UK: Football team loses £1 million

Spanish Admin

Sports team nearly paid a $1.25m transfer fee… to cybercrooks

23 Jul 2020
by Paul Ducklin

If you were about to spend more than a million dollars, how careful would you be about where you sent the money?

More importantly, how would you check with the recipient of the money – and how would they check with you – that both ends of the transaction were lined up correctly, with no treachery in between?

It’s quite likely you’d have been emailing them back and forth for some time, negotiating the deal, agreeing terms and finalising payment…

…and therefore it’s quite likely that you’d email each other one last time before it all went through.

And if there were a last-minute change in payment details, you might be really relieved to hear about that, especially if the deal were time-critical, like a house purchase, a stock offer…

…or a £1,000,000 payment as part of a player transfer in the English Premier League – the richest soccer competition in the world, and the most-watched sports franchise on the planet. (Probably, although NFL, NHL, MLB and IPL fans may wish to disagree.)

After all, transfer windows are short, and transfer negotiations are complicated, so a payment that failed to go through at the last step could ruin a deal that had been months in the offing.

Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and rather than saving the deal at the last minute, the club would have lost the lot.

Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.

Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.

As you can probably guess, that scam was what’s known as BEC, short for business email compromise.

BEC is something of a special category in the world of online crime – in fact, it’s probably better to refer to it as ‘internet-enabled crime’ than simply as cybercrime.

The criminals behind it don’t have to be programming wizards or malware authors; they don’t need elite hacking or exploit-creating skills; and they don’t need the know-how to carry out network intrusions, lateral movement and so on.

What they do have is patience, persistence, self-belief and what you might call sociopathic-level skills in social engineering.

In old-school terminology, you’d call them confidence tricksters, though they are generally using the internet to manipulate victims, not their in-person charisma.

The basic idea behind BEC crime is surprisingly simple: get hold of the email password of someone of importance in the organisation, read all their email before they do, learn how they operate, find out what the company is up to and learn when big payments are coming up, in or out…

…and then take on the persona of the employee whose email was compromised in order to misdirect other employees, as well as creditors and debtors....