There are also services which you can hire. You give them a list of staff emails, and they send test phishes to everyone. Those who respond or click on links (there's a GUID in each phish) can be sent for further remedial training.
As a person that's been seeing and analyzing spurious SMTP traffic since 1993, this stuff seems obvious, but there's a lot of blithely ignorant people out there in administrative roles.
The (possibly remedial) education isn't to prevent the fraud, it's to make your population more resistant to it.
At some point in the far future, if it's part of basic education courses, then we may create a herd inoculation effect where phishing fraud may become unprofitable enough to further depress its likelihood (like highway banditry of days of yore).
Email will never go away - it will always be some part of the payment process even if it's just remittance. It's too ubiquitous.
The ease of forging emails is more of an issue where the spear phish email is trying to disguise itself as coming from inside the company.
Running their invoices through SAP or having gpg signed pdf invoices or using more node.js would not help because all of those solutions fail to address the fact that people are dumb and need to be trained to avoid scams.
If an email from a contact comes in, the from/sender headers can be spoofed without anyone having fallen victim yet, so maybe plans didn't really change.
Yes there are social aspects but there is also this plainly technical aspect.
Phishing can still pwn you.
All it would have taken is a phone call to the company's accounting department confirming the change.
"Verification of changes to banking details as a service" is not the answer. It's a Band-Aid solution.
Instead of vague implications and analogies, just state your opinion clearly.
Inherently social problems are commonly solved by technical interventions, e.g. distressing human smells by bathing or perfuming.
Did that really need rererepeating? No, the point was clear in the first instance, you just disagreed and preferred vituperation to addressing my point. People who just gainsay here annoy me, but you've hit a new low.
It most certainly was not and still isn't. Drop your holier-than-thou attitude and you might actually make some friends on the internet.
Pretty much all you said was "bathing". It was not clear to what you were replying. It was not clear what your point was. It was not clear what you were implying.
Bathing is not a social problem that I'm aware of. We as a species have been bathing for more than 4000 years and have been doing it fundamentally the same way (wash body with water and potentially with soap or other solvent) for most of that time. There have been no major technological advances in bathing that I'm aware of since perhaps the invention of the shower. I would argue that is not a technical solution to a social problem.
In any case, this entire farcical tangent has nothing to do with the social dynamic of fraudsters exploiting weaknesses in the human psyche, and I think you know that.
I am convinced you are just trolling and will not respond again.
I've always wondered if I sent an invoice to the hospital for unspecified services if they'd pay it.
I worked for university accounting many, many years ago. We paid late. Ninety day terms and then maybe we'd forget to pay your invoice for a whole month, oops.
And for little one man engineering outfits supplying the science department I was working in this was life-or-death stuff, because you know they've bought those materials on credit, they've done all the work, and then you haven't even the decency to pay on time. They'd phone up, so desperate for their money and I felt really bad for them saying I can't make it happen, some guy I've never met controls actually paying them.
But for a huge chain store, they don't put up with any of that nonsense. Our department as well as all this sophisticated hand-made one-off stuff had bought a dish washer for some project, ordinary dish washer from a famous high street store. The university didn't pay them on time. So they immediately sent a bill for the cost of sending an overdue letter, plus interest.
We paid that.
So that's the lesson to all those little engineering firms, if you have the balls to do it. Just send "Payment overdue" notices with a new additional invoice and that'll go in the same "Paid eventually but not on time" pile and it'll get paid. You won't get paid faster, but maybe the extra money helps take the sting off a bit.
If someone can't tell you why you owe a bill, don't pay it. If they can't tell you, they can't tell a court.
I suppose business dealings between the university and contractors is public to some extent, but it seems plausible that this attack came from within the university or the contractor.
That is a frighteningly easy bar to clear, so it's reasonable to say this was human error more than a problem with information security.
I agree with the original comment - how did these scammers gain the knowledge that these transactions were ongoing, and know exactly who to target?
That's assuming no prior knowledge, in which case it would be even easier.
Interesting to see that a dollar in Canada is worth 16.7% more than the same dollar in China.
And that was for a deal that was too good to be true. I wonder what the real going rate is for getting large amounts of funds out of China.
This is really disturbing.
Lots of evasion tactics:
hiring mules to use their limits.
finding someone that needs to send money to China, then you can make 2 domestic payments and everything is settled.
Buying goods in China for export, then accepting payment into your western accounts.
Isn't this glaring security issue trivially fixable from the perspective of an email client developer?
 - They could of course do the same checks and even more, but among self-hosted installs it is common to disregard those additional securities.
Why does a college need a building that costs a large fraction of a billion dollars? Early this week we had an article about college education costs being one corner of the "Bermuda triangle" of personal finance. Out of control spending on new, shiny things is part of the problem, I think.
Also bear in mind - while still pricy, higher education in Canada is leagues cheaper than in the US. My degree from UofT - usually internationally ranked among or at least near the Ivy Leagues - was about $5000 a year.
So I’m not sure this belongs in the same category of educational institution excess or Bermuda Triangle of finance stuff you’re talking about.
That's the problem though, right? "Paying for itself" means students paying higher costs, which is the problem.
That was the upshot of the second paragraph of my post - in Canada, students don’t pay an absurd amount, so it’s not really a problem.
You don't need a lot of space for dance halls and music studios for under 2000 students. People add sound insulation to existing rooms at relatively low cost, and it's cheaper when you're starting from scratch.
So, in terms of education they really could have done the same thing for under 50 million, but why build a utilitarian box when you want to attract students.
The school only has 20k student population and music students are going to other buildings. So, it's not simultaneously unless you mean as an audience.
I mean sure it looks nice, but that price tag is not due to utility. 60 million still pays for a huge building even at 1/3 the cost.
A building that has studio space for 1800 should be much cheaper, building costs should be on the order of $500/student/year to keep tuition reasonable.
1. Students are price insensitive for college if they don't have to pay for it up front.
2. Banks are incentivized to loan unlimited money to students because the federal government guarantees the loans with zero exceptions-- the bank gets repaid no matter what, so it's very low risk.
3. Colleges and universities are incentivized to increase tuition, because the demand curve is almost completely flat because of 1 and 2.
The solution seems obvious to me: stop guaranteeing student loans, and stop subsidizing them. But nobody wants to do it because it's political suicide.
I like that this works for both readings.
If you say to yourself "Obviously the solution is to eliminate federally backed student loans", that's political suicide because it means most people can't have a tertiary education (even if at some future date this change means the institutions charge less than today).
If you say to yourself "Obviously the solution is to make tertiary education free at point of use" that's political suicide because it means a big tax hike to pay for it, plus either an unprecedented interference by the state in the operation of non-state entities offering education OR the state builds loads of extra institutions in competition with those pre-existing non-state establishments.
Of course, never say never, twenty years ago who'd have guessed major US politicians would be saying actually maybe we should just have single payer healthcare?
Bonus points.. you learn skills/trades/work-ethic/survival-skills/basic-medical-training, and will be useful in an emergency for the rest of your life.
My brother recently built a house, and the taxes and fees from the local city council are sky high. Of course, the city council did just build themselves a lavish new office building for $20M that looks like it belongs in a contemporary art museum.
It's no secret if they had just built a nice and functional building with the same office space for $10M everyone would be paying less city rates.
But that's not how our world works.
So although some may think that things like music studios are not a necessity, they are in this case.
No one said it was unnecessary; the GP questioned why it needed to be "state of the art".
It seems logical for out-and-out fraud to muscle in on "pork" situations. The university is building a status symbol, as much for the prestige of the administration as for any use. They're likely sending the contract to "friends" since they're clearly not terribly concerned with cost-benefits. So you wind-up with a bunch of money just bleeding out with little oversight. And so someone takes even more "initiative" and just scams some of those millions away. Maybe that someone even had some acquaintance with the whole scheme.
Yes, overt crime thrives in a situation of "generalized corruption".
That said, institutions are quick to exploit this romanticism and things start to lose perspective.
$180MM / (20 yrs x 1800 people) = $5000/yr/person
Is that unreasonable?
It's the end result of applying capitalism to all human activities. Schools have to compete for students and they do so with activities that prospective students and parents will respond to. It's also why health care costs are higher when privatized, they're similar "markets".
I would argue both extremes work: free education works (see Europe), and completely capitalistic education should also work. But America doesn't apply capitalism to education. Schools have all the pressure of competition you describe, but normally the lifetime profitability of gaining a degree would put a reasonable ceiling on education costs (outside of elite institutions for the rich and gifted). But in the US, student loans with their subsidies and special legal status remove monetary restrictions from the market, allowing most people to pay whatever the schools ask for. And for the supply side of any capitalist market it is only rational to raise prices to what the market is willing and able to pay.
In a free, unsubsidized, unprivileged market for student loans we wouldn't see massively rising education costs. Social mobility might be even worse though, so free education is likely still superior.
That's not how you spell "receivable."
If another company wants you to send payments to another bank account, then you mail back the received pin code to that other company via another known email account.
If the known email account responds that the pin is legit, then go ahead and change the payment details.
Also, before changing the payment details, do send a small amount first, have it confirmed with the other company and then proceed with the test of the payment.
Any invoice would be expected to be signed using a physical security key. The University or a trusted third party would have a list of vendor keys, signed by the university's master key.
Any request to change account details or for payments would require a new signed invoice. Then any user receiving such an email could easily see if the invoice had been signed by a person who can cryptographically prove they have a key that is trusted to be in the vendor's possession.
Email is definitely an unsafe way to send messages.
Um, and it was mis-spelled apparently.
The email was sent containing the email address "email@example.com" and the name field "firstname.lastname@example.org"
It's a clear space where technology has the edge over humans and there's huge network advantages (e.g. you see a new account # for a known entity, especially at a different bank it's a big red flag).
I know a great way you can get the funding you need....
> As a result, one particular email, sent June 27, didn’t set off any alarms. Sent by a James Ellis of Clark Builders, a construction company working on the project, the email opened with the affable “Hiya” before asking the school’s accounts receivable department to reroute payments to a new National Bank of Canada account.
The order to change bank accounts should not have been trusted without another factor of authorization, such as a phone call (from the CFO's office) or an in-person confirmation. Yes, a software solution could be implemented to enforce this process, but that doesn't seem worth the time or effort and provides yet another vector of attack. The university, being a public institution, likely already has a legacy system of paperwork and manual processes. It should be less work to enforce existing rules or add an old-fashioned verification step than to build a new software system. Especially for something as rare as changing bank account numbers.
edit: at the end of the article, it seems that the university's solution has indeed been to go for old-fashioned verification:
> Employees are now required to verify all changes to vendor files by phone and a followup email, and all financial changes must first be reviewed by a supervisor, manager or director. A supplied audit report system was also implemented, tracking every change made to vendor files. The university has made employee training in social engineering attacks, phishing and other online scams mandatory.
I think the social engineering training is key, though. An employee could still follow the above rules and still be fooled, based on the letter used in the phishing attack:
I'm assuming a supervisor or manager doesn't have a special ability to know the vendor's actual financial details, and thus a "review" may be little more than a rubber stamp. What's key is that the office person fielding the request not only use a second form of authentication -- such as a phone call -- but that they call the number as recorded on university file and not the phone number listed in the spoofed email.
Caller ID is trivial to spoof. What you want is a phone call to the CFO's office, not from.
The problems are:
* since cheques are no longer in widespread use, the only good way to send money is by a bank transfer to another account; in the UK these are free and nearly instantaneous
* but every account is identified only by a 6 digit sort code and 8 digit account number[edit 1]; the numbers don't even have parity checking, forget about any sort of way to verify the destination account
* complete insecurity of email and computers in general
Finally, after years of foot dragging, the banks are promising they will introduce an "amazing" new feature, where before you do a bank transfer the name (I think surname only) of the account holder will be displayed. This should, when it finally arrives next year, prevent most of these frauds, although I guess the scammers will quickly adapt.
The fraud: https://www.theguardian.com/money/2018/sep/25/uk-bank-custom...
How the banks propose to solve it: https://www.psr.org.uk/psr-publications/consultations/APP-sc...
[edit 1] True story to illustrate what a shitshow this is: When I started working for my current company they asked for my 6 digit sort code and 8 digit account number to pay my salary in. However the first payment was bounced by the bank. When my employer checked with me, it turned out they had only entered the first 7 digits of my account number into the payments system. Surprisingly this was not an error. For example say my a/c number is 12345678, they entered 1234567, and the system assumed that meant 01234567 (this is a feature of all UK banks, not something to do with the payroll, because bank accounts are really just natural numbers, the first customer is given bank account number 1, etc.) Luckily the 01234567 account was dormant or closed so the payment was returned, otherwise several people would have had a bad day (and one person a good day).
1) the check will be handed over in person to someone you've met before, or at least mailed to a known postal address which is harder to spoof than email.
2) If you present a check for $12m to a bank, it will get the scrutiny it deserves, and won't clear immediately.
Has anyone had a check bounce due to a bad signature?
Now that Brexit is near it doesn't matter anyway, but at least in Italy and Spain (but I presume the rest of EU) a more complex ID for accounts with checksum/validation, called IBAN, is used for both international and national transfers:
that should avoid that kind of typo error.
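The contrast the two comments above draw, as an added example that is not from any commenter: an ISO 13616 mod-97 IBAN check in Python beside a UK-style sort-code/account-number check, which has no check digit at all. The IBAN length table is a partial excerpt of the registry, and `normalise_uk_account` mirrors the zero-padding behaviour described in [edit 1] rather than any specific bank's rule.

```python
import re
import string
from typing import Tuple

# Expected IBAN lengths for a few countries (partial excerpt of the
# ISO 13616 registry; a real deployment would carry the full table).
IBAN_LENGTHS = {"GB": 22, "DE": 22, "IT": 27, "ES": 24, "FR": 27, "NL": 18}


def iban_checksum_ok(iban: str) -> bool:
    """Validate an IBAN with the ISO 7064 mod-97 rule used by ISO 13616."""
    s = iban.replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is not None and len(s) != expected:
        return False
    # Move country code + check digits to the end, map letters to
    # numbers (A=10 ... Z=35), and require the whole number mod 97 == 1.
    rearranged = s[4:] + s[:4]
    digits = "".join(
        str(10 + string.ascii_uppercase.index(c)) if c.isalpha() else c
        for c in rearranged
    )
    return int(digits) % 97 == 1


def single_digit_errors_caught(iban: str) -> Tuple[int, int]:
    """Mutate every digit of a valid IBAN to each other digit; return (caught, tried).

    Because 97 is prime and does not divide 10, every single-digit
    substitution changes the remainder, so all of them are caught.
    """
    s = iban.replace(" ", "").upper()
    caught = tried = 0
    for i, c in enumerate(s):
        if not c.isdigit():
            continue
        for d in "0123456789":
            if d == c:
                continue
            tried += 1
            if not iban_checksum_ok(s[:i] + d + s[i + 1:]):
                caught += 1
    return caught, tried


def normalise_uk_account(account: str) -> str:
    """Left-pad to 8 digits, mirroring the behaviour described in [edit 1]:
    a 7-digit entry is silently read as '0' followed by those 7 digits."""
    return account.zfill(8)


def uk_domestic_format_ok(sort_code: str, account: str) -> bool:
    """The only check a domestic sort code + account number gets: shape, not content.
    A typo or a dropped leading digit still yields a 'valid' (different) account."""
    acct = normalise_uk_account(account)
    return bool(re.fullmatch(r"[0-9]{6}", sort_code) and re.fullmatch(r"[0-9]{8}", acct))
```

Run `single_digit_errors_caught` on a valid IBAN and every mutation is rejected; run `uk_domestic_format_ok` on the same kinds of typo and every one of them passes.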
One small part of why the social hack worked well.
There were many red flags that weren't caught, this being one of them.
Plus, it would probably bring the heat off of you. The investigators and the university get to say 'we successfully recovered 92% of it!' because that makes a great headline where 'justice was served' and have the case take a lower priority.