Phishing Scammers Convince Grocery Store To Give Them $10 Million

from the the-big-phish dept

By now, most people are familiar with how phishing scams work, usually preying on individuals and tricking them into handing over data that allows the scammers access to bank accounts or other useful info. However, scammers have been aiming a bit higher lately. One tactic is commonly referred to as “spear phishing,” where scammers focus on business targets, and attempt to convince them that they’re actually coming from partners or suppliers. Apparently one such spear phishing attempt nearly worked to the tune of $10 million. The scammers sent two emails to someone at the headquarters of the supermarket chain Supervalu, purporting to be from Supervalu suppliers American Greetings and Frito-Lay. Both emails claimed that their bank account info had changed and Supervalu now needed to deposit payments into different accounts. Someone at Supervalu followed the instructions, leading approximately $10 million to be deposited into the two accounts over a period of about 4 days. At this point, someone from Supervalu figured out there was a problem and alerted the authorities, who were then able to recover most of the money before the scammers withdrew it. However, it appears that no one has yet figured out who opened the accounts, though Supervalu has filed a lawsuit in order to try to get that information.

Filed Under:
Companies: supervalu

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Phishing Scammers Convince Grocery Store To Give Them $10 Million”

Subscribe: RSS Leave a comment
Search◊ Engines Web (user link) says:


What is so-o frustrating about that news coverage is the lack of information about WHO made the discovery about the fraud – and HOW .

This could be a valuable lesson for everyone.

Hopefully that person received some recognition and there were no obstacles or politics preventing their responses to their suspicions.

One also has to wonder if this was an inside job. Someone would have to have some intimate knowledge of the company to even attempt this with any credibility.

peoplegeek says:

The grocery store people were just victims. If the email came to the right business email it could have looked okay.

The scammers on the other hand..That money should have been transferred twice in the first 24 hours it hit the account.

First to a neutral uninteresting country, next to an openly uncooperative country.

At that point it should have been turned into hard money even if it was only .50 on the dollar.

Lazy stupid scammers

z says:

Re: Re:

If you want to transfer $10 million, i can almost guarantee that the bank will sit on that money for a couple of days(and use it in the mean time)

sometimes it takes days to cash a certefied check if it exceeds like $10,000. Let’s say you owned your house and sold it. The lender will give you a check. You want to cash it, you better be prepared to wait for a week.
These transactions are not as fast (for an average Joe) as we’d like it to be.

.Net Developer says:

Re: Re: Re:

What world do you live in? My bank legitimately sends me emails when the terms of my account change. Also, if you would actually READ the article, a bank did not send the email. The email looked like it came from employees at a company who said their banking info changed. Yes it is different.

Anonymous Coward says:

Re: Re: Re: Re:

What world do you live in?

Every piece of email I receive from my bank states clearly that I should be aware of fraudlent email and should not give ANY sensitive information through email alone.

Secondly, it is fantastically moronic to change where you send millions of dollars JUST because SOMEONE sent you an email. To say otherwise means YOU live in some fairy like, idyllic world, that or you’re just as stupid as the person who let the 10 million go into another account because an email told him so.

Max Powers at (user link) says:

Stupid Criminals can't follow through

Just think if they were smart criminals. If they were not so greedy they probably could have gotten away with it if they had tried scamming for a lot less.

This is just an update of the old scam of mailing a business a fake invoice and see if they send a check.

I have always thought of pulling off the “greatest scam/con of all time” but then reality sets in and I remember all those prison movies.

It’s hard to find a smart criminal these days.

ehrichweiss says:

Re: Stupid Criminals can't follow through

“I have always thought of pulling off the “greatest scam/con of all time””

Yeah. I just read in the news that someone was caught doing a scam I conceptualized about 10 or more years ago. The reason they got caught? Greed. My idea was that one could drive all over the country pretty much for free by using 2 vans to steal gas from gas stations through the holes they use to fill the gas in to the LARGE tanks. Park the vans next to each other so that the rear van is the one pumping and the front one is blocking the view and use a pump to fill your tank.

The guys who got caught were greedy beyond all belief since they decided they wanted to steal 1,000(maybe 2,000 since they had 2 trucks involved) gallons at a time, which as you can imagine would set off the alarms that warn the station they might have gas leaking into the soil since it was losing so much so fast without moving through the gas pumps. They deserved it though because the only reason I can see to steal 1,000 gallons at a time would be to sell it because even if I filled my 3/4 ton van’s 22+ gallon tanks every week, I would barely be done with 1,000 gallons in a year…and gasoline starts to go “bad” after 6 months or so.

FWIW, I only dream up scams so I can use the ideas to teach people about social engineering AKA people hacking.

Killer_Tofu (profile) says:

Its Like

Those phone calls from the police department or fire department saying that they are asking for money. When you mention that the police & fire groups even mentioned on TV that they will NEVER call people house to house like that, they person just becomes uncooperative and suddenly has to go.

If somebody sent me something mentioning account change, you can be sure as the sun that I will be calling the company back later to verify stuff, and not at the phone number the person who just called was either.
And if it came by email, lol, they can forget it.

Overcast says:

It so amazes me how much people believe in their email. Email isn’t really too far from a wall you spray graffiti on.

Particularly before writing a check for 10 million bucks….

I too get statements from my bank in email, I also get bill notices in email – but if my bank sends an email wanting me to change the account number my payroll deposits go into, I think I’ll call them about that. Or if I get an email wanting my password – well, too bad. If I were to get a ‘notice’ from my water company that they changed accounts and to send a 500 bill payment to them using that account, again, I think I’ll call first.

And allowing the admission of email into court is silly. So many people seem to have this notion of how ‘secure’ email is… Which is funny indeed!!

I spent a few years as an Exchange admin, and seen a lot of funny stuff. All to often the server would somehow end up with emails intended for other domains, and would kick them in the Non-Delivery mailbox.. I guess a DNS glitch or something else would cause that. And anyone with a hint of SMTP knowledge and an open relay can spam away, making it look like it came from whomever they choose. Of course, if one takes the time to investigate the email header, they can tell it’s a fraud, but how many do? So yes, depending on the configuration of email servers at each end, someone could send you an email addressed like: – or whatever they choose. Of course a reply might bounce, but often that’s not the intention.

yo-yo says:

Transferring Money

I work at a bank as a manager in commercial lending, but I have to take compliance training each month. Each year, I have to repeat it. I know that if your transactions are less than $10,000 the bank will not even blink. Let me take that back, if you have frequent transactions just below $10,000 – then the bank will file a SAR (Suspicious Activity Report) with the Feds. Then you are screwed. Also, just the other day, we had someone wire in $55,000 into an account they opened online and try to wire out $50,000 the next day. Did my people release it? Of course not. They checked with the other banks involved and found out that it was fraud. The crooks never got their money…

So, one transaction under $10,000 is fine, but if it looks like you are structuring, you are busted. And, if it is over $10,000 – it has to pass the “smell test” before they release it. Usually that means that they have to be familiar with you. Anything online is going to “smell fishy” to most banks. Bankers are scared to death of losing money. Everyone knows that.

Anonymous Coward says:


so your telling me, that if i configure outlook express to fake my email address. to say. one of walmart’s suppliers, and then send walmart an email telling them their suppliers bank account, or mailing address changed. … then i could become rich over night….

wow. it sounds like that somebody at supervalu must be a college graduate. because their lacking commonsense and are using common stupidity to operate.

Elbert Hubbard once said: “Genius may have its limitations, but stupidity is not thus handicapped.”

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...