55th Largest Private Company In America Sent Millions To China Because An Email Told Them To

from the you've-got-mail dept

You've all heard of this kind of scam before. Some nefarious person or group gets a hold of someone's email or computer screen, pretends to be someone in some official capacity, and demands a whatever sum of money they can get away with. Some of the time these scammers pretend to be the IRS, or a utility company, or even law enforcement. What these scams tend to mostly have in common is that they go after private citizens en masse, in the hope to entice whatever percentage of the more gullible amongst us to pay up. What you don't expect to hear about is one of the largest corporations in the United States essentially falling for the same thing.

The Scoular Co., an employee-owned commodities trader founded 120 years ago, has been taken for $17.2 million in an international email swindle, according to federal court documents. An executive with the 800-employee company wired the money in installments last summer to a bank in China after receiving emails ordering him to do so, says an FBI statement filed last month in U.S. District Court in Omaha.
Sort of takes your breath away, doesn't it. One would like to think that it takes more for any company to move millions of dollars around internationally than a simple email string. Whatever else, this seems to indicate a complete failure of process, with the lack of checks against fraud and mistakes occurring on stunning levels. In attempts to explain how this happened, Scoular CEO Chuck Elsea wove a tail of compromised identities (including his) and coincidences that caused all of this to happen. The tale, however, leaves the reader certain that there was still some serious stupid going on here.
The gambit involved emails sent to a Scoular executive that purported to be from Elsea and the company’s outside auditing firm. The emails directed the wire transfer of millions of dollars to a Chinese bank. But court documents say the emails were really from impostors using email addresses set up in Germany, France and Israel and computer servers in Moscow. The three wire transfers, the FBI says, happened in June 2014. They were prompted by emails sent to Scoular’s corporate controller, identified in the FBI statement as McMurtry. The emails purported to be from Scoular CEO Elsea, but were sent from an email address that wasn’t his normal company one.
Which is precisely where this scam should have died on its scammy vine, wilting under the dry heat of "haha, the boss got his personal email hacked." The idea that millions of dollars can be ordered transferred from an email address not associated with the company is ludicrous. Die, however, the scam did not.
The first email on June 26 instructed McMurtry to wire $780,000, which the FBI statement says he did. The next day, McMurtry was told to wire $7 million, which he also did. Three days later, another email was sent to McMurtry, instructing him to wire $9.4 million. McMurtry again complied. The first two emails from the faux CEO contain the swindle’s setup, swearing the recipient to secrecy over a blockbuster international deal.
McMurtry has reportedly been cooperating with the FBI and providing them with the reasons he so easily complied with the rogue emails' requests. Those excuses include some of the scam emails looking like they came from the company's outside accounting firm and that Scoular had indeed been in discussions for an expansion into China. Those excuses, though, don't alter the fact that a simple phone call to the parties involved, to Elsea's office (or, hell, at the watercooler or whatever), or to the general office number for the accounting firm would have exposed the scam entirely and saved the company 17 mil-do in the process. How does something like that happen?

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: china, chuck elsea, email scam, gullible, scam
Companies: scoular


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 6 Feb 2015 @ 11:47am

    Who runs their OPSEC training, Ross Ulbricht?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 11:50am

    And therein lies the real problem...

    You can't fix stupid... there's no amount of technical security counter-measures you can put in placeto prevent people from being socially engineered.

    link to this | view in chronology ]

    • icon
      sigalrm (profile), 6 Feb 2015 @ 12:28pm

      Re: And therein lies the real problem...

      No, you can't fix social engineering entirely but I'll tell you what - Give me a $17.2 million dollar (which, btw, is about 0.28% of their reported assets, if I'm not mistaken) budget to spend on OPsec training across their 800 employees and I'm pretty sure I could put together a training program that would have a measurable impact on their organizations exposure to it.

      $17.2 million for a company that size just barely makes it over the rounding error threshold...

      link to this | view in chronology ]

      • identicon
        Baron von Robber, 6 Feb 2015 @ 12:58pm

        Re: Re: And therein lies the real problem...

        I'm sure for that money, they could hire somebody to put in place a program that emails confirmation to the person making the request for money transfers before they are released.

        DUH!

        link to this | view in chronology ]

        • identicon
          Gopher, 6 Feb 2015 @ 1:15pm

          Re: Re: Re: And therein lies the real problem...

          So, how do you deal with the fact that with a company like this, 10% of the employees may be moles? That email confirmation likely goes to the secretary of the person who 'ordered' the money, and then news of the 'deal' will be exposed. That's the (plausible) reason an email like this comes from a non company account in the first place. CSN were right all those years ago when they sang "Paranoia strikes deep"

          link to this | view in chronology ]

          • identicon
            Baron von Robber, 6 Feb 2015 @ 1:33pm

            Re: Re: Re: Re: And therein lies the real problem...

            For such high profile email, send to a mailbox that only the CEO has access to (or should, no secretary involved). If the CEO doesn't like it, he/she deserves to be taken for the fool they are.

            link to this | view in chronology ]

            • icon
              tqk (profile), 6 Feb 2015 @ 2:57pm

              Re: Re: Re: Re: Re: And therein lies the real problem...

              For such high profile email, send to a mailbox that only the CEO has access to ...

              Then you're left with the problem of how to get such self-entitled dinosaurs to accept they need to check their email from time to time. Peons don't even want to do email nowadays, thinking Facebook is bleeding edge tech. Masters of the corporate universe resent being told they have obligations even peons don't want to put up with.

              link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Feb 2015 @ 3:38am

        Re: Re: And therein lies the real problem...

        I'm sure you could have a measureable impact on social engineering losses with a $17.2m budget. I, on the other hand, have a foolproof way to completely eliminate them. Just wire me $17.1 million dollars and I'll explain how my system works.

        link to this | view in chronology ]

    • icon
      sigalrm (profile), 6 Feb 2015 @ 1:13pm

      Re: And therein lies the real problem...

      You can't fix stupid.

      False. Stupidity can be fixed. However, doing so is illegal in most jurisdictions.

      link to this | view in chronology ]

      • identicon
        Pragmatic, 9 Feb 2015 @ 6:27am

        Re: Re: And therein lies the real problem...

        An involves the vigorous application of a two by four.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 11:54am

    The worst part of all of this is that people like McMurtry are directly responsible for the existence of spam in the first place. It just takes one fucking moron to fall for the most transparent of ruses and the next thing you know we all have inboxes stuffed to the limit.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Feb 2015 @ 12:43pm

      Re:

      > people like McMurtry are directly responsible for the existence of spam

      I believe you've confused the victim with the perpetrator. I don't believe McMurtry actually forwarded the spam to anyone.

      ... including his boss.

      link to this | view in chronology ]

      • identicon
        Adam, 6 Feb 2015 @ 1:08pm

        Re: Re:

        Actually, the "victim" in this case is the reason spam still exists. If it didn't work, it wouldn't still be used.

        link to this | view in chronology ]

      • identicon
        Anonymous Coward, 6 Feb 2015 @ 1:09pm

        Re: Re:

        "I believe you've confused the victim with the perpetrator. I don't believe McMurtry actually forwarded the spam to anyone."

        No, GP was on target. Spam exists because the sender knows that if he/she sends enough spam mails, one of them will reach someone gullible enough to do something that makes money for the spammer. The cost of sending spam is very low, so even a few suckers per ten thousand mail can make the enterprise profitable. By being that gullible recipient, McMurtry reinforced the idea that a spammer can sometimes get a gullible recipient. Spam will end when it is unprofitable. Raising the price of sending spam is a non-starter, so it will only become unprofitable by reducing the number of capable gullible recipients. (A gullible recipient who has no money to give is unprofitable.)

        link to this | view in chronology ]

  • identicon
    Crazy Canuck, 6 Feb 2015 @ 12:08pm

    Anyone happen to have McMurtry's personal email address?

    I am a Nigerian prince who happens to have a couple bridges for sale which also have the added bonus of increasing your manhood and stamina. =P

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 12:09pm

    Who gave someone that clueless access to that much money?

    link to this | view in chronology ]

    • icon
      tqk (profile), 6 Feb 2015 @ 3:02pm

      Re:

      Who gave someone that clueless access to that much money?

      Wall St. and stockholders, usually hands-off institutional investors who don't care about anything but stock price and dividends.

      link to this | view in chronology ]

  • icon
    John Fenderson (profile), 6 Feb 2015 @ 12:25pm

    Just goes to show

    Idiots exist everywhere. Why is it even possible for a single person to wire that amount of money anywhere at all? You'd think that it would require the approval of at least two people. Also, although it only takes a moment of idiocy to fall for a transparent scam like that, it takes someone truly skilled the art to not have the very first action be to call the CEO to confirm.

    link to this | view in chronology ]

    • icon
      sigalrm (profile), 6 Feb 2015 @ 12:41pm

      Re: Just goes to show

      With a company that big ($6.2bn in assets), multi-million dollar signing authorities aren't that uncommon, especially at the executive level.

      I'd be willing to bet that the largest dollar amount wired ($9.4 million) was calibrated to be just under the companies single-signature signing authority.

      Absolutely reeks of inside job, although frankly I doubt the controller was in on it. If he was smart enough to put the job together, he'd (presumably) be smart enough to transfer and hide the money in a way that didn't paint a target on his back.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 12:32pm

    How did this happen? Duh, the guy was promised a piece.

    link to this | view in chronology ]

  • identicon
    OnTheWaterfront, 6 Feb 2015 @ 12:32pm

    I believe the purpose of the controller is track the companies cash flow and mitigate risk. We see how well that worked out.

    link to this | view in chronology ]

  • identicon
    TypoTerrorist, 6 Feb 2015 @ 12:47pm

    Tale of a Tail

    Did you mean to use that first 'tail' as opposed to the second 'tale'?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 1:11pm

    Cultural Failure

    These things happen because corporate culture, especially executive culture, sneers at rules as "for the little people" and/or "somebody else's problem."

    Millions of dollars moved on instructions emailed from a CEO's personal account reeks of a long-standing attitude of "don't bother me, I'm important."

    The tragedy is that the guy who pushed the button will get punished, while the bosses fostered such a scam-friendly environment will skate away, certain they did nothing wrong.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 1:55pm

    Hello 55th largest private company in america, i know this looks like a random comment on a random site, and i know this next bit kinda doesnt make sense, but it is infact china's new email address

    I would kindly ask you to send a bajillion gazillion petrol dolars to china@paypay.com as soon as possible....no, dont think about it, trust me im a friend, just push that "send bajillion gazzilion" buton, dont think about, your boss would totally be fiiiiiine with it.

    Yours sincerly Not China
    Thankyou for your stupidity

    P.S
    Remember china@paypal.com

    link to this | view in chronology ]

  • identicon
    James K, 6 Feb 2015 @ 2:12pm

    LOL

    Money laundering?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 2:30pm

    Ahem...

    I work for a 5 person company and we've had a few "phishing" emails, including one supposedly from IRS. Every one of them got checked and 'bit bucketed'. The IRS stood out because it went to the wrong email to start with. I still recall one that when we looked at the message source the url went to porn.com. We had bets going to see if porn.com had been hacked or if they were behind the scam. (We never did find out the answer to that.)

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 3:03pm

    Are we so that completely sure this is an outside scam rather than a rather clever embezzlement scheme. As in: "Yeah... I can't believe I was so stupid as not to have caught that funky e-mail address. Sheesh! My bad!"

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Feb 2015 @ 7:53pm

    They probably offered him a bribe or payout for himself if he followed through.

    Send us millions and don't bother checking if we are legitimet and in return we will give your a few hundred grand

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 7 Feb 2015 @ 4:37pm

    Must of at least passed the Fed's minds that someone in the company was in cohoots with the scammers and was creating a nice retirement for him or herself. Just sayin'

    link to this | view in chronology ]

  • icon
    jsf (profile), 10 Feb 2015 @ 7:12am

    Not as easy to spot as you might think

    I bet they were using Microsoft Outlook and Exchange for their email. When you use this combo a senders email address is not displayed. Only the friendly person name is displayed by default, and this is easy to fake. Unless you have some technical expertise you wouldn't even know to look.

    Now personally I would double check before sending a single penny somewhere, but I know places where millions, if not tens of millions of dollars are authorized to be moved/paid with just a few emails every day.

    link to this | view in chronology ]

  • icon
    Sheogorath (profile), 11 Feb 2015 @ 8:33am

    In other news, the Scoular Company is lobbying for a bill to ban emailing so phishing becomes illegal.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.