by bartlettD 763 days ago
> According to police, the worker had initially suspected he had received a phishing email from the company’s UK office, as it specified the need for a secret transaction to be carried out. However, the worker put aside his doubts after the video call because other people in attendance had looked and sounded just like colleagues he recognized.

Regardless of the sophistication of the deepfake, surely this rings huge alarm bells, right? I'm not even sure I'd be comfortable making secret transactions on instruction from my boss. Even if your boss is actually asking you to do this, how can you have the financial authority to transfer $25M and not the savvy to think that being asked to transfer huge amounts of money in secret isn't going to result in you getting thrown under the bus?

8 comments

The scammers usually have a slightly unusual, but plausible (and urgent) story.

For example, that they've just closed a deal to buy a startup - a negotiation which was of course conducted in secrecy. It's a startup in another country, which is why we're all out of the office. Timezones are why you've received the request outside of normal working hours. And we've got to, um, close the deal so we can announce it outside of stock market opening hours, for both countries. To close the deal we've got to pay 10% of the 250M purchase price upfront. If you can't get this done within 2 hours the deal will fall through.

Secret doesn't mean illegal. Unless something is illegal, this guy doesn't have any input and it's up to the auditor to verify the legitimacy of the transactions.
Big transactions happen and it’s some people’s jobs to execute them
"in secret" is the issue
I guess a scammer can sell it as "we're buying something significant [another company?], this will affect our share price if the info goes out, so you need to sign this NDA and keep this quiet, you're only 1 out of 10 people who knows this...".

They could also sell it as payment for an e.g. consulting firm for the above secret deal...

Secret doesn't mean they can't use internal authenticated communication channels, at the very least to send a redacted confirmation.
Most people historically would consider a video call with the person to be sufficiently authenticated. Yeah, that has changed obviously, but it has changed like today.
No, not today. This has already happened a few times. And even before it happened people warned about this predictable use of the technology. There has been enough time to update policies. Even $employer already did, and I consider their security policies so-so.
You can send out free zoom and Google meet links.

Idk if most people would tell the difference

Arup is a private company
"Confidentiality" is entirely normal; since many deals such as takeovers rely on your competitors not knowing until it's happened, it's not unusual for this information to be restricted within the company on some sort of need-to-know basis.

Authenticating transactions is going to be an increasing problem in the presence of deepfakes, though.

There are many secrets in business, especially in real estate.

Found out, from some "unnamed source" that there will be a new bus stop and a new Aldi store across the street from a building where some apartments are for sale? Don't mention it to anyone, secretly buy them, because their value will go up a lot, and do it discreetly, so other companies don't notice.

That should be classified as corruption/insider trading and punished as such.

In my country that's how politicians and their friends get filthy rich. They know ahead of time where a new highway will be planned so they buy up all the rural land in that area for cheap so that the government will have to buy it from them at inflated prices to build the highway. Then, if a new government comes to power before the highway starts construction and realizes they don't have any land where the highway will be built, they cancel the project and re-plan it on another route so that this time they can be the ones getting a cut. So this keeps getting repeated and the country ends up with no highways, but at least some people get obscenely rich.

Insider trading is only when you're the insider. If you happen to walk past a geodetist (land surveyor?) on the street measuring something, ask him what'll be built there, and he tells you, you're still not the insider.

Otherwise I agree, but in my country they do it differently,... government needs a building for X, someone close to someone in the government buys it for eg. 2mio eur, holds on to it for a year or two, before a tender comes out (governments are slow), and 'coincidentally' that building is the best match and the government buys it for eg. 7mio eur from that guy. (and then they split the difference).

Insider Trading is not even a crime (in the US). You can buy and sell stock for companies you have a relationship with, whether it's employer/employee or a contractual relationship.

The actual crime is using "Material Nonpublic Information" [1] and it does not matter how you obtained it. So, asking an employee what they're building and they ignore the confidentiality agreement to tell you - Nonpublic. Stalking surveyors from public land to find the lots they're commonly around - public.

[1]: https://www.investopedia.com/terms/m/materialinsiderinformat....

If your business is easily (commonly?) going to wire $25M across 15 transactions you should have a process in place. This is pretty much the whole point of multi-factor; although I'd argue you want the multi to really represent two people. The requester attests that "yes I want $25M" and the sender attests that "yes I am this person".

The wild west ways of the banking sector are finally catching up to them.

I co-own a lot smaller company, so it was more in a range of 4 figures (euros), but more than once I've been in a situation where I've just signed a deal for some business with some company, called one of the 'hardware guys' from the car (external companies that eg. import hardware, are distributors for Lenovo/Dell, whatever), got an offer for a set of hardware that we needed (a few servers, etc.), forwarded the email to our CEO, called him (without faked AI voice in my case... for now), told him "pay this today, so we can get them by the end of the month", and he did.

If someone knew I was negotiating some business that day, phished an email with whatever account number he wanted and AI faked my voice, he'd get the money transferred.

So yeah... another thing to worry about.

It would be nice if the article had additional details.

Did the email come from within their own domain? Like a properly set-up domain isn't going to let you spoof their employees so your emails to the CEO will be authoritative since they came from the correct domain (assume your CEO checks it's ycombinator.com and not ycombimator.com).

At 4k though I suspect it's not that worthy of a target when you can do the same effort to net 25 million. Although I'm a bit surprised there isn't some internal page to add/remove the hardware requests so that it can be easily accounted for by accounting.

It's a bit surprising that Aldi (and other supermarket chains) generally don't invest in residential real estate.
Over half of Aldi's locations actually belong to them [1]. Keeps them safe from the usual landlord racket.

[1] https://www.lebensmittelzeitung.net/handel/nachrichten/immob...

I think OP meant more in a way, where Aldi would buy apartments near their new store, since having an Aldi nearby raises real estate prices (in some specific cases of course).
Who knows, maybe they do :)
That really would be insider trading.
Does insider trading apply to real estate in the same way that it does to securities?

It doesn't seem so different to any mixed-use project where a developer might construct a tower that is partly residential, partly commercial. Pretty sure a lot of large companies purchase residential around any major new HQ they intend to open, too.

Doesn't SAP have a workflow for that?
Maybe high-up workers are asked to do secret/illegal stuff more often than we think.
> Regardless of the sophistication of the deepfake, surely this rings huge alarm bells, right?

It's a company with revenues of a couple of billion and that probably subcontracts thousands of other companies on projects around the world. The finance department is probably sending similar payments regularly.

Most payments will be "secret" in that the amounts won't be made public to employees that don't need to know. The company may, for example, be repeating work that has already been done in-house so doesn't want it known in-house what companies are being paid.

I've heard this happening for a local company with about £9 million with a similar email scam. Supposedly, the person who transferred the money was competent and clever. With that amount of money, saying you don't need to ask questions, in part, is very convincing.
Yeah, this would at least cause me to email my boss and say "Can you just confirm, you want me to transfer $25 million to this account? I'll hold off until you give me confirmation in writing"

Hell, I do this if our tester hasn't managed to go over some aspect of our release. That way I get in writing from the product owner that he has OK'd it, and if he sends me a Teams message I ask him to email me confirmation.

Reminds me of that old urban legend about the trader who ordered the coal futures that eventually showed up as actual coal. In that story there's always an element where the subordinates who have to carry out the transactions have been abused to the point of never questioning his decisions.
There is a very well written version of this from many years ago on the Daily WTF:

https://thedailywtf.com/articles/special-delivery

It is written well enough that I could just about convince myself this actually happened!

Yep sometimes I go so far as printing the email and sticking it in a meatspace folder on my desk. Just depends on how important that sign off really is and the consequences of not being able to produce it.
If you are a boomer company that does not know how online works, then you can also afford boomer-style business class flight tickets to do a secret $25M transaction face-to-face.