A scammer managed to spear phish media giant Conde Nast and walk off with $8 million after he posed as a legitimate business. With the specter of spear phishing looming in the post-Epsilon-and-Silverpop world, the Conde Nast incident is a timely reminder of how easy it is to fall for a scam.
The steps were fairly straightforward. This scammer created a bank account with a name similar to that of another business that Conde Nast worked with frequently. With account details in hand, the scammer sent an email to the publishing company and requested that all future payments be credited to that bank account. Conde Nast signed the “Electronic Payment Authorization” form and faxed it back, essentially giving its bank, JPMorgan Chase, permission to electronically transfer money into that fraudulent account, no questions asked.
Luckily for the company, the U.S. Secret Service intervened and froze the money in the account before the swindler could withdraw the money or transfer it elsewhere.
Just one email, and Conde Nast was out a little more than $8 million in less than six weeks last year, according to court papers relating to the forfeiture lawsuit filed March 30 by the United States Attorney’s Office. Forbes summarized the details of the lawsuit, which tries to retrieve the money for Conde Nast, on April 3.
Phishing now makes up 23 percent of all attacks in the realm of social media, Paul Henry, forensics and security analyst at Lumension, told eWEEK. A recent IBM X-Force Trend and Risk Report found that while phishing attacks have declined since 2009, there was an increase in spear phishing in 2010. Spear phishing has become a significant attack vector, according to IBM X-Force.
As for the scammer, Andy Surface, there wasn’t a lot of effort involved for the big payoff. He opened a bank account at the Alvin, Texas-branch of BBVA Compass Bank for a business called Quad Graph. Surface, who hasn’t been charged with a crime, allegedly presented paperwork showing the business was registered in a different county when opening the account. He then allegedly sent an email to Conde Nast accounts payable in early November with an “Electronic Payment Authorization” form. The form requested that Conde Nast direct payments for Quad Graphics, a printer who publishes Conde Nast magazines, to the Quad Graph account.
Someone in accounts payable filled out the form and faxed it back to the number provided in the form. From Nov. 17 to Dec. 30, Quad Graph received regular payments intended for Quad/Graphics.
The scam could have continued indefinitely, except on Dec. 30, Quad/Graphics contacted Conde Nast to find out why the publishing giant had not paid its printing bills. By this time, Conde Nast had paid $7,870,530.02 into one account belonging to Quad Graph, and $47,137.91 into another account belonging to Andy Surface. The court papers linked both accounts.
Conde Nast alerted the authorities and managed to reverse one transfer of about $36,000. On Jan. 10, federal law enforcement agencies got a court warrant and froze the accounts, pending the results of the forfeiture law suit.
While all’s well that ends well, the lawsuit begs the question: how can a major company not notice funds going to an unknown account and not catch the problem until the provider complained?
A Cond??« Nast representative said the company could not comment on a pending investigation.
“What’s most frightening is the fact that this isn’t just an unknowing private citizen being duped by a phony Facebook friend. This is a multibillion dollar corporation that clearly did not do its homework,” Henry said.
