Cloud, computers, datacentres, Gmail: it’s all secure, isn’t it? Follow this story to have your eyes opened. The names and other details have been changed so as not to identify the victim; the amount is accurate.
It started with a phone call at 11:54 to our Colchester office, answered by Rose Burcham (real name). It came from Power Watch, a client of ours for two years. The message was passed to Glyn Cheeseman (real too), who was on the phone at the time but was allocated the call as he was already that client’s specialist.
“REGARDING A SECURITY ISSUE SHE NEEDS TO SPEAK TO YOU URGENTLY ABOUT”
Glyn returned the call in seven minutes and, after a quick discussion, appeared at their site 27 minutes later. The laptop was found to be clear of all viruses and spyware.
The issue was that they had sent their bank an instruction with a covering letter to transfer some money abroad.
Three hours later the bank received a request to transfer £15,000 to another bank and payee. The first was a real request, the second a fake.
The bank thought it was unusual, so they called the client. She verified that it was fake and called us in, hence the original phone call.
The bank wouldn’t send us the email because of confidentiality, but we explained how to send the “header” file. This is like an envelope with a stamp and postmark.
When we had this we could trace that the email was sent genuinely from Google mail. The originator, pretending to be the client, used a data center in Stockholm (it’s here on the map). We traced it bouncing around inside Stockholm and then the trail went cold.
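As an added illustration (not code from the original post), the sketch below shows the kind of header tracing described above: it reads the Received chain oldest-first, normalises the timestamps to UTC and pulls the SPF/DKIM verdicts from Authentication-Results. The sample headers, host names and addresses are constructed for the example.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hypothetical hosts, documentation-range IP addresses.
SAMPLE = """\
Received: from mx.bank.example (mx.bank.example [192.0.2.10])
\tby mail.bank.example with ESMTP id abc123;
\tTue, 04 Mar 2014 15:02:11 +0000
Received: from mail-out.provider.example (mail-out.provider.example [198.51.100.7])
\tby mx.bank.example with ESMTPS id def456;
\tTue, 04 Mar 2014 15:02:09 +0000
Received: by mail-out.provider.example with HTTP id ghi789;
\tTue, 04 Mar 2014 16:02:05 +0100
Authentication-Results: mx.bank.example;
\tspf=pass smtp.mailfrom=client@provider.example;
\tdkim=pass header.d=provider.example
From: Client <client@provider.example>
To: payments@bank.example
Subject: Transfer request

body
"""

def trace_hops(raw):
    """Return hops oldest-first as (from_host, ip, by_host, utc_time)."""
    hops = []
    # Each server prepends its own Received line, so the last one is the origin.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # undo header folding
        stamp = flat.rsplit(";", 1)[-1].strip()   # timestamp follows the last ';'
        frm = re.search(r"\bfrom (\S+)", flat)
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", flat)
        by = re.search(r"\bby (\S+)", flat)
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        hops.append((frm and frm.group(1), ip and ip.group(1),
                     by and by.group(1), when))
    return hops

def auth_results(raw):
    """Return the receiving server's spf/dkim/dmarc verdicts as a dict."""
    header = message_from_string(raw).get("Authentication-Results") or ""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(header.split())))

if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(hop)
    print(auth_results(SAMPLE))
```

Only the hops stamped by the recipient's own servers are trustworthy; earlier Received lines are written on the sender's side and can be forged. A first hop with no "from" host and passing SPF/DKIM points to a message submitted inside the real mail provider, which fits an account takeover rather than a spoofed address.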
What had happened was that either the client’s email or Google was hacked. The attackers intercepted the original money transfer request, copied and altered it, and sent it on three hours later. They even had the gall to send a chaser when it wasn’t paid. It was to transfer money into the same bank as the client’s.
The bank just closed the transaction and chased after the bank account. The client was told to phone and report the fraud; whoever took the report just took some information and gave it a case number.
The scary part is that no-one wanted to see the email. This is because there isn’t anything they can do to catch the perpetrators. We chased it back to either Google or the client’s email being hacked. Their password was a mixture of a name and numbers, but it wasn’t strong enough. If it hadn’t been for an ordinary bank staff member at the local bank, the client would have lost £14,000 and wouldn’t have got it back for a long time, if ever. That could be you too.
If you want to know about strong passwords then you’ll have to wait for the next post.