Phishing Scammers Convince Grocery Store To Give Them $10 Million
from the the-big-phish dept
By now, most people are familiar with how phishing scams work, usually preying on individuals and tricking them into handing over data that allows the scammers access to bank accounts or other useful info. However, scammers have been aiming a bit higher lately. One tactic is commonly referred to as "spear phishing," where scammers focus on business targets, and attempt to convince them that they're actually coming from partners or suppliers. Apparently one such spear phishing attempt nearly worked to the tune of $10 million. The scammers sent two emails to someone at the headquarters of the supermarket chain Supervalu, purporting to be from Supervalu suppliers American Greetings and Frito-Lay. Both emails claimed that their bank account info had changed and Supervalu now needed to deposit payments into different accounts. Someone at Supervalu followed the instructions, leading approximately $10 million to be deposited into the two accounts over a period of about 4 days. At this point, someone from Supervalu figured out there was a problem and alerted the authorities, who were then able to recover most of the money before the scammers withdrew it. However, it appears that no one has yet figured out who opened the accounts, though Supervalu has filed a lawsuit in order to try to get that information.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in chronology ]
WHO??????????????????????????????
This could be a valuable lesson for everyone.
Hopefully that person received some recognition and there were no obstacles or politics preventing their responses to their suspicions.
One also has to wonder if this was an inside job. Someone would have to have some intimate knowledge of the company to even attempt this with any credibility.
[ link to this | view in chronology ]
yea so
I'm serious.
[ link to this | view in chronology ]
The scammers on the other hand..That money should have been transferred twice in the first 24 hours it hit the account.
First to a neutral uninteresting country, next to an openly uncooperative country.
At that point it should have been turned into hard money even if it was only .50 on the dollar.
Lazy stupid scammers
[ link to this | view in chronology ]
Re:
sometimes it takes days to cash a certefied check if it exceeds like $10,000. Let's say you owned your house and sold it. The lender will give you a check. You want to cash it, you better be prepared to wait for a week.
These transactions are not as fast (for an average Joe) as we'd like it to be.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Every piece of email I receive from my bank states clearly that I should be aware of fraudlent email and should not give ANY sensitive information through email alone.
Secondly, it is fantastically moronic to change where you send millions of dollars JUST because SOMEONE sent you an email. To say otherwise means YOU live in some fairy like, idyllic world, that or you're just as stupid as the person who let the 10 million go into another account because an email told him so.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Verify?
[ link to this | view in chronology ]
Re: Verify?
[ link to this | view in chronology ]
Stupid Criminals can't follow through
This is just an update of the old scam of mailing a business a fake invoice and see if they send a check.
I have always thought of pulling off the "greatest scam/con of all time" but then reality sets in and I remember all those prison movies.
It's hard to find a smart criminal these days.
[ link to this | view in chronology ]
Re: Stupid Criminals can't follow through
Yeah. I just read in the news that someone was caught doing a scam I conceptualized about 10 or more years ago. The reason they got caught? Greed. My idea was that one could drive all over the country pretty much for free by using 2 vans to steal gas from gas stations through the holes they use to fill the gas in to the LARGE tanks. Park the vans next to each other so that the rear van is the one pumping and the front one is blocking the view and use a pump to fill your tank.
The guys who got caught were greedy beyond all belief since they decided they wanted to steal 1,000(maybe 2,000 since they had 2 trucks involved) gallons at a time, which as you can imagine would set off the alarms that warn the station they might have gas leaking into the soil since it was losing so much so fast without moving through the gas pumps. They deserved it though because the only reason I can see to steal 1,000 gallons at a time would be to sell it because even if I filled my 3/4 ton van's 22+ gallon tanks every week, I would barely be done with 1,000 gallons in a year...and gasoline starts to go "bad" after 6 months or so.
FWIW, I only dream up scams so I can use the ideas to teach people about social engineering AKA people hacking.
[ link to this | view in chronology ]
Re: by z
[ link to this | view in chronology ]
I agree with that
[ link to this | view in chronology ]
Its Like
If somebody sent me something mentioning account change, you can be sure as the sun that I will be calling the company back later to verify stuff, and not at the phone number the person who just called was either.
And if it came by email, lol, they can forget it.
[ link to this | view in chronology ]
Particularly before writing a check for 10 million bucks....
I too get statements from my bank in email, I also get bill notices in email - but if my bank sends an email wanting me to change the account number my payroll deposits go into, I think I'll call them about that. Or if I get an email wanting my password - well, too bad. If I were to get a 'notice' from my water company that they changed accounts and to send a 500 bill payment to them using that account, again, I think I'll call first.
And allowing the admission of email into court is silly. So many people seem to have this notion of how 'secure' email is... Which is funny indeed!!
I spent a few years as an Exchange admin, and seen a lot of funny stuff. All to often the server would somehow end up with emails intended for other domains, and would kick them in the Non-Delivery mailbox.. I guess a DNS glitch or something else would cause that. And anyone with a hint of SMTP knowledge and an open relay can spam away, making it look like it came from whomever they choose. Of course, if one takes the time to investigate the email header, they can tell it's a fraud, but how many do? So yes, depending on the configuration of email servers at each end, someone could send you an email addressed like: TechnicalServices@Yourbank.com - or whatever they choose. Of course a reply might bounce, but often that's not the intention.
[ link to this | view in chronology ]
Transferring Money
So, one transaction under $10,000 is fine, but if it looks like you are structuring, you are busted. And, if it is over $10,000 - it has to pass the "smell test" before they release it. Usually that means that they have to be familiar with you. Anything online is going to "smell fishy" to most banks. Bankers are scared to death of losing money. Everyone knows that.
[ link to this | view in chronology ]
hmm...
wow. it sounds like that somebody at supervalu must be a college graduate. because their lacking commonsense and are using common stupidity to operate.
Elbert Hubbard once said: "Genius may have its limitations, but stupidity is not thus handicapped."
[ link to this | view in chronology ]
[ link to this | view in chronology ]