Hackers stole $650k and got away, showing limits to law enforcement’s reach

<a href="https:&#x2F;&#x2F;archive.is&#x2F;ApLtp" rel="nofollow">https:&#x2F;&#x2F;archive.is&#x2F;ApLtp</a>

This happened to someone I know with a reasonably well-run but not super technical small business. Someone compromised the email account of their accounts receivable person, silently monitored it for a while, and then used it to send a few strategic requests to change the payment account. By the time my friend noticed and politely asked their customers (mid-size businesses all) “Why haven’t you paid this $50,000 bill?”, the hackers had made off with a few hundred thousand - a big deal to my friend, but not so much to law enforcement, who pretty much shrugged and said “Sucks to be you.”<p>Luckily, several of those customers theoretically had policies against changing payment directives without phone confirmation, which were not followed, so they are taking some shared responsibility for this.

&gt; On Feb. 25, nearly a month later, the FBI assigned a special agent to the case. On March 3, the agent emailed Ms. Williams to say the U.S. attorney’s office in San Francisco had declined to open an investigation. He didn’t explain and the FBI hasn’t been in contact since, she said.<p>More and more people finally realizing the police don’t help them, one crime at a time.

And here yet again an example of how the system is rigged against the poor and stacked in favor of the rich. If you have enough (and get stolen enough), then you get help, otherwise, too bad.<p>I understand that there’s a resources allocation problem here and the current solution is prioritizing bigger crimes. But given the resources of the victims, maybe the priorities should be inverted. Help the people that can’t pay for their own investigations, or just charge for the investigation services in proportion to the “size of the crime”.

This isn&#x27;t so much a story about the limits of law enforcement as it is about the reality that they don&#x27;t expend much time investigating &quot;small&quot; crimes and their definition of small is surprisingly large to the average person.

I wonder if Frost Bank filed a Suspicious Activity Report for these transfers and whether or not they will face any enforcement actions. Having worked with quite a number of banks at this point, they all talk a big game about compliance but yet very few seem to actively mitigate these events. It&#x27;s not Frost&#x27;s only such issue: <a href="https:&#x2F;&#x2F;www.expressnews.com&#x2F;business&#x2F;local&#x2F;article&#x2F;Former-officer-manager-of-San-Antonio-dermatology-16171788.php" rel="nofollow">https:&#x2F;&#x2F;www.expressnews.com&#x2F;business&#x2F;local&#x2F;article&#x2F;Former-of...</a><p>But they are a fairly large bank so hard to say how they do relative to others for their volume.

Had a similar experience with IC3 and FBI though for a much lesser amount. It&#x27;s nice that both exist but neither seem helpful for amounts that are meaningful to a small business, tens of thousands, but not meaningful at their level. Do any entities exist to try to help find justice for these smaller electronic financial crimes?

I feel like a bounty system for online crime might help. Let the free market figure out whether this is worth investigating &#x2F; solving. Registered bounty hunters &#x2F; investigators could take up the case and operate on it. I sense that a lot of investigation around this case could be done from the comfort of a warm armchair. The rest involves boots on the ground.<p>Its not $650k either, its more like 10 or 20 x 650k. Why? These are criminals operating a business. They will do this again.

I&#x27;m a local law enforcement officer in California who investigates these. I love working on these cases, but there are tons of issues that stop them from being prosecuted successfully other than laziness. Ask me anything.

A similar story from a few years ago:<p><a href="https:&#x2F;&#x2F;www.cbc.ca&#x2F;news&#x2F;canada&#x2F;edmonton&#x2F;macewan-university-phishing-scam-edmonton-1.4270689" rel="nofollow">https:&#x2F;&#x2F;www.cbc.ca&#x2F;news&#x2F;canada&#x2F;edmonton&#x2F;macewan-university-p...</a><p>It looks like they were able to recover much of the money, but at a cost of $250,000 in legal and banking fees:<p><a href="https:&#x2F;&#x2F;www.cbc.ca&#x2F;news&#x2F;canada&#x2F;edmonton&#x2F;macewan-university-recovers-most-of-11-8m-online-phishing-scam-1.4604729" rel="nofollow">https:&#x2F;&#x2F;www.cbc.ca&#x2F;news&#x2F;canada&#x2F;edmonton&#x2F;macewan-university-r...</a>

This is literally fraud and maybe identity theft, isn&#x27;t it?<p>And not even high tech, people used to do the exact same thing with paper cheques by mail.<p>There&#x27;s a sending bank account, a receiving bank account and a digital trail. With the newer KYC laws, it should be easier to find the criminals.<p>Happens a lot in the UK and they don&#x27;t do anything about it because the police has been defunded to hell.

I hate to look at things like this, but by getting a WSJ article and likely other press coverage our of this, there&#x27;s a fairly good chance that the charity could view the loss as &quot;fundraising&quot; and see a positive return of investment.

Seems like an area that needs innovation to improve efficiency. Perhaps all transactions could be made electronic and reversible within 30 days? Maybe instead of mailing a check or doing a wire transfer something with two factor authentication is needed based on a physical token? Doesn&#x27;t seem difficult to give your trusted partners and associates a USB key to make sure funds can not go to anyone else. Why is banking mostly not using 2FA already? Any place that can mail me a debit card can mail me a USB key. The card could BE the USB key.

Time to wake up, ban cryptocurrencies so this never happens again, then go back to sleep!

Interesting that the FBI guy pretty much outlined how to do this and get away with it. Just steal less than $1M from each victim.<p>I suppose the hardest part is recruiting the &quot;money mules&quot; to open the destination bank accounts.

The root problem here is that someone moved money&#x2F;resources on the basis of an anonymous (i.e. unsigned) email. If you can&#x27;t be sure where the email came from you really need to do a manual verification.

&gt; The pair arrived in Odessa, near the border with New Mexico<p>No, it isn&#x27;t.

Good for them.

Where are Anonymous now? [deafening silence]

When Social Engineers become hackers?<p>To me, a hacker is someone who exploit a RCE or something like that.<p>I recall in 90&#x27;s we had this kids who got access to ton of companies all around the world. They would have conquered the earth along with the FBI.

&gt; Authorities are unlikely to pursue a case unless the loss is at least half a million dollars<p>Note to future supervillian self: steal from widows and orphans in increments of $499,999.99.