$2.1 million stolen with clever social engineering

An unnamed fraudster managed to steal $2.1 million from a hospital chain’s Wells Fargo Bank escrow account by faxing a money transfer request signed with a copied-and-pasted signature he had taken off the Internet.

The brazen theft was pulled off ingeniously, but the biggest share of responsibility for its success seems to lie with the Wells Fargo escrow agent who authorized the transfer without thoroughly checking the legitimacy of the requests.

To understand what happened, you must know that Catholic Healthcare West, the hospital chain in question, signed a contract with Merced County, California, to operate a medical center in the San Joaquin Valley.

To do that, the chain had to maintain an escrow account with $7.5 million in it. At the same time, it decided to change banks, but needed the approval of the county’s Board of Supervisors to do so. The board did approve but, unfortunately, the county put a partial copy of this agreement on its official website, complete with the signatures of the chain’s CFO Michael Blaszyk and the Merced County Director of Public Health Tammy Chandler.

Armed with the name of the bank where Catholic Healthcare West had the account and the name and signature of the chain’s CFO, the fraudster put the plan in motion in December 2011, Forbes reports.

First, he faxed a request for Wells Fargo to wire $445,000 from the chain’s escrow account to one at HSBC bank in New York. Although “signed” by Blaszyk and Chandler, the transfer was denied because the account at HSBC was nonexistent.

The escrow agent moved to check with HSBC why the request was rejected – or so he thought. Unfortunately, he called the number for the bank that he took from the fax, and got an answering machine. The number actually belonged to the fraudster, who called back after a short period of time, posed as Blaszyk, and told the escrow agent to ignore the wire transfer request.

A week later, the fraudster tried again. This time, a request was made for the same amount to be transferred to an account under the same name at a bank in Hong Kong. Again, the request was rejected on the same grounds.

Almost a week later, the escrow agent received a third wire transfer request: to send $989,000 to an account in the name of Textil Trading UK Limited at another bank, the Standard Chartered Bank in Hong Kong. This time, the account existed, the request was approved and the money was transferred.

Seeing that the scheme was finally successful, the fraudster tried three more times. The first request was denied because the transfer of the amount requested would require the bank to sell securities, and the fraudster didn’t indicate which ones. The second one hit another jackpot, and $1.1 million was wired to the Hong Kong account.

And the third one – a request for a transfer of $2.2 million – was when the escrow agent began to suspect something was wrong. He finally called Catholic Healthcare West and found out that all the earlier requests were not sent by them.

Wells Fargo has since reimbursed Catholic Healthcare West for the stolen money, and has engaged a legal team to try to get the stolen money – or what is left of it – back from the Hong Kong account. They are also working with law enforcement on finding the individual(s) behind the fraudulent scheme.

It is a given that the escrow agent should have been more careful when checking whether the requests were legitimate, but I can’t help but wonder whether putting that (partial) agreement signed by Merced County and CHW online for everybody to see was really necessary.

In this day and age, when anyone can search and find almost anything on the Internet and use the information for social engineering attacks, I believe we all should be more careful about what really needs to be online. This particular example just goes to show that fraudsters don’t need much – just good googling skills and the knowledge of how to use the information they find.
