by Mike Masnick

Phishing Scammers Convince Grocery Store To Give Them $10 Million

from the the-big-phish dept

By now, most people are familiar with how phishing scams work: they usually prey on individuals, tricking them into handing over data that gives the scammers access to bank accounts or other useful information. Lately, however, scammers have been aiming a bit higher. One tactic, commonly referred to as "spear phishing," focuses on business targets and tries to convince them that a message really comes from a partner or supplier. One such attempt nearly worked to the tune of $10 million. The scammers sent two emails to someone at the headquarters of the supermarket chain Supervalu, purporting to be from Supervalu suppliers American Greetings and Frito-Lay. Both emails claimed that the supplier's bank account information had changed and that Supervalu now needed to deposit payments into different accounts. Someone at Supervalu followed the instructions, and approximately $10 million was deposited into the two accounts over a period of about four days. The obvious missing control was to verify the change with the supplier over a channel other than the email itself (a call to a contact already on file, for instance) before redirecting any payments. At that point someone at Supervalu figured out there was a problem and alerted the authorities, who were able to recover most of the money before the scammers withdrew it. It appears that no one has yet figured out who opened the accounts, though Supervalu has filed a lawsuit in an effort to get that information.
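
Added example, not from the Techdirt post: the control that would have stopped this attack, written in Python. A supplier's request to change its bank details is recorded as pending rather than applied, payments keep going to the account on file, and the change is applied only after a callback to the phone number the company already holds for that supplier, never a number supplied in the request. The supplier names, account identifiers and phone numbers are constructed for illustration.

```python
# Added example (not from the Techdirt post): a minimal control for supplier
# bank-detail changes. A change requested by email is held as pending and
# payments keep going to the account on file until the change is confirmed by
# calling the supplier at the phone number recorded when the supplier was set
# up. The supplier names, account and phone numbers below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class PaymentChangeError(Exception):
    """Raised when a bank-detail change is confirmed improperly."""


@dataclass
class Supplier:
    name: str
    account_on_file: str
    phone_on_file: str                    # verified at onboarding, never taken from an email
    pending_account: Optional[str] = None
    pending_source: Optional[str] = None  # e.g. "email claiming to be ar@fritolay.example"


class VendorLedger:
    def __init__(self) -> None:
        self.suppliers: Dict[str, Supplier] = {}
        self.payments: List[Tuple[str, str, int]] = []  # (supplier, account paid, amount)

    def add_supplier(self, supplier: Supplier) -> None:
        self.suppliers[supplier.name] = supplier

    def request_account_change(self, name: str, new_account: str, source: str) -> str:
        """Record a change that arrived over an untrusted channel; do not apply it."""
        s = self.suppliers[name]
        s.pending_account = new_account
        s.pending_source = source
        return "PENDING"

    def confirm_account_change(self, name: str, phone_called: str) -> str:
        """Apply the pending change only after a callback to the number on file.

        A number taken from the change request itself is rejected: whoever
        wrote the email would be the one answering that phone.
        """
        s = self.suppliers[name]
        if s.pending_account is None:
            raise PaymentChangeError(f"{name}: no pending change to confirm")
        if phone_called != s.phone_on_file:
            raise PaymentChangeError(
                f"{name}: callback went to {phone_called}, not the number on file")
        s.account_on_file = s.pending_account
        s.pending_account = None
        s.pending_source = None
        return "APPLIED"

    def pay(self, name: str, amount: int) -> str:
        """Pay the account on file; a pending, unconfirmed change is ignored."""
        s = self.suppliers[name]
        self.payments.append((name, s.account_on_file, amount))
        return s.account_on_file


def demo() -> List[str]:
    """Walk through the scenario in the post; returns the account each payment went to."""
    ledger = VendorLedger()
    ledger.add_supplier(Supplier("Frito-Lay", account_on_file="ACCT-FL-0001",
                                 phone_on_file="555-0100"))
    ledger.request_account_change("Frito-Lay", "ACCT-NEW-9999",
                                  source="email claiming to be ar@fritolay.example")
    paid = [ledger.pay("Frito-Lay", 2_500_000)]       # still the account on file
    try:
        # the email helpfully included a "new" contact number (constructed): reject it
        ledger.confirm_account_change("Frito-Lay", phone_called="555-0199")
    except PaymentChangeError:
        pass
    ledger.confirm_account_change("Frito-Lay", phone_called="555-0100")
    paid.append(ledger.pay("Frito-Lay", 2_500_000))   # now the confirmed account
    return paid


if __name__ == "__main__":
    print(demo())
```

The design point is that the email is only ever an input to a workflow, never an instruction the workflow obeys: until the callback to the number on file succeeds, every payment run uses the old account, so the attacker gets nothing even if the request is never noticed as fraudulent.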

Reader Comments

  • Anonymous Coward, 30 Oct 2007 @ 9:54pm

    There is no defence against stupidity.

  • Search◊ Engines Web, 30 Oct 2007 @ 10:53pm


    What is so-o frustrating about that news coverage is the lack of information about WHO made the discovery about the fraud - and HOW.

    This could be a valuable lesson for everyone.

    Hopefully that person received some recognition and there were no obstacles or politics preventing their responses to their suspicions.

    One also has to wonder if this was an inside job. Someone would have to have some intimate knowledge of the company to even attempt this with any credibility.

  • modest, 30 Oct 2007 @ 11:15pm

    yea so

    I need to alert everyone that their utility bills are now to be sent directly to me through paypal.

    I'm serious.

  • peoplegeek, 30 Oct 2007 @ 11:19pm

    The grocery store people were just victims. If the email came to the right business email it could have looked okay.

    The scammers on the other hand... That money should have been transferred twice in the first 24 hours it hit the account.

    First to a neutral uninteresting country, next to an openly uncooperative country.

    At that point it should have been turned into hard money even if it was only .50 on the dollar.

    Lazy stupid scammers

    • z, 31 Oct 2007 @ 1:45am


      If you want to transfer $10 million, I can almost guarantee that the bank will sit on that money for a couple of days (and use it in the meantime).

      Sometimes it takes days to cash a certified check if it exceeds something like $10,000. Let's say you owned your house and sold it. The lender will give you a check. You want to cash it, you better be prepared to wait for a week.
      These transactions are not as fast (for an average Joe) as we'd like them to be.

    • space scooter, 31 Oct 2007 @ 6:02am


      peoplegeek: NO legitimate bank EVER communicates by email to notify you of account changes or required account activity. That person was unbelievably stupid to fall for such a scam. I really hope they were fired.

      • .Net Developer, 31 Oct 2007 @ 6:29am

        Re: Re:

        What world do you live in? My bank legitimately sends me emails when the terms of my account change. Also, if you would actually READ the article, a bank did not send the email. The email looked like it came from employees at a company who said their banking info changed. Yes it is different.

        • Anonymous Coward, 31 Oct 2007 @ 8:40am

          Re: Re: Re:

          What world do you live in?

          Every piece of email I receive from my bank states clearly that I should be aware of fraudulent email and should not give ANY sensitive information through email alone.

          Secondly, it is fantastically moronic to change where you send millions of dollars JUST because SOMEONE sent you an email. To say otherwise means YOU live in some fairy-like, idyllic world, or you're just as stupid as the person who let the 10 million go into another account because an email told him so.

  • Paul, 31 Oct 2007 @ 12:57am


    "Someone at Supervalu followed the instructions" without verifying the authenticity first? DUMB! A non-male of the light coloured hair variety maybe?

  • Stupid Criminals can't follow through

    Just think if they were smart criminals. If they were not so greedy they probably could have gotten away with it if they had tried scamming for a lot less.

    This is just an update of the old scam of mailing a business a fake invoice and see if they send a check.

    I have always thought of pulling off the "greatest scam/con of all time" but then reality sets in and I remember all those prison movies.

    It's hard to find a smart criminal these days.

    • ehrichweiss, 31 Oct 2007 @ 8:42am

      Re: Stupid Criminals can't follow through

      "I have always thought of pulling off the "greatest scam/con of all time""

      Yeah. I just read in the news that someone was caught doing a scam I conceptualized about 10 or more years ago. The reason they got caught? Greed. My idea was that one could drive all over the country pretty much for free by using 2 vans to steal gas from gas stations through the holes they use to fill the gas into the LARGE tanks. Park the vans next to each other so that the rear van is the one pumping and the front one is blocking the view, and use a pump to fill your tank.

      The guys who got caught were greedy beyond all belief, since they decided they wanted to steal 1,000 (maybe 2,000, since they had 2 trucks involved) gallons at a time, which as you can imagine would set off the alarms that warn the station they might have gas leaking into the soil, since it was losing so much so fast without moving through the gas pumps. They deserved it though, because the only reason I can see to steal 1,000 gallons at a time would be to sell it, because even if I filled my 3/4 ton van's 22+ gallon tanks every week, I would barely be done with 1,000 gallons in a year... and gasoline starts to go "bad" after 6 months or so.

      FWIW, I only dream up scams so I can use the ideas to teach people about social engineering AKA people hacking.

  • Kevin, 31 Oct 2007 @ 4:32am

    Re: by z

    I've transferred over 40k between accounts via official bank wire and it's instant.

  • Haywood, 31 Oct 2007 @ 5:06am

    I agree with that

    I got a $20K and my bank planned to sit on it for a week. They released 30% in 5 days, and it took a phone call to the main office bookkeeping to get the remainder in less than 7 days. I could have, however, written checks on it at my risk.

  • Killer_Tofu (profile), 31 Oct 2007 @ 6:20am

    It's Like

    Those phone calls from the police department or fire department saying that they are asking for money. When you mention that the police & fire groups even mentioned on TV that they will NEVER call people house to house like that, the person just becomes uncooperative and suddenly has to go.

    If somebody sent me something mentioning an account change, you can be sure as the sun that I will be calling the company back later to verify stuff, and not at the phone number of the person who just called, either.
    And if it came by email, lol, they can forget it.

  • Overcast, 31 Oct 2007 @ 6:43am

    It so amazes me how much people believe in their email. Email isn't really too far from a wall you spray graffiti on.

    Particularly before writing a check for 10 million bucks....

    I too get statements from my bank in email, I also get bill notices in email - but if my bank sends an email wanting me to change the account number my payroll deposits go into, I think I'll call them about that. Or if I get an email wanting my password - well, too bad. If I were to get a 'notice' from my water company that they changed accounts and to send a $500 bill payment to them using that account, again, I think I'll call first.

    And allowing the admission of email into court is silly. So many people seem to have this notion of how 'secure' email is... Which is funny indeed!!

    I spent a few years as an Exchange admin, and saw a lot of funny stuff. All too often the server would somehow end up with emails intended for other domains, and would kick them into the Non-Delivery mailbox. I guess a DNS glitch or something else would cause that. And anyone with a hint of SMTP knowledge and an open relay can spam away, making it look like it came from whomever they choose. Of course, if one takes the time to investigate the email header, they can tell it's a fraud, but how many do? So yes, depending on the configuration of email servers at each end, someone could send you an email addressed like: - or whatever they choose. Of course a reply might bounce, but often that's not the intention.

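
Added example, not from the post or from the commenter above: the header inspection the comment describes, as a Python script run over two constructed messages. The supplier domains, the receiving MX hostname and the messages themselves are assumptions made for the example. The caveat matters: as the comment says, the From: line costs nothing to forge, and so does every Received: line the sender wrote before the message reached your own server, so only the Received: line your own MX added is trustworthy, and a clean result is not proof of authenticity. It is a filter that catches careless forgeries, not a replacement for confirming a bank-detail change by phone.

```python
# Added example (not from the Techdirt post or its comments): header checks for a
# supplier email that asks to change where payments go. Supplier domains, the
# receiving MX and both sample messages are constructed for illustration.
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed: domains each supplier is known to send from, recorded at onboarding.
KNOWN_SENDER_DOMAINS = {"fritolay.example", "americangreetings.example"}
# Constructed: our own inbound mail server, the only host whose Received: line we trust.
OUR_MX = "mx.supervalu.example"


def domain_of(header_value: Optional[str]) -> str:
    """Domain part of the address in a From:/Reply-To: header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def handoff_host(received: Optional[List[str]], our_mx: str) -> str:
    """Host that handed the message to our MX, taken from the Received: line our MX wrote.

    Received: lines are prepended hop by hop, so the sender controls every line
    below ours; we deliberately ignore those.
    """
    for line in received or []:
        text = " ".join(str(line).split())          # unfold the header
        m = re.search(r"\bfrom\s+([^\s(;]+).*?\bby\s+" + re.escape(our_mx), text, re.I)
        if m:
            return m.group(1).lower()
    return ""


def in_domain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def check_headers(raw: bytes) -> List[str]:
    """Return a list of findings for a raw RFC 822 message; empty means nothing looked wrong."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if from_dom not in KNOWN_SENDER_DOMAINS:
        findings.append(f"From domain {from_dom} is not a known supplier domain")
    origin = handoff_host(msg.get_all("Received"), OUR_MX)
    if origin and not in_domain(origin, from_dom):
        findings.append(f"message reached {OUR_MX} from {origin}, not a {from_dom} host")
    return findings


# Constructed sample: the supplier's From: is kept, but replies go to a webmail
# account and the message reached our MX from a host that is not the supplier's.
SPOOFED = b"""Received: from mail.webmail.example (mail.webmail.example [203.0.113.7]) by mx.supervalu.example; Tue, 30 Oct 2007 09:12:00 -0500
Received: from [198.51.100.23] by mail.webmail.example; Tue, 30 Oct 2007 09:11:40 -0500
From: "Frito-Lay Accounts Receivable" <ar@fritolay.example>
Reply-To: ar.fritolay@webmail.example
To: payables@supervalu.example
Subject: Updated remittance instructions

Please direct all future payments to our new account.
"""

# Constructed sample of what a message from the real supplier's server looks like.
LEGIT = b"""Received: from smtp.fritolay.example (smtp.fritolay.example [192.0.2.10]) by mx.supervalu.example; Tue, 30 Oct 2007 09:12:00 -0500
From: "Frito-Lay Accounts Receivable" <ar@fritolay.example>
To: payables@supervalu.example
Subject: Remittance advice

Thank you for your payment.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, check_headers(raw) or ["no findings"])
```

The Reply-To check is there because a forger who cannot read mail at the forged address usually needs replies to come somewhere else; the handoff check is there because an open relay or a webmail account does not sit inside the supplier's domain. Both are easy for a careful attacker to satisfy, which is why a clean result only earns the message a place in the normal callback workflow.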
  • yo-yo, 31 Oct 2007 @ 6:57am

    Transferring Money

    I work at a bank as a manager in commercial lending, but I have to take compliance training each month. Each year, I have to repeat it. I know that if your transactions are less than $10,000 the bank will not even blink. Let me take that back, if you have frequent transactions just below $10,000 - then the bank will file a SAR (Suspicious Activity Report) with the Feds. Then you are screwed. Also, just the other day, we had someone wire in $55,000 into an account they opened online and try to wire out $50,000 the next day. Did my people release it? Of course not. They checked with the other banks involved and found out that it was fraud. The crooks never got their money...

    So, one transaction under $10,000 is fine, but if it looks like you are structuring, you are busted. And, if it is over $10,000 - it has to pass the "smell test" before they release it. Usually that means that they have to be familiar with you. Anything online is going to "smell fishy" to most banks. Bankers are scared to death of losing money. Everyone knows that.

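
Added example, not from the post or from the commenter above: the two patterns the comment describes, written as detection logic in Python over constructed transactions. A single transaction at or above the $10,000 figure the comment cites gets a "file the report" flag; a run of deposits kept just under it inside a short window gets a structuring flag. The $10,000 figure comes from the comment; the "just under" band, the window length and the count that triggers a flag are hypothetical tuning values, and the accounts and amounts are constructed.

```python
# Added example (not from the Techdirt post or the comment it follows): flag a
# single transaction at/above the reporting threshold, and a run of transactions
# kept just under it. The threshold is the $10,000 figure in the comment; the
# band, window and count are hypothetical, and the transactions are constructed.
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

THRESHOLD = 10_000           # reporting threshold, as in the comment
NEAR_MISS_FLOOR = 9_000      # hypothetical: 9,000 to 9,999 counts as "just under"
WINDOW = timedelta(days=7)   # hypothetical look-back window
MIN_NEAR_MISSES = 3          # hypothetical: this many in one window triggers a flag

Txn = Tuple[str, date, int]  # (account, booking date, amount in dollars)


def flag_transactions(txns: List[Txn]) -> Dict[str, List[str]]:
    """Return {account: [reasons]} for accounts that need a report or a review."""
    flags: Dict[str, List[str]] = defaultdict(list)
    near_misses: Dict[str, List[date]] = defaultdict(list)
    for account, day, amount in txns:
        if amount >= THRESHOLD:
            flags[account].append(f"{day}: {amount} at/above threshold, file the report")
        elif amount >= NEAR_MISS_FLOOR:
            near_misses[account].append(day)
    for account, days in near_misses.items():
        days.sort()
        start = 0
        # sliding window: do MIN_NEAR_MISSES near-misses fall within WINDOW of each other?
        for end in range(len(days)):
            while days[end] - days[start] > WINDOW:
                start += 1
            if end - start + 1 >= MIN_NEAR_MISSES:
                flags[account].append(
                    f"{days[start]}..{days[end]}: {end - start + 1} deposits just under "
                    f"threshold, possible structuring")
                break
    return dict(flags)


# Constructed sample: A structures, B trips the threshold, C and D are unremarkable.
D0 = date(2007, 10, 29)
SAMPLE: List[Txn] = [
    ("acct-A", D0, 9_800),
    ("acct-A", D0 + timedelta(days=1), 9_700),
    ("acct-A", D0 + timedelta(days=3), 9_900),
    ("acct-B", D0, 15_000),
    ("acct-C", D0, 9_500),
    ("acct-C", D0 + timedelta(days=20), 9_500),   # two near-misses, weeks apart
    ("acct-D", D0, 4_000),
]

if __name__ == "__main__":
    for account, reasons in flag_transactions(SAMPLE).items():
        print(account, reasons)
```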
  • Anonymous Coward, 31 Oct 2007 @ 7:05am


    So you're telling me that if I configure Outlook Express to fake my email address to say, one of Walmart's suppliers, and then send Walmart an email telling them their supplier's bank account or mailing address changed... then I could become rich overnight...

    Wow. It sounds like that somebody at Supervalu must be a college graduate, because they're lacking common sense and are using common stupidity to operate.

    Elbert Hubbard once said: "Genius may have its limitations, but stupidity is not thus handicapped."

  • datadefender, 11 Nov 2007 @ 12:41am

    The only effective mitigation is electronically signed email. Virtually all email programs have the software built in already; all you need is a digital certificate that attests your identity. You get them at, and many other certificate authorities.
