I follow Verne Harnish’s weekly blog. Verne is the founder and CEO of Gazelles, Inc., a very successful consulting business that provides “executive education” for high-growth companies around the world. He is also one of the original founders of YEO (Young Entrepreneurs’ Organization).
His story below will make you sick to your stomach, especially if you think about it happening to you or someone you know. Here at Hughes Private Capital, we have been aware of these wire scams for quite some time now, and we have changed our wire policy to combat this type of fraud. I encourage you to pass this article along to any business owners that you know, or anyone who may be susceptible. You just may save them $400,000. -Greg
It was a bad night last night, finding out that Gazelles was cyber-attacked and $400k was cleverly “taken” from our Gazelles bank account.
How Was $400k Taken from Us?
We believe the process started in Moscow last Tuesday when I was giving the day’s closing keynote at the Atlas Business Forum – 3,000 leading CEOs and entrepreneurs from around Russia. While on a public network that morning my email was hacked – I have some ideas how and I believe it was “automated” as an algorithm scanned for clues that there was an opportunity to steal funds. Clues? I receive daily alerts from my bank on our bank balances, so they could see we had a substantial amount in the bank. And I had just instructed my assistant to wire some funds to an account in Spain – so it was obvious how we worked together in getting this accomplished by observing our back and forth conversations.
So What Happened Next?
“They” sent an email to my assistant completely imitating my style, subject line, and signature asking her to wire funds to three different places. I’m in the middle of funding several real estate and investment opportunities so this didn’t seem out of place. My assistant responded back to confirm and they responded appropriately for me, the whole time deleting these emails from our server after sending and receiving.
Deleted Bank Alerts
They also deleted my daily bank alerts which I didn’t notice since I was busy with meetings in Moscow or travelling. Anyway, my assistant calls in the wire transfers because our bank had suggested that calling in was less costly in terms of exchange rates and fees when wiring internationally – but much less safe than using our CEO Portal which requires two people with dongles to approve (penny wise, pound foolish). With the call in, my assistant’s voice is verified and then they call her back to confirm. Dumb process – my fault and the bank’s for thinking that this is a sufficient “dual” response.
To the bank’s credit they did flag one of the three transactions to Hong Kong and suggested to my assistant that she call me to verify. She emailed me asking when we could talk while on the road. The perpetrators intercepted this email and replied, again in my style, that I was busy travelling, that the transfer was good, and to get the bank to send. Then these emails were deleted (we were able to recover all the deleted emails on the server to confirm they had been sent and received and the bank alerts erased.)
Expensive Lessons Learned
Anyway, the funds were wired and the likelihood we’ll ever see them again is nil. Hard lesson exposing massive numbers of failures on my part. The big failure was not thinking it could happen to me! The second was falling out of some critical daily and weekly routines with my team, especially when travelling. And it underscored the importance of talking about these large transactions, not just relying on emails. The difference in time zones makes it difficult at times, but not an excuse.
It just so happens we have someone speaking at the Growth Summit on the need for small to mid-size firms to take cybersecurity more seriously. If they can hack into governments, they can hack into you! Lesson learned the hard and expensive way.