by makeitdouble 871 days ago
Where it hurts is it can be a PITA to get hold of the CFO from the mere employee side, especially as the CFO was UK based.

Basically, it was a well thought out and well executed scam that perfectly fit the employee's situation.

2 comments

The CFO was on the call. You just say "cool I'm sending a 4 digit code to your mobile phone, read it back to me".

The CFO already separately sent him a message before the call, and I wonder if they'd get access to the CFO's number in a central directory (leaving aside the fact that you're asking to message them while they're live "in front" of you).

If the CFO gave a number on the call, it also wouldn't be much of a check.

I think the real improvement would be to have the CFO file a ticket, but obviously that company was used to playing it loose and fast.

With $25 million on the line, I'd argue that the company could afford an airline ticket to fly to the UK and back to verify in person.

They might be able to afford the ticket price, but not the time it takes to fly to the UK. Some things are time-sensitive.

It would detect number spoofing. Spoofing is easy, hacking phones is hard(er).

> it can be a PITA to get hold of the CFO from the mere employee side

I'm guessing that someone who can authorize a $25M transaction is fairly high up in the corporate hierarchy, not that many levels away from the CFO.

For a finance worker I actually wonder how much it means to transfer $25M.

I have no idea, but I suppose moving funds from one subsidiary to another, for instance, wouldn't be for a few thousand only, and he's seeing money fly around day in, day out. Would it feel the same as an infra engineer rebalancing a few million accesses from one cluster to another?