by Mark Hill
We tend to think of cybercrime as either the borderline magic "hacking" that’s done in movies, or real life Nigerian prince scams that even your grandpa, who thinks his mouse is a microphone, would never fall for. But there are a lot of thieves out there who know what they’re doing -- cybercrime costs the world an estimated $450 billion a year. And some of the ones that got us to that number sound too made up to even be in the movies.
The One Email That Cost $56 Million And Got A CEO Fired
Most phishing scams are easy to spot. When you get an email from email@example.com claiming that you need to provide your social security number to prevent your Google account from being deleted, you’re not falling for that unless you’ve recently suffered massive head trauma. Like if someone physically manifested Google and hit you with it. But some phishing emails do a far better job of masking their identity and intentions ... and some up the ante by also trying to exploit their target’s ego.
"I am a very important person, as you can tell by my mustache."
That brings us to the saga of FACC, which sounds like a robot swear but is actually an Austrian aerospace parts manufacturer. In 2016, their CEO of 17 years was caught up in a “fake President” scam, which involves someone high up in a company being contacted by someone pretending to be a peer or an even bigger shot. They’ll request a bunch of company money for some big transaction -- the acquisition of another business, a major purchase, a new sex yacht, whatever -- then hope that their target considers themselves too busy and important to confirm the legitimacy of the request (or be too proud to admit that they’ve never heard of the supposedly long running plan to purchase the S.S. Bonedown).
In FACC’s case, 39 million pounds (about $56 million U.S.) were signed off on and transferred to ... well, no one knows. The company managed to recover about a fifth of the money, but the rest of it just vanished into the ether. The CEO got the boot, as did the chief financial officer, because while we may not know every detail of what a CFO does, we’re pretty sure that “not letting $56 million up and disappear like it told you it was going to the gas station for cigarettes” is a key component of the job.
"If you're not my REAL $56 million ... who is?"
If there was any consolation for the newly unemployed, it’s that they weren’t alone. A Belgian bank lost $75 million to a similar scheme, also targeting someone with a lot of financial power, while impersonating a bigshot, right down to their signature block. So never hesitate to confirm that a requested transaction is legit, and if you ever need to get yourself good and angry, remember that people have lost more money than you’ll ever have in your lifetime, due to a lack of common sense.
Three People Phished 59 Million Pounds From 30,000 Victims
If you’re phishing and can’t trick one person with access to a lot of money, then you try to trick a lot of people who all have a little money. That’s how most phishers succeed: through sheer, unrelenting volume. Even if your emails that pretend to be from someone’s bank are almost perfect impersonations, you’ll probably only fool one in a thousand people. But that just means you have to email tens of thousands of potential victims. It would be an inspirational lesson about the importance of perseverance if people weren’t, you know, being robbed.
"I have a case of Monster and no ethics. Bring it."
The fruits of this approach can be seen in the three men who fleeced 59 million pounds ($81.5 million U.S.) out of 30,000 people from 14 different countries. Sorry, at least 59 million pounds -- authorities figured there was probably more they couldn’t track down. The scammers had 2600 fake webpages mimicking all sorts of different banks that they’d try to direct their targets toward. Oh, and they had acquired the email addresses of 70 million potential new victims, suggesting that they were getting ready to ramp up their operation even further. That’s how phishing works. If you target over two Canadas worth of people, you’re going to get lucky sooner or later.
The men were each given five to eight years in prison, but not before running one of the most profitable phishing schemes in history. In fact, they were caught when police tracked their operation to a luxury hotel, like they were the villains in a bad ‘90s movie. So the next time some bozo sends you an email in an attempt to steal your banking info, keep in mind that he might be lounging around in a fluffy bathrobe and eating lobster bisque.
The $81 Million Bank Robbery (Possibly Committed By North Korea)
When you hear “bank robbery” you probably picture a couple guys in ski masks, waving guns around and demanding bags with dollar signs on them, but that’s been a sucker’s game for years. Between advancements in high-tech security and the fact that banks just don’t keep that much cash on hand anymore, most criminals would do better trying to knock off a series of lemonade stands.
"Don't be a hero, just hand over the money!"
Anyone who’s serious about robbing a bank these days does it from the comfort of their own home. And in 2016, mysterious people metaphorically walked off with $81 million from Bangladesh’s Central Bank, possibly while not even bothering to wear pants. They did it by gaining access to SWIFT, a secure banking network that pretty much every bank in the world uses as part of their transactions process. Breaking into SWIFT is like breaking into a Fort Knox that’s inside a second Fort Knox, guarded by pissed off wizards. It’s about as close to impossible as you can get. So the perpetrators didn’t break into SWIFT -- they apparently just logged in with an employee’s stolen password. All the security in the world is useless if you leave a key under the mat.
Once the attackers got inside the system, they tried to transfer nearly a billion dollars out. That’s a bit like breaking into a house and then trying to steal the cement foundation, so most of their transactions were flagged as suspicious. But they still managed to move a cool $81 million to bank accounts in the Philippines, and from there the money was probably laundered through Manila casinos and out of sight forever.
"This dealer is fantastic. I would like to purchase him."
While not conclusively proven, it’s generally believed that the robbery was performed by none other than North Korea, as their government is desperate for cash, thanks to international sanctions. The evidence includes the unique code used, which had previously only been seen when South Korean banks and businesses were targeted by hackers, and when Sony was hacked in an attack related to The Interview. So sleep tight, knowing that all the security in the world can’t prevent someone from making a dumb mistake and letting a dictator help himself to your bank’s money.
The $45 Million Debit Card Scam That Involved Nearly 40,000 ATM Transactions
There’s more than one way to rob a bank without ever stepping foot in it. The method that a group of criminals used to steal $45 million from a pair of Middle Eastern banks in 2013 is a complicated and time consuming one, but it’s also the method that would make by far the most entertaining movie heist, so we’ve got to give them credit for that.
"We'll CGI the robots in later."
Their first step was to break into records at credit card processing companies in the United States and India, possibly with the help of insiders. But they didn’t want credit card information. What they did, instead, was raise the limit on prepaid debit cards that their two target banks kept in reserve.
You can probably guess where this is going, but what good are cards with big limits if you don’t actually have them in your possession? Here’s where the first of the two montages this movie would need begins. Cue the techno music. The gang took magnetic stripe encoders, which you can buy online, to rewrite the magnetic stripe information on plastic cards. Gift cards, office ID cards, grocery store loyalty cards, hotel keys ... anything with a stripe on it could be turned into a prepaid debit card. A prepaid debit card with access to a lot of money.
"I'd like 200,000 large Frappuccinos, please."
Then it was just a matter of using the cards, aka montage number two. They hired hundreds of people in 27 different countries, giving the lackeys a cut while collecting most of the money from them via wire transfers. First, they chose a day in December to test their system out and, over the course of two and a half hours, made $5 million from 4500 ATM transactions. Then, when no one showed up to arrest them, they did it again in February, this time going all out. Over the course of 10 hours, they made 36,000 transactions, good for $40 million.
Seven people were arrested in New York City, but they were just part of the army of expendable help. The masterminds, suspected to be a Russian crime ring, went untouched. Even security experts were impressed by the sophistication of the operation, noting that they probably targeted Middle Eastern banks because they were less stringent about monitoring debit transactions. We’re guessing that changed in a hurry.
The 650 Million Pound Virtual Inside Job
You’re all familiar with the idea of an inside job: robbing a business is easier if you’ve worked there long enough to know how everything works. But it’s easy to get caught if you rob your own employer, plus you have to show up on time and sit through boring meetings and do all of the boring work that criminals are actively trying to avoid. So a Russian gang pulled the virtual equivalent by breaking into a bank’s systems with malware and then just ... watching people go about their digital work. For two months.
It's exactly like playing Euro Truck Simulator.
By spending all that time learning how the bank operated, they were eventually able to impersonate employees and initiate transactions without raising any eyebrows. They didn’t make any clerical errors, they used all the right terminology, and for all we know, they said happy birthday to the security guy and consoled one of the tellers about the death of their dog. Two months spent watching bank employees move money around on their computers meant that they could perfectly mimic the employees when it came time to strike.
And strike they did, transferring 650 million pounds (that’s just shy of $900 million U.S.) into their own accounts. They didn’t do it all in one go -- that would have raised a May Day parade’s worth of red flags. Instead, they spent a few months mastering one bank’s methodology, transferred tens of millions in what looked like a humdrum transaction, then moved on to another bank. Alternatively, they would inflate a single account’s balance, then withdraw the “new” money, and no one would ever notice because the account would appear to have been unchanged. So there’s a comforting reminder of how money is just a hallucination that we’re all agreeing to share.
"All I see are Jacksons, Grants, Franklins ..."
They had been at it for two years by the time the scheme was uncovered in 2015, and it was considered the biggest cybercrime ever. And it was only discovered because they also, for some reason, programmed an ATM to randomly spit out cash, which prompted an investigation. That’s admittedly the first thing we would do if we worked at a bank, but that’s why one’s never hired us. Maybe even thieves get bored at their shadow job and need to spice things up.