Email and a phone call enough to secure nine payments.
The local council of the Australian city of Brisbane has been fleeced of A$450,000 (£248,000, US$334,000) by email-whaling scammers who tricked staff into wiring money into their bank accounts.
The scammers phoned and emailed the council posing as one of its suppliers.
Lord mayor Graham Quirk has commissioned Deloitte to conduct a review into how the scam took place.
Quirk told reporters the scammers gained the cash in nine payments made since 13 July.
“It was then checked and it was found that the place where the cheques were going to was different to what the ridgy-didge* account was,” Cr Quirk said.
It was the largest scam against the council, Cr Quirk says.
Business email compromise, a subset of phishing that tricks executives into wiring money to attackers, is estimated by the FBI to have cost US$740 million in the US alone since 2013.
The social engineering scams are a scourge of businesses and result in many millions being plundered by convincing executives to wire money into different accounts.
The best scams are compartmentalised with different teams responsible for various intelligence and social engineering tasks.
Teams will often compromise a business's email accounts to gather intelligence on the types of services and partners it uses.
Criminal call centre services offer scammers the ability to pay for English speakers to make follow-up phone calls to further convince targeted businesses.
Scammed funds are often wired between banks on their way to the Chinese port city of Wenzhou, a hub of cybercrime on the East China Sea where money trails run cold.
In April, toy maker Mattel recovered some US$3 million shipped off to Chinese hackers who sent a well-crafted phishing email to a finance executive.
* Archaic Australian slang for “genuine”.