Corporate cybercrime on an international scale has hit one of Omaha’s biggest and oldest companies. CEO Chuck Elsea's email address was spoofed, and it cost the company millions because its controller fell for the scam.
The Scoular Co., an employee-owned commodities trader founded 120 years ago, was the victim of a spear-phishing attack that cost it $17.2 million in an international scam, according to federal court documents filed by the FBI last month in U.S. District Court in Omaha.
Scoular's controller, McMurtry, received the spoofed emails and wired the money in three installments last summer to a bank in China, as the emails ordered him to do.
The three wire transfers, the FBI says, happened in June 2014. They were prompted by emails purporting to be from Scoular CEO Elsea, but sent from an email address that wasn’t his normal company one.
The first email on June 26 instructed McMurtry to wire $780,000, which the FBI statement says he did. The next day, McMurtry was told to wire $7 million, which he also did. Three days later, another email was sent to McMurtry, instructing him to wire $9.4 million. McMurtry again complied.
How did the bad guys do it? The first two emails from the spoofed CEO contained the scam's setup, swearing the recipient to secrecy over a blockbuster international deal.
“I need you to take care of this,” read emails from the party pretending to be Elsea. “For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. ... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
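The pattern described above (a message carrying the CEO's name but sent from a non-company address, asking for a wire and for secrecy) is something a mail gateway can flag before a controller acts on it. The following is an added example, not part of the original article; the domain example.com, the executive roster, the keyword lists and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (hypothetical): corporate domain, executive roster, keyword lists.
CORP_DOMAINS = {"example.com"}
EXECUTIVES = {"chuck elsea"}
PAYMENT = re.compile(r"\bwire\b|\btransfer\b|\bbank\s+account\b", re.I)
SECRECY = re.compile(r"only\s+communicate\s+with\s+me|very\s+sensitive", re.I)

# Constructed sample messages (not the real emails from the case).
SPOOFED = (
    "From: Chuck Elsea <ceo.office@mail.example.net>\n"
    "To: controller@example.com\n"
    "Subject: Acquisition\n"
    "\n"
    "I need you to take care of this. This is very sensitive, so please only\n"
    "communicate with me through this email. Wire $780,000 today.\n"
)
LEGIT = (
    "From: Chuck Elsea <chuck.elsea@example.com>\n"
    "To: controller@example.com\n"
    "Subject: Vendor payment\n"
    "\n"
    "Please wire the usual vendor payment.\n"
)

def bec_indicators(raw):
    """Return the list of CEO-fraud indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Plain-text parts only; encoded (base64/quoted-printable) bodies are not decoded here.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    hits = []
    # Executive display name on an address outside the company's own domains.
    if " ".join(name.lower().split()) in EXECUTIVES and domain not in CORP_DOMAINS:
        hits.append("exec_name_external_sender")
    if PAYMENT.search(body):
        hits.append("payment_request")
    if SECRECY.search(body):
        hits.append("secrecy_pretext")
    return hits

def should_hold(raw):
    """Hold for out-of-band verification: executive name from outside plus a lure."""
    hits = bec_indicators(raw)
    return "exec_name_external_sender" in hits and len(hits) > 1

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw), "HOLD" if should_hold(raw) else "deliver")
```

A held message should trigger a call-back to the executive on a known phone number, since the scam's secrecy instruction is designed to keep the recipient inside the attacker's email channel.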
Well, that was a very expensive social engineering lesson learned. Don't let this happen to you. Get all employees stepped through effective security awareness training. Find out how affordable this is for your organization today.
Hat Tip to Russell Hubbard / World Herald