14 DAY TRIAL // An email scam targeting commodities trader Scoular Co. found its victim in an employee in an executive position who transferred $17.2 / €14.992 million of the company money to a bank in China believing the orders came from his CEO.
In June 2014, over the course of three days, Scoular Co. controller Keith McMurtry received three emails instructing him to wire transfer significant funds to Shanghai Pudong Development Bank.
All emails seemed legitimate
The messages appeared to have been sent by Chuck Elsea, the company CEO, although the address used was not the company one.
The cybercriminals set up the trap by informing McMurtry that the money was for the acquisition of a Chinese company and that everything should be done without the knowledge of other parties, so that the U.S. Securities and Exchange Commission (SEC) would not be infringed.
The first wire transfer was for $780,000 / €681,000, followed by a second one of $7 / 6.1 million, and a third of $9.4 / €8.2 million, according to an FBI statement obtained by the Omaha news outlet.
The cybercriminals were skilled enough to lay the perfect trap for McMurtry, as in one of the emails purporting to be from the CEO they told him to contact the employee of a real accounting firm, who would let him know the destination of the money.
Along with the delivery instructions, the email, which looked legitimate, also included a phone number for contacting the accounting firms’ employee. Sure enough, the info was verified and a call to the specified number was answered by an individual identifying himself by the name received in the email purporting to come from the company's chief executive.
FBI is trying to recover the money
It looks like the criminal operation also benefited from some luck, as Scoular had discussed expanding to China some time before, so the money transfer instructions did not raise any suspicion to McMurtry.
At the moment, efforts are made to retrieve the stolen funds through “the central authority of any foreign state for service in accordance with any treaty or other international agreement.” The recipient of the funds is a firm called Dadi Co. Ltd.
Despite the huge loss, Scoular says that the scam did not impact the business. The company has over $6 / €5.241 billion in annual revenue and operates in North and South America from over 90 locations. In 2014, it was ranked by Forbes as the 55th largest privately held company in the US.
Email scams targeting businesses are not uncommon. As per information from the Internet Crime Complaint Center (IC3), 1,198 entities fell victim to this sort of swindles last year, incurring total losses of $180 / €160 million.