in chronology ]
- ehrichweiss, 31 Oct 2007 @ 8:42am
  
  Re: Stupid Criminals can't follow through
  "I have always thought of pulling off the "greatest scam/con of all time""
  
  Yeah. I just read in the news that someone was caught doing a scam I conceptualized about 10 or more years ago. The reason they got caught? Greed. My idea was that one could drive all over the country pretty much for free by using 2 vans to steal gas from gas stations through the holes they use to fill the gas in to the LARGE tanks. Park the vans next to each other so that the rear van is the one pumping and the front one is blocking the view and use a pump to fill your tank.
  
  The guys who got caught were greedy beyond all belief since they decided they wanted to steal 1,000(maybe 2,000 since they had 2 trucks involved) gallons at a time, which as you can imagine would set off the alarms that warn the station they might have gas leaking into the soil since it was losing so much so fast without moving through the gas pumps. They deserved it though because the only reason I can see to steal 1,000 gallons at a time would be to sell it because even if I filled my 3/4 ton van's 22+ gallon tanks every week, I would barely be done with 1,000 gallons in a year...and gasoline starts to go "bad" after 6 months or so.
  
  FWIW, I only dream up scams so I can use the ideas to teach people about social engineering AKA people hacking.
  [ link to this | view in chronology ]
Kevin, 31 Oct 2007 @ 4:32am

Re: by z
I've transfered over 40k between accounts via official bank wire and its instant.
[ link to this | view in chronology ]
Haywood, 31 Oct 2007 @ 5:06am

I agree with that
I got a $20K and my bank planned to sit on it for a week. they released 30% in 5 days and it took a phone call to the main office bookkeeping to get the remainder in less than 7 days. I could have however, written checks on it at my risk.
[ link to this | view in chronology ]
Killer_Tofu (profile), 31 Oct 2007 @ 6:20am

Its Like
Those phone calls from the police department or fire department saying that they are asking for money. When you mention that the police & fire groups even mentioned on TV that they will NEVER call people house to house like that, they person just becomes uncooperative and suddenly has to go.

If somebody sent me something mentioning account change, you can be sure as the sun that I will be calling the company back later to verify stuff, and not at the phone number the person who just called was either.
And if it came by email, lol, they can forget it.
[ link to this | view in chronology ]
Overcast, 31 Oct 2007 @ 6:43am

It so amazes me how much people believe in their email. Email isn't really too far from a wall you spray graffiti on.

Particularly before writing a check for 10 million bucks....

I too get statements from my bank in email, I also get bill notices in email - but if my bank sends an email wanting me to change the account number my payroll deposits go into, I think I'll call them about that. Or if I get an email wanting my password - well, too bad. If I were to get a 'notice' from my water company that they changed accounts and to send a 500 bill payment to them using that account, again, I think I'll call first.

And allowing the admission of email into court is silly. So many people seem to have this notion of how 'secure' email is... Which is funny indeed!!

I spent a few years as an Exchange admin, and seen a lot of funny stuff. All to often the server would somehow end up with emails intended for other domains, and would kick them in the Non-Delivery mailbox.. I guess a DNS glitch or something else would cause that. And anyone with a hint of SMTP knowledge and an open relay can spam away, making it look like it came from whomever they choose. Of course, if one takes the time to investigate the email header, they can tell it's a fraud, but how many do? So yes, depending on the configuration of email servers at each end, someone could send you an email addressed like: TechnicalServices@Yourbank.com - or whatever they choose. Of course a reply might bounce, but often that's not the intention.
[ link to this | view in chronology ]
yo-yo, 31 Oct 2007 @ 6:57am

Transferring Money
I work at a bank as a manager in commercial lending, but I have to take compliance training each month. Each year, I have to repeat it. I know that if your transactions are less than $10,000 the bank will not even blink. Let me take that back, if you have frequent transactions just below $10,000 - then the bank will file a SAR (Suspicious Activity Report) with the Feds. Then you are screwed. Also, just the other day, we had someone wire in $55,000 into an account they opened online and try to wire out $50,000 the next day. Did my people release it? Of course not. They checked with the other banks involved and found out that it was fraud. The crooks never got their money...

So, one transaction under $10,000 is fine, but if it looks like you are structuring, you are busted. And, if it is over $10,000 - it has to pass the "smell test" before they release it. Usually that means that they have to be familiar with you. Anything online is going to "smell fishy" to most banks. Bankers are scared to death of losing money. Everyone knows that.
[ link to this | view in chronology ]
Anonymous Coward, 31 Oct 2007 @ 7:05am

hmm...
so your telling me, that if i configure outlook express to fake my email address. to say. one of walmart's suppliers, and then send walmart an email telling them their suppliers bank account, or mailing address changed. ... then i could become rich over night....

wow. it sounds like that somebody at supervalu must be a college graduate. because their lacking commonsense and are using common stupidity to operate.

Elbert Hubbard once said: "Genius may have its limitations, but stupidity is not thus handicapped."
[ link to this | view in chronology ]
datadefender, 11 Nov 2007 @ 12:41am

the only effective mitigation is electronically signed email. virtually all email programs have the software built in already - all you need is a didgital certificate that attests your identify. You get them at www.verisign.com, www.trustcenter.de and many other certificate authorities.
[ link to this | view in chronology ]