This is why all staff, whether at a corporation, nonprofit or government that handle money should be put through a two hour anti-phishing training course. There's lots of good free training material out there.
There are also services which you can hire. You give them a list of staff emails, and they send test phishes to everyone. Those who respond or click on links (there's a GUID in each phish) can be sent for further remedial training.
As a person that's been seeing and analyzing spurious SMTP traffic since 1993, this stuff seems obvious, but there's a lot of blithely ignorant people out there in administrative roles.
While I think everyone should be aware of phishing, I don't think any amount of education can reliably prevent this sort of fraud. I see this fundamentally as a process problem, as I assume email was a common way of changing payment information. Email needs to be taken out of the loop.
> I don't think any amount of education can reliably prevent this sort of fraud.
The (possibly remedial) education isn't to prevent the fraud, it's to make your population more resistant to it.
At some point in the far future if it's part of basic education courses, then we may create herd inoculation effect where phishing fraud may become unprofitable enough to further depress likelihood (like highway banditry of days yore).
Email will never go away - it will always be some part of the payment process even if it's just remittance. It's too ubiquitous.
Note that in this particular case the email in question had a signed document attached. So the scam could have been done with regular mail. The problem here was the lack of verification, not the medium of communication.
The ease of forging emails is more of an issue where the spear phish email is trying to disguise itself as coming from inside the company.
OK, but what would you replace it with that was more reliable? If a company takes the time to, say, use GPG then email is probably the most reliable method available.
But the process is broken by people not realizing that invoices are fraudulent. The method of delivery, be that email or some other system, is completely orthogonal.
Running their invoices through SAP or having gpg signed pdf invoices or using more node.js would not help because all of those solutions fail to address the fact that people are dumb and need to be trained to avoid scams.
If a (insert centralized service here) friend tells me about a change of plans, and I know that messages with that contact were successful in the past, then plans indeed changed because it's spoof-proof so long as you didn't make friends with two accounts that end up sharing a name and so long as the sender didn't fall victim to phishing of creds.
If an email from a contact comes in, the from/sender headers can be spoofed without anyone having fallen victim yet, so maybe plans didn't really change.
Yes there are social aspects but there is also this plainly technical aspect.
Yes, the problem is people on the paying side not realizing that payment change requests are fraudulent. So a better process removes people on the paying side routinely changing payment information. Require that payees sign into a separate service and they change the payment information themselves.
Again I think that just slapping a new service in there doesn't address the fundamental problem which is that the university did not conduct sufficient verification of payment details before sending out 12 million dollars.
All it would have taken is a phone call to the company's accounting department confirming the change.
"Verification of changes to banking details as a service" is not the answer. It's a Band-Aid solution.
And my perspective is that as long as you have a process where administrative staff are making the changes, they will cut corners. For them, these transfers are routine. They do dozens every month. You need a process which removes them from the loop.
It only requires one black swan to counter the proposition that all swans are white. Bathing is my swan. Surely it's clear that a direct contradiction is not "innuendo." Nor pedantic - hardly, since everyone is familiar with bathing. (They didn't have to be familiar with the philosopher of science Hempel's writings - the origin of the black swan remark, here - to understand the contradiction.)
So much abuse yet here's what I was replying to: "Taking email out of the loop is a technical solution to a problem that is inherently social, not technical."
The clear implication being that you can't solve social problems with tech, but we do this all the time and have, forever, as my example shows. Q.E.D.
Inherently social problems are commonly solved by technical interventions, e.g. distressing human smells by bathing or perfuming.
Did that really need rererepeating? No, the point was clear in the first instance; you just disagreed and preferred vituperation to addressing my point. People who just gainsay here annoy me, but you've hit a new low.
It most certainly was not and still isn't. Drop your holier-than-thou attitude and you might actually make some friends on the internet.
Pretty much all you said was "bathing". It was not clear to what you were replying. It was not clear what your point was. It was not clear what you were implying.
Bathing is not a social problem that I'm aware of. We as a species have been bathing for more than 4000 years and have been doing it fundamentally the same way (wash body with water and potentially with soap or other solvent) for most of that time. There have been no major technological advances in bathing that I'm aware of since perhaps the invention of the shower. I would argue that is not a technical solution to a social problem.
In any case, this entire farcical tangent has nothing to do with the social dynamic of fraudsters exploiting weaknesses in the human psyche, and I think you know that.
I am convinced you are just trolling and will not respond again.
When you use Microsoft Safelinks URL rewriter you preclude cryptographic signing. The Safelinks crap is just crap, it obfuscates URLs and you can't sign your messages any longer.
Obviously it could have if applied correctly. That's an interesting point in general. People are still using insecure communications with no sender verification while doing business here in the 21st century.
At IBM they would randomly send people phish mails, if you clicked on them you landed on the site that provided remedial training! I always thought this would be a good service to offer companies. You could call it "Phish for Compliance" :-)
While my mother was in the hospital several weeks ago for an elective surgery, I was walking the halls and noticed the screen savers on the nurse's terminals. There was a rotating screen that warned against phishing and gave a website to report any possible fraudulent inbound emails.
I get incomprehensible bills from the hospital whenever I get a test or see a physical therapist, etc. Sometimes I get bills about a service that happened 2 years ago, don't remember what the service was, and it seems they can't tell me because that would violate my privacy or something.
I've always wondered if I sent an invoice to the hospital for unspecified services if they'd pay it.
I worked for university accounting many, many years ago. We paid late. Ninety day terms and then maybe we'd forget to pay your invoice for a whole month, oops.
And for little one man engineering outfits supplying the science department I was working in this was life-or-death stuff, because you know they've bought those materials on credit, they've done all the work, and then you haven't even the decency to pay on time. They'd phone up, so desperate for their money and I felt really bad for them saying I can't make it happen, some guy I've never met controls actually paying them.
But for a huge chain store, they don't put up with any of that nonsense. Our department as well as all this sophisticated hand-made one-off stuff had bought a dish washer for some project, ordinary dish washer from a famous high street store. The university didn't pay them on time. So they immediately sent a bill for the cost of sending an overdue letter, plus interest.
We paid that.
So that's the lesson to all those little engineering firms, if you have the balls to do it. Just send "Payment overdue" notices with a new additional invoice and that'll go in the same "Paid eventually but not on time" pile and it'll get paid. You won't get paid faster, but maybe the extra money helps take the sting off a bit.
The thing is, they probably could tell the court, if it came to that (nevermind that most people couldn't afford the time or money to take it that far). Just because someone isn't being candid about why you owe them money, doesn't mean you don't still technically owe them money in a way that can be proven. I don't know if a judge would have the discretion to waive a debt that wasn't fairly "divulged".
Apologies if it was mentioned in the article, but I am curious as to how the original attacker acquired the information needed for spear phishing.
I suppose business dealings between the university and contractors is public to some extent, but it seems plausible that this attack came from within the university or the contractor.
The university in question is a public institution. All of that info -- including copies of signed paperwork, names of officials, and ongoing contracts -- is likely available as public records.
Look at the email image in the lower portion of the article. All the attacker needed to know was the accounts-payable email address for MacEwan, the true accounts-receivable address for the builder, a reasonably similar domain (.com -> .us) for spoofing, and a convincing email body.
That is a frighteningly easy bar to clear, so it's reasonable to say this was human error more than a problem with information security.
Bank account numbers weren't leaked - the scammers simply requested the payments be rerouted to a different account. The letterhead could likely be easily reverse engineered, and I doubt the University rep knew what to look for, and the CFO's signature also doesn't carry any weight - any decent signature font could duplicate that signature (especially a digital one).
I agree with the original comment - how did these scammers gain the knowledge that these transactions were ongoing, and know exactly who to target?
If you know that a university is doing construction, then you know they're paying someone. It's not hard to know a university is doing construction because it will be reported on, they will have had to gain permission to do so, and you can just drive by and see the construction. Once you know that, then you just need to figure out the name of the companies involved. That should be simple: often construction companies will put up a sign, or you can just ask some people on site.
That's assuming no prior knowledge, in which case it would be even easier.
> Yangjiang City Jixie Zhulu Engineering made four payments to the Mas totalling ¥6.7 million, which would have been worth approximately $1.2 million. In August, Hoi Fu Enterprises received three wire transfers totalling $1 million.
Interesting to see that a dollar in Canada is worth 16.7% more than the same dollar in China.
And that was for a deal that was too good to be true. I wonder what the real going rate is for getting large amounts of funds out of China.
China has really strict controls on the amount of money that a Chinese citizen can legally wire transfer out of the country, to a foreign domestic bank account, per year. People have come up with all sorts of "creative" grey and black market things involving Vancouver real estate and BC casinos. Google "china money laundering BC" for news about it.
Ya... a coworker of mine recently had to return to China to bring his retirement money back to Canada. I'm not sure of the details of how he went about doing that. Does the limit apply to physically bringing currency back also? I'd ask my coworker but he doesn't speak English and I don't speak Cantonese.
They quickly discovered that while the email appeared to have been sent by “accounts.recievable@clarkbuilders.com” the email address had been “spoofed.” The display name of the email was different than the actual originating account.
Isn't this glaring security issue trivially fixable from the perspective of an email client developer?
No, because SMTP "accounts" are trivially spoofable as well. (Edit: Although you wouldn't want to spoof that if you need to get replies, so maybe there is something the client can do here.) Maybe you could try to do some kind of trust-on-first-use on the chain of Received headers but that's going to generate false positives.
We do have several solutions in place for that, though. SPF, DKIM, among others. If this University were running on gmail I suspect this email would have been flagged for phishing (the builder did publish an SPF record), or outright rejected. However they run their own email servers[1].
[1] - They could of course do the same checks and even more, but among self-hosted installs it is common to disregard those additional securities.
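As an added illustration of what SPF does and does not check (example code, not from anyone in this thread or from the article): a minimal evaluator for the ip4/ip6/include/all subset of an SPF record, run against constructed TXT records embedded in the code. The domains, IP ranges and the clarkbuilders.us lookalike (assumed from the ".com -> .us" remark elsewhere in the thread) are all made up for the example. The point it shows is that a lookalike domain with its own valid SPF record passes SPF cleanly, so a receiver also has to check that the From domain is aligned with the envelope domain and is actually the vendor's domain on file.

```python
import ipaddress

# Constructed TXT records for the example. None of these are real DNS data; the
# clarkbuilders.us lookalike is assumed from the ".com -> .us" remark in this thread.
FAKE_DNS_TXT = {
    "clarkbuilders.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "clarkbuilders.us": "v=spf1 ip4:192.0.2.77 -all",  # attacker's own, perfectly valid, record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sending_ip, mail_from_domain, dns=FAKE_DNS_TXT, _depth=0):
    """Evaluate the SPF record of mail_from_domain against the connecting IP.

    Implements the ip4/ip6 (with CIDR), include and all mechanisms of RFC 7208;
    anything else yields permerror. Results: pass, fail, softfail, neutral,
    none (no record) or permerror.
    """
    if _depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only if the included domain's record yields pass
            if spf_check(sending_ip, arg, dns, _depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, redirect= are not implemented here
    return "neutral"  # no mechanism matched and no 'all' term


def assess_vendor_mail(sending_ip, mail_from_domain, header_from_domain,
                       vendor_domain_on_file, dns=FAKE_DNS_TXT):
    """SPF alone says only 'this IP may send for mail_from_domain'. A receiver also
    needs the envelope and header domains to agree (DMARC-style alignment) and the
    header domain to be the one recorded for the vendor, not a lookalike."""
    spf = spf_check(sending_ip, mail_from_domain, dns)
    aligned = mail_from_domain.lower() == header_from_domain.lower()
    known = header_from_domain.lower() == vendor_domain_on_file.lower()
    return {
        "spf": spf,
        "aligned": aligned,
        "from_is_vendor_on_file": known,
        "accept": spf == "pass" and aligned and known,
    }
```

With the constructed records, mail from 192.0.2.77 claiming clarkbuilders.us gets an SPF pass and is even aligned, and is still rejected by assess_vendor_mail because clarkbuilders.us is not the domain on file for the vendor. Mail from the same IP claiming clarkbuilders.com fails SPF outright.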
MacEwan was in the midst of constructing the $180-million Allard Hall: a state-of-the-art building boasting music studios and dance halls with room for 1,800 students
Why does a college need a building that costs a large fraction of a billion dollars? Early this week we had an article about college education costs being one corner of the "Bermuda triangle" of personal finance. Out of control spending on new, shiny things is part of the problem, I think.
It’s not clear to me that $180 million is an unreasonable amount of money to spend on a state-of-the-art building with multiple music studios and dance halls, necessary for music or dance programs that the school (presumably) offers. Between the tuition the students pay, grants from government, and potential commercial use of the space (for concerts, shows, etc.) it’ll likely pay for itself soon enough.
Also bear in mind - while still pricy, higher education in Canada is leagues cheaper than in the US. My degree from UofT - usually internationally ranked among or at least near the Ivy Leagues - was about $5000 a year.
So I’m not sure this belongs in the same category of educational institution excess or Bermuda Triangle of finance stuff you’re talking about.
You don't need a lot of space for dance halls and music studios for under 2000 students. People add sound insulation to existing rooms at relatively low cost and it's cheaper when you're starting from scratch.
So, in terms of education they really could have done the same thing for under 50 million, but why build a utilitarian box when you want to attract students.
The school only has 20k student population and music students are going to other buildings. So, it's not simultaneously unless you mean as an audience.
I mean sure it looks nice, but that price tag is not due to utility. 60 million still pays for a huge building even at 1/3 the cost.
$180m is still $90k/student. If the building lasts 30-40 years without major maintenance, that’s still $2-3k per student year, which is a healthy chunk of what tuition should be.
A building that has studio space for 1800 should be much cheaper, building costs should be on the order of $500/student/year to keep tuition reasonable.
This. The overwhelming majority of machinists learned the trade on clapped out old Bridgeports. Competition shooters started out on 10/22s that had a bajillion rounds put through them. There's no reason to give a student something nice if the student's ability is not yet limited by their resources. Even with crappy facilities and equipment the student's ability is almost always the bottleneck.
As per the article:
>$11.8 million is equal to one-eighth of the total amount the university took in through tuition and fees during the 2016-2017 academic year.
So they are spending approximately twice their tuition revenue on one building. I guess this kind of money could have been put to better use.
I think colleges are doing these things because of federally guaranteed student loans, because of the following chain of events:
1. Students are price insensitive for college if they don't have to pay for it up front.
2. Banks are incentivized to loan unlimited money to students because the federal government guarantees the loans with zero exceptions-- the bank gets repaid no matter what, so it's very low risk.
3. Colleges and universities are incentivized to increase tuition, because the demand curve is almost completely flat because of 1 and 2.
The solution seems obvious to me: stop guaranteeing student loans, and stop subsidizing them. But nobody wants to do it because it's political suicide.
> The solution seems obvious to me. But nobody wants to do it because it's political suicide.
I like that this works for both readings.
If you say to yourself "Obviously the solution is to eliminate federally backed student loans" that's political suicide because it means most people can't have a tertiary education (even if at some future date this change means the institutions charge less than today)
If you say to yourself "Obviously the solution is to make tertiary education free at point of use" that's political suicide because it means a big tax hike to pay for it, plus either an unprecedented interference by the state in the operation of non-state entities offering education OR the state builds loads of extra institutions in competition with those pre-existing non-state establishments.
Of course, never say never, twenty years ago who'd have guessed major US politicians would be saying actually maybe we should just have single payer healthcare?
Isn't there a middle ground? Like having tertiary education free for state/city/public universities to ensure the poor aren't left without choice. And also eliminating federally backed student loans so eventually all schools normalize price and all schools become increasingly affordable?
Yes there is certainly a middle ground. The poor, middle, and upper class all have a GREAT choice available to them. Instead of spending 10, 20, or 30 years paying back your loans: spend 3 years working and have 0 loans.
Bonus points.. you learn skills/trades/work-ethic/survival-skills/basic-medical-training, and will be useful in an emergency for the rest of your life.
I'd like to eliminate federally backed student loans and replace that spending with federally backed student grants for the best students under a certain household income. That wouldn't make tuition rise in the same way, and it would still help poorer people go to college. AND they wouldn't have to pay back loans.
It's the way our "Developed World" functions now - growth above all else.
My brother recently built a house, and the taxes and fees from the local city council are sky high. Of course, the city council did just build themselves a lavish new office building for $20M that looks like it belongs in a contemporary art museum.
It's no secret if they had just built a nice and functional building with the same office space for $10M everyone would be paying less city rates.
But that's not how our world works.
The year to year vehicle excise tax increases where I used to live almost always were on the same order of magnitude as whatever boondoggle project the taxpayers were refusing to fund.
I am not sure if this completely answers your question, however as an Edmontonian I can give a little feedback. The school has a very active arts and music department. These programs used to be taught in a separate building from the main campus, that was aging, and in a not so nice part of the city. For this reason I think it was consolidated to the main campus, and upgraded. You can read a bit about it here: https://edmontonjournal.com/news/local-news/end-is-nigh-for-...
So although some may think that things like music studios are not a necessity, they are in this case.
It seems logical for out-and-out fraud to muscle in on "pork" situations. The university is building a status symbol, as much for the prestige of the administration as for any use. They're likely sending the contract to "friends" since they're clearly not terribly concerned with cost-benefits. So you wind-up with a bunch of money just bleeding out with little oversight. And so someone takes even more "initiative" and just scams some of those millions away. Maybe that someone even had some acquaintance with the whole scheme.
Yes, overt crime thrives in a situation of "generalized corruption".
It’s a sign of trust and respect to invest heavily into institutions you believe in. You want that building to feel like forever and the costs skyrocket when you no longer use mass market materials.
That said, institutions are quick to exploit this romanticism and things start to lose perspective.
It's unreasonable for a building to last only 20 years regardless of price. I work in a nearly 100 year old building and live in a 120 year old house. Even a modestly-priced building of that scale should last many decades.
>Why does a college need a building that costs a large fraction of a billion dollars?
It's the end result of applying capitalism to all human activities. Schools have to compete for students and they do so with activities that prospective students and parents will respond to. It's also why health care costs are higher when privatized, they're similar "markets".
>It's the end result of applying capitalism to all human activities.
I would argue both extremes work: free education works (see Europe), completely capitalistic education should also work. But America doesn't apply capitalism to education. Schools have all the pressure of competition you describe, but normally the lifetime profitability of gaining a degree would put a reasonable ceiling on education costs (outside of elite institutions for the rich and gifted). But in the US, student loans with their subsidies and special legal status remove monetary restrictions from the market, allowing most people to pay whatever the schools ask for. And for the supply side of any capitalist market it is only rational to raise prices to what the market is willing and able to pay.
In a free, unsubsidized, unprivileged market for student loans we wouldn't see massively rising education costs. Social mobility might be even worse though, so free education is likely still superior.
That's part of the reason. But why do costs go down for some things and up for other things when capitalism is applied? Because some markets' demand, like education and the current healthcare market, is not sensitive to price.
The technical solution is easy and it is the same solution as when we make bank transactions online: one time pin codes.
If another company wants you to send payments to another bank account, then you mail back the received pin code to that other company via another known email account.
If the known email account responds that the pin is legit, then go ahead and change the payment details.
Also, before changing the payment details, do send a small amount first, have it confirmed with the other company and then proceed with the rest of the payment.
This seems like a place where physical security keys could've been useful.
Any invoice would be expected to be signed using a physical security key. The University or a trusted third party would have a list of vendor keys, signed by the university's master key.
Any request to change account details or for payments would require a new signed invoice. Then any user receiving such an email could easily see if the invoice had been signed by a person who can cryptographically prove they have a key that is trusted to be in the vendor's possession.
This is more common than you expect, a friend's company recently suffered a Business Email Compromise where their clientele were emailed and sent invoices to the hackers' bank accounts instead of the actual company's bank account.
Email is definitely an unsafe way to send messages.
> They quickly discovered that while the email appeared to have been sent by “accounts.recievable@clarkbuilders.com” the email address had been “spoofed.” The display name of the email was different than the actual originating account.
It's a clear space where technology has the edge over humans and there's huge network advantages (e.g. you see a new account # for a known entity, especially at a different bank it's a big red flag).
In particular, this kind of low-tech spoofing could have been mitigated if the email client had highlighted the fact that the sender’s “name” was nearly identical to the sending address, and therefore likely a phishing email.
This seems quite simple to accomplish - compare the name and email address in the email header and flag based on even regex matches/mismatches. Perhaps a Chrome plugin for gmail to test out ?
there has to be offerings already out there that address that kind of thing, but maybe not. Either way, I agree, tech has the clear edge on this, so long as the rulesets (or whatever parameters are defined) are correct.
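The header comparison suggested above, as an added example over the standard library's email parser (not code from the article, the university, or anyone in this thread). The two messages are constructed; the clarkbuilders.us domain is an assumption based on the ".com -> .us" remark earlier in the thread, and the "recievable" spelling is kept from the article's quote. It flags three things: a display name that contains an address whose domain differs from the real sender, a sending domain that is a lookalike of a vendor on file (same second-level label with a different suffix, or one character off), and a Reply-To outside the From domain. It also works around a real parsing pitfall: an unquoted display name that itself contains "@" makes email.utils.parseaddr return the wrong address, so the angle-bracketed address is taken as authoritative when the two disagree.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ANGLE_RE = re.compile(r"<([^<>]+)>\s*$")


def split_from(header):
    """Return (display_name, address). email.utils.parseaddr mis-parses an
    unquoted display name that contains '@', so when it disagrees with the
    trailing angle-addr, the angle-addr wins."""
    name, addr = parseaddr(header)
    m = ANGLE_RE.search(header)
    if m and addr != m.group(1).strip():
        name, addr = header[:m.start()].strip().strip('"'), m.group(1).strip()
    return name, addr


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character lookalike labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain):
    """'clarkbuilders' from 'mail.clarkbuilders.com'. Good enough for .com/.us style
    lookalikes; a production filter should consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def analyze_from(raw_message, known_vendor_domains):
    """Return a list of (finding_code, detail) for one message's From/Reply-To."""
    msg = message_from_string(raw_message)
    name, addr = split_from(msg.get("From", ""))
    if "@" not in addr:
        return [("unparseable_from", msg.get("From", ""))]
    actual_domain = addr.rsplit("@", 1)[1].lower()
    findings = []
    # 1. The display name shows an address whose domain is not the real sender's.
    for embedded in ADDR_RE.findall(name):
        if embedded.rsplit("@", 1)[1].lower() != actual_domain:
            findings.append(("display_name_mismatch", f"{embedded} shown, sent from {addr}"))
    # 2. The real sending domain resembles a vendor we know but is not that vendor.
    for vendor in known_vendor_domains:
        vendor = vendor.lower()
        if actual_domain == vendor:
            continue
        if edit_distance(second_level_label(actual_domain), second_level_label(vendor)) <= 1:
            findings.append(("lookalike_domain", f"{actual_domain} resembles {vendor}"))
    # 3. Replies are steered to yet another domain.
    _, reply = split_from(msg.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[1].lower() != actual_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply}"))
    return findings


# Constructed sample messages (not the actual email from the article).
SPOOFED = """From: "accounts.recievable@clarkbuilders.com" <accounts.recievable@clarkbuilders.us>
Reply-To: accounts.recievable@clarkbuilders-ar.example
Subject: Updated banking details

Hiya, please reroute the remaining payments to our new account.
"""

LEGIT = """From: Accounts Receivable <accounts.receivable@clarkbuilders.com>
Subject: Invoice 0042

Please find the invoice attached.
"""
```

Run analyze_from(SPOOFED, ["clarkbuilders.com"]) and all three findings come back; the legitimate message produces none. The lookalike check is deliberately loose (distance of one on the second-level label), which is the right trade-off for a vendor list of a few hundred names but would be noisy over an allow-list of every correspondent.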
Every major fraud vendor has an AML offering. Be it SAS or FICO or startups such as Feedzai. I am building a startup as well but it is hard to determine how effective these products are. Till date I haven't found data that shows how many money laundering cases were caught by these products and how many of those cases were prosecuted. It's not a very transparent industry, so it's super hard to take on the incumbents. This is just based on a few weeks of conversations I've had with some AML and strategy team members, so by no means is this a generalization.
This seems like a technology problem, not a personnel problem. There should be more checks in a system when you are changing bank accounts where so much money is going to be deposited.
Seems like it should be more of a process and personnel problem, and one that should account for the problem of social engineering.
> As a result, one particular email, sent June 27, didn’t set off any alarms. Sent by a James Ellis of Clark Builders, a construction company working on the project, the email opened with the affable “Hiya” before asking the school’s accounts receivable department to reroute payments to a new National Bank of Canada account.
The order to change bank accounts should not have been trusted without another factor of authorization, such as a phone call (from the CFO's office) or an in-person confirmation. Yes, a software solution could be implemented to enforce this process, but that doesn't seem worth the time or effort and provides yet another vector of attack. The university, being a public institution, likely already has a legacy system of paperwork and manual processes. It should be less work to enforce existing rules or add an old-fashioned verification step than to build a new software system. Especially for something as rare as changing bank account numbers.
edit: at the end of the article, it seems that the university's solution has indeed been to go for old-fashioned verification:
> Employees are now required to verify all changes to vendor files by phone and a followup email, and all financial changes must first be reviewed by a supervisor, manager or director. A supplied audit report system was also implemented, tracking every change made to vendor files. The university has made employee training in social engineering attacks, phishing and other online scams mandatory.
I think the social engineering training is key, though. An employee could still follow the above rules and still be fooled, based on the letter used in the phishing attack:
I'm assuming a supervisor or manager don't have a special ability to know the vendor's actual financial details, and thus a "review" may be little more than a rubber stamp. What's key is that the office person fielding the request not only use a second form of authentication -- such as a phone call -- but that they call the number as recorded on university file and not the phone number listed in the spoofed email.
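The controls described in that comment (verify by calling the number already on file, not the one in the request; a second person reviews; every change is audited) and the one-time-code idea a few comments up, as an added example workflow in Python. This is not the university's system or anything from the article; the vendor, people and phone numbers are made up. The state machine refuses to move forward when the callback went to a number supplied by the request, when the echoed code does not match, when the approver is the same person who handled or verified the request, or when a commit is attempted without approval.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


class ChangeRejected(Exception):
    """Raised whenever a control in the workflow is not satisfied."""


@dataclass
class VendorRecord:
    vendor_id: str
    bank_account: str
    phone_on_file: str          # captured at onboarding, never copied from inbound mail
    audit: List[str] = field(default_factory=list)


@dataclass
class ChangeRequest:
    vendor_id: str
    new_bank_account: str
    callback_in_request: str    # the number the email/letter *asks* you to call
    handled_by: str
    state: str = "received"
    token: Optional[str] = None
    verified_by: Optional[str] = None
    approved_by: Optional[str] = None


def start_verification(vendor: VendorRecord, req: ChangeRequest) -> str:
    """Issue a one-time code for the callback. The code is read to the contact on
    file; callback_in_request is deliberately never used for anything."""
    if req.vendor_id != vendor.vendor_id or req.state != "received":
        raise ChangeRejected("request not in a verifiable state")
    req.token = secrets.token_hex(4)    # 8 hex chars: short enough to read over the phone
    req.state = "awaiting_callback"
    vendor.audit.append(f"{req.handled_by}: code issued for callback to {vendor.phone_on_file}")
    return req.token


def confirm_out_of_band(vendor: VendorRecord, req: ChangeRequest,
                        number_dialed: str, code_echoed: str, verifier: str) -> None:
    """Second factor: the code must come back over the contact on file."""
    if req.state != "awaiting_callback":
        raise ChangeRejected("no verification in progress")
    if number_dialed != vendor.phone_on_file:
        vendor.audit.append(f"{verifier}: REJECTED, dialed {number_dialed}, not the number on file")
        raise ChangeRejected("verification used a contact that is not on file")
    if not hmac.compare_digest(code_echoed, req.token):
        raise ChangeRejected("one-time code mismatch")
    req.state, req.verified_by = "verified", verifier
    vendor.audit.append(f"{verifier}: verified via {number_dialed}")


def approve(vendor: VendorRecord, req: ChangeRequest, approver: str) -> None:
    """Separation of duties: the approver is a third person."""
    if req.state != "verified":
        raise ChangeRejected("cannot approve an unverified change")
    if approver in (req.handled_by, req.verified_by):
        raise ChangeRejected("approver must differ from handler and verifier")
    req.state, req.approved_by = "approved", approver
    vendor.audit.append(f"{approver}: approved change to {req.new_bank_account}")


def commit(vendor: VendorRecord, req: ChangeRequest) -> str:
    """Only an approved request changes the vendor file; the old value is logged."""
    if req.state != "approved":
        raise ChangeRejected("only approved changes are committed")
    old, vendor.bank_account = vendor.bank_account, req.new_bank_account
    req.state = "committed"
    vendor.audit.append(f"system: bank account {old} -> {req.new_bank_account}")
    return vendor.bank_account
```

The interesting line is the comparison against vendor.phone_on_file: the request object carries the callback number the attacker wants you to dial, and the workflow never consults it, which is exactly the "call the number on file" rule stated above made mechanical.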
This scam has been going on in the UK for a few years. It's called "authorised push payment (APP) fraud". Typically you're having some building work done (or any other large project or purchase), and an email will arrive from the builder saying they've changed their account details, could the purchaser please send future bank transfers to the new account. Of course the email is fraudulent and usually happens because the builder has a virus on their computer (or even the customer).
The problems are:
* since cheques are no longer in widespread use, the only good way to send money is by a bank transfer to another account; in the UK these are free and nearly instantaneous
* but every account is identified only by a 6 digit sort code and 8 digit account number[edit 1]; the numbers don't even have parity checking, forget about any sort of way to verify the destination account
* complete insecurity of email and computers in general
Finally, after years of foot dragging, the banks are promising they will introduce an "amazing" new feature, where before you do a bank transfer the name (I think surname only) of the account holder will be displayed. This should, when it finally arrives next year, prevent most of these frauds, although I guess the scammers will quickly adapt.
[edit 1] True story to illustrate what a shitshow this is: When I started working for my current company they asked for my 6 digit sort code and 8 digit account number to pay my salary in. However the first payment was bounced by the bank. When my employer checked with me, it turned out they had only entered the first 7 digits of my account number into the payments system. Surprisingly this was not an error. For example say my a/c number is 12345678, they entered 1234567, and the system assumed that meant 01234567 (this is a feature of all UK banks, not something to do with the payroll, because bank accounts are really just natural numbers, the first customer is given bank account number 1, etc.) Luckily the 01234567 account was dormant or closed so the payment was returned, otherwise several people would have had a bad day (and one person a good day).
As much as people make fun of the widespread use of checks in the US, it actually seems much better for this use case, for at least two reasons:
1) the check will be handed over in person to someone you've met before, or at least mailed to a known postal address which is harder to spoof than email.
2) If you present a check for $12m to a bank, it will get the scrutiny it deserves, and won't clear immediately.
To your second point, my anecdotal experience has shown that once a check makes it past the receiving bank clerk into the electronic clearing system, all manner of errors are allowed. E.g. dates in future, wrong payee, garbage signatures. The simplest way to pass a check with an error is to deposit it with 9 other "good" checks.
Has anyone had a check bounce due to a bad signature?
>This scam has been going on in the UK for a few years.
Now that Brexit is near it doesn't matter anyway, but at least in Italy and Spain (but I presume the rest of EU) a more complex ID for accounts with checksum/validation, called IBAN, is used for both international and national transfers:
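Added example (not from any commenter): an IBAN validator implementing the ISO 7064 mod 97-10 check that the comment above refers to, next to the UK sort-code and account-number normalisation described a few comments up, where a seven-digit number is silently zero-padded to eight with nothing to catch a dropped or swapped digit. The GB IBAN in the test is a widely published sample, not a real account; the sort codes and account numbers are made up.

```python
import re

# Subset of the IBAN registry: expected total length per country code.
IBAN_LENGTHS = {"GB": 22, "IT": 27, "ES": 24, "DE": 22, "FR": 27, "NL": 18}


def _iban_numeric(s):
    """Move the first four characters to the end and map A..Z to 10..35."""
    rearranged = s[4:] + s[:4]
    return int("".join(str(int(c, 36)) for c in rearranged))


def iban_is_valid(iban):
    """ISO 13616 check: syntax, country-specific length, then mod 97 == 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is not None and len(s) != expected:
        return False
    return _iban_numeric(s) % 97 == 1


def iban_check_digits(country, bban):
    """Derive the two check digits for a country code and BBAN (98 minus the remainder)."""
    remainder = _iban_numeric(country.upper() + "00" + bban.upper()) % 97
    return f"{98 - remainder:02d}"


def normalize_uk_account(sort_code, account_number):
    """Mirror the behaviour described above: a 7-digit account number is zero-padded
    to 8. There is no check digit, so a dropped or transposed digit is not detected."""
    sc = re.sub(r"\D", "", sort_code)
    acct = re.sub(r"\D", "", account_number)
    if len(sc) != 6 or not 7 <= len(acct) <= 8:
        raise ValueError("sort code must be 6 digits, account number 7 or 8 digits")
    return sc, acct.zfill(8)
```

A single wrong digit or a transposition of two neighbouring digits always changes the mod 97 remainder, so the IBAN checksum catches the "entered 1234567 instead of 12345678" mistake; the UK pair has nothing equivalent, which is why the name-matching feature mentioned above matters.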
In Brazil we see the name of recipient and we must inform the identity of the recipient (11 digits for persons, 14 for businesses) and everything has single or double check digits.
It's a multifaceted problem. Certainly a social engineering problem here. I think anyone that's ever seen how an ACH file works would agree there's room to improve on the technology side.
I believe one unnamed person in China was caught with $5 million or so; but $960,000 CAD was still missing; so maybe not? Even if they only walked away with 8% of the total originally 'stolen', that's still pretty damn good.
Plus, it would probably bring the heat off of you. The investigators and the university get to say 'we successfully recovered 92% of it!' because that makes a great headline where 'justice was served' and have the case take a lower priority.