PINDROP BLOG

The $1.5 Million Phone Call

Law enforcement agencies, politicians, and security experts often cite cybercrime as perhaps the largest threat to consumers and businesses right now. Finding an accurate estimate of the annual losses from cybercrime is more difficult than finding an honest politician, but certainly it’s in the hundreds of millions of dollars. Indeed, the disruption of botnets or ransomware operations that are bringing in tens of millions of dollars a year are now commonplace, if not always completely effective.

What’s also becoming common, unfortunately, are massive losses from phone fraud scams. Typically you might think of fraudsters hitting up pensioners for a few hundred dollars or going after a small business for a few thousand. But as their techniques have become more sophisticated in recent years, the amount of money that top-level fraudsters are able to wring out of their victims has increased, too.

In one of the more stunning examples of this phenomenon, fraudsters recently were able to convince a business in Suffolk, England, to hand over more than $1.5 million with a single phone call. The case highlights the difficulty of defending against this kind of crime and how quickly the fraudsters can operate.

The attack began in mid-September with a phone call to an unnamed business in Suffolk, a county on England’s southeast coast. The caller identified himself as being from the business’s bank and said that some malware had infected the company’s online banking facility. It was vital that the company move its money out of its accounts immediately. For safety reasons, you see.

That £1million fraud is believed to be the biggest such theft ever in the U.K., but is by no means unique.

The caller then instructed the firm’s employee to download a remote-access tool, which the fraudster then was able to use to access the company’s bank accounts. He then transferred £1million out of the target company’s account. Quick as you like, the fraudsters had made off with the company’s money, using nothing more than a phone, some spoofing software, and some old fashioned ingenuity.

That £1million fraud is believed to be the biggest such theft ever in the U.K., but is by no means unique. Scams like this are just one piece of the larger cybercrime landscape. The money stolen in these operations flows into accounts at various financial institutions and the scammers’ challenge is then how to get it out and make it usable. There’s an entire underground economy set up to handle this task, some of which involves the use of legitimate banks and financial companies. But much of that money flows through shady payment processors, money mules, and other links in the chain that are used to make stolen money usable for the criminals.

The kind of scam that hit the U.K. business is one that has become an epidemic in some countries in recent years, including the U.K., Jamaica, and the United States. And, like cybercrime, the tools to commit this kind of fraud are readily available and dead simple to use. Spoofing software that allows callers to make any number they wish show up on a target’s caller ID is available with a simple Google search. A few more searches can give fraudsters the other information they need for this kind of attack, including names of employees at the target firm, the name of the company’s bank, and whatever other supporting data they might require.

Police in Suffolk County arrested a suspect in the case, but he has been released on bail.

Photo from Flickr stream of Brook Ward.