How to steal $100 million with a fake email

This article is reproduced from and it shows that even some of the very large organisations with all their processes in place to deal with scams can still get it wrong when it comes to cybercrime.

Don’t drop your guard, don’t open emails from people or organisations you don’t know, if the offer sounds too good to be true it probably is, never let your guard down.

One cybercriminal group found it easy to swindle a major corporation.

A lawsuit filed on 14 April by US Attorney for the Southern District of New York Preet Bharra gives an insider's view on how frighteningly easy it is for a company to be duped out of a huge sum of money. In this case almost US$100 million (AU$128 million).

The civil forfeiture lawsuit was filed in federal court in New York City and is being brought on behalf of an unidentified American company that was suckered out of $98.9 million over a four-week period late last northern summer.

Luckily, the majority of the money has already been recovered and this suit is specifically going after the remaining US$25 million that is being held in at least 20 overseas banks, according to court documents.

“This is more than twice as large as any reported loss that we have seen,” Ryan Kalember, senior vice president of Cybersecurity Strategy, told in an email Friday US time.

What this case perfectly illustrates is the step-by-step process a criminal can take implementing such a scam and all of the warnings that were ignored by the victim.

The scam

Considering the massive pile of money involved, the scheme itself was extremely simple and used by cybercriminals every day, albeit to normally steal smaller amounts of plain old data. It was a classic spearphishing attack.

According to Bharra's suit, the scam was initiated around 10 August 2015, when the victimised company received an email purportedly from an Asian-based vendor with which it has frequently done business in the past.

The email in question contained the name D Talan, AR and was not picked up not by the victim company itself. Instead it came to an email address set up and monitored by an outside firm hired by the victim to deal with its vendors and other payees.

The initial email from Talan simply asked for some background information regarding its billing history with the victim. This information was supplied on 11 August and then that same day a follow up email was received by the vendor's partner from Talan informing the company that the “vendor's” banking information would be changing and they wished to know who to contact at the victim company to make the change so any payments would go to the correct account. On 17 August Talan gave the victim's payment partner the new account information and it was placed into the victim's system.

Starting around 21 August the payment partner began sending a series of 16 payments to the new, fraudulent account, as part of its usual business. All appeared to be going well when on 14 September both the victim and its payment company received word from the real vendor that it had not received any payments starting 22 August, or the day after Talan's account information was input into the system.

Warning signs

A quick investigation ensued and when Talan's email was studied it was quickly discovered to have several irregularities, including a domain instead of the vendor's corporate domain name. In addition, it indicated that the domain was hosted in Moldova, far from the vendor's true location in Asia.

The final indicator that something was amiss was that the funds were deposited into a Eurobank facility in Cyprus, and not at a bank in the vendor's home nation.

If any of these indicators had been flagged from the start the entire scam would have been stopped in its tracks.

“Employees should be suspicious if they receive a request for unusual information or a wire transfer via email, even if it appears to come from a high-level executive. Check the reply-to email address and always call to confirm. If a vendor changes their wiring instructions over email, call them to confirm. If the CEO requests a significant transfer that is unusual, call him or her to confirm it. If the email header has a warning from your email security system, such as a subject like [BULK] or [SUSPICIOUS], then contact the vendor directly on the phone, do not enter the invoice for payment,” Kalember said.


A US magistrate working with Eurobank quickly froze the Cypriot account stopping about US$74 million of the stolen money from moving out.

This was an extremely lucky and somewhat rare occurrence as most wire transfers one completed are tough to reverse.

“Recovering money can be difficult if sent by wire. As the transaction may be irreversible within a short time window. There have been many variations of these scams in the past and they have been going on for some time. Luckily, international law enforcement has been taking note of these scams to better monitor, mitigate the financial losses and arrest the criminals responsible,” Terrence Gareau, chief scientist of Nexusguard, told in an email.

The victim was not so lucky with its remaining funds because the bad guys had almost immediately moved them from Eurobank and spread them around to 19 other banks to help duck authorities.

The court document did indicate that US authorities know where those accounts are located with one being in Estonia.

This article originally appeared at

Date posted:
28 April 2016
Authored by :