
> Chan said the worker had grown suspicious after he received a message that was purportedly from the company’s UK-based chief financial officer.

It wasn't just a fake call, and he had a paper trail of the order...at this point it's pretty hard to prevent this from happening, short of having every order double checked by some other independent entity.



It's trivial to avoid. Do not accept instructions outside of the standard instruction channels. The only reason this scheme works is because of bad processes, bad training or a culture of fear (where employees feel compelled to comply with any demand regardless of process for fear of losing their job).

If an employee routinely receives email or zoom instructions to transfer $25m without any sort of sign off then the company is completely at fault for terrible process.


> Do not accept instructions outside of the defined company processes

Most non-enterprise companies have fairly loose wire protocols. That said, outgoing phone calls to two separate signers is a good, simple best practice.
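The "outgoing calls to two separate signers" control described above, written out as a small dual-control check. This is an added example, not code from any commenter or from the organisation in the article; the signer directory, phone numbers and the approval threshold are constructed values. The point it demonstrates is that a callback only counts when the payments team dials a number from its own directory, never a number supplied in the request, and that the two confirmations must come from two different people.

```python
from dataclasses import dataclass, field

# Constructed directory of authorised signers and their pre-registered
# callback numbers. Assumed values for illustration only.
SIGNER_DIRECTORY = {
    "cfo": "+44-20-0000-0001",
    "controller": "+44-20-0000-0002",
}

# Assumed policy: amounts at or above this need two independent callbacks.
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass
class WireRequest:
    amount: int
    beneficiary: str
    request_channel: str  # where the instruction arrived: "email", "video-call", ...
    # (signer_id, number_dialed, confirmed) for each outgoing verification call
    callbacks: list = field(default_factory=list)


def record_callback(req: WireRequest, signer_id: str, number_dialed: str, confirmed: bool) -> None:
    """Log an outgoing verification call made by the payments team."""
    req.callbacks.append((signer_id, number_dialed, confirmed))


def valid_signers(req: WireRequest) -> set:
    """Return the set of distinct signers who confirmed via a directory number."""
    confirmed = set()
    for signer_id, number_dialed, ok in req.callbacks:
        expected = SIGNER_DIRECTORY.get(signer_id)
        if expected is None:
            continue  # unknown signer: not an authorised approver
        if number_dialed != expected:
            continue  # a number taken from the request itself proves nothing
        if not ok:
            continue  # signer reached but did not confirm
        confirmed.add(signer_id)
    return confirmed


def approve(req: WireRequest) -> tuple:
    """Decide whether a wire may be released; returns (released, reason)."""
    needed = 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1
    signers = valid_signers(req)
    if len(signers) < needed:
        return (False, f"{len(signers)} valid callback(s), {needed} required "
                       f"for {req.amount} requested via {req.request_channel}")
    return (True, f"released after callbacks to {sorted(signers)}")


if __name__ == "__main__":
    # Constructed scenario: instruction arrives on a video call with a callback
    # number embedded in the invite; the team dials the directory numbers instead.
    req = WireRequest(25_000, "ACME Holdings", "video-call")
    record_callback(req, "cfo", "+44-20-0000-0001", True)
    record_callback(req, "controller", "+44-20-0000-0002", True)
    print(approve(req))
```

A request where the only "confirmation" is a call to the number quoted in the email, or where both callbacks reach the same signer, fails the check regardless of how convincing the original instruction was.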


The standard instruction channels are so reliably shit, nobody bats an eye if they get an email saying "Teams is on the fritz again, please join us on Zoom instead"


Corporate email clients usually have a way of marking non-internal emails; surprised this wasn't used.


Don't know the details here, but email is still very much broken, and a number of large companies, including in the financial sector, are spoofable even after checking the usual boxes.[0]

[0]: https://news.ycombinator.com/item?id=37438478
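The "spoofable even after checking the usual boxes" point above, as an added example that is not part of any comment in the thread: a DMARC record parser plus a simplified alignment check, run over constructed records for made-up domains. It shows why a sender domain can look fully set up (SPF, DKIM, a DMARC record) and still be spoofable: a record published with `p=none`, or with `pct` below 100, asks receivers to report failures rather than reject them. The organisational-domain logic is a deliberate simplification (real DMARC uses the Public Suffix List); the records and domains are constructed.

```python
from typing import Optional, Tuple

# Constructed DMARC TXT records, as a lookup of _dmarc.<domain> would return.
# None models a domain with no record at all. All values are made up.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example; adkim=s; aspf=s",
    "monitoring-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "no-record.example": None,
}


def parse_dmarc(record: Optional[str]) -> Optional[dict]:
    """Split a DMARC TXT record into a tag dict; None if absent or not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess(record: Optional[str]) -> Tuple[str, str]:
    """Rate how much a spoofed From: header would be blocked by receivers."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("high", "no valid DMARC record; receivers will not act on spoofed From:")
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return ("high", "p=none only generates reports; spoofed mail is still delivered")
    if pct < 100:
        return ("medium", f"p={policy} applies to only {pct}% of failing mail")
    if policy == "quarantine":
        return ("medium", "p=quarantine: spoofed mail lands in spam rather than being rejected")
    return ("low", "p=reject on 100% of failing mail")


def _org_domain(domain: str) -> str:
    # Simplification: last two labels stand in for the organisational domain.
    # Real DMARC consults the Public Suffix List (e.g. for "co.uk" suffixes).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict (s) alignment needs an exact match; relaxed (r) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return _org_domain(from_domain) == _org_domain(auth_domain)


def dmarc_pass(tags: dict, from_domain: str, spf=None, dkim=None) -> bool:
    """spf / dkim are (result, authenticated_domain) pairs from Authentication-Results."""
    aspf = tags.get("aspf", "r").lower()
    adkim = tags.get("adkim", "r").lower()
    if spf and spf[0] == "pass" and aligned(from_domain, spf[1], aspf):
        return True
    if dkim and dkim[0] == "pass" and aligned(from_domain, dkim[1], adkim):
        return True
    return False


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess(record))
```

The combination that bites in practice is a message whose SPF passes for the attacker's own sending domain (so "SPF: pass" appears in the headers) while the From: header shows the victim's domain: `dmarc_pass` is false, but with `p=none` the receiver delivers it anyway, which is what the assessment reports as high risk.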


Perhaps I'm reading too much between the lines, but this part makes it look like he got suspicious and checked for clues. It would have been pretty bad if the email was actually marked as internal.

Same deal for the call as well. I'd expect the video client to warn that some members of the call are external to the organization (Google Meet does that). Or the CFO is expected to be outside (from another org) from the get go.

> Initially, the worker suspected it was a phishing email, as it talked of the need for a secret transaction to be carried out.


You can't rely on email.

That's how I almost lost £100k. I got an email from my lawyer instructing me to pay an amount that I was expecting to have to pay, but to the wrong account. The email "from:" was definitely my lawyer's email address. It satisfied Gmail's spoofing checks. But it was not my lawyer who sent it.



