Sports team nearly paid a $1.25m transfer fee… to cybercrooks – Naked Security | #employeefraud | #recruitment | #corporatesecurity


If you were about to spend more than a million dollars, how careful would you be about where you sent the money?

More importantly, how would you check with the recipient of the money – and how would they check with you – that both ends of the transaction were lined up correctly, with no treachery in between?

It’s quite likely you’d have been emailing them back and forth for some time, negotiating the deal, agreeing terms and finalising payment…

…and therefore it’s quite likely that you’d email each other one last time before it all went through.

And if there were a last-minute change in payment details, you might be really relieved to hear about that, especially if the deal were time-critical, like a house purchase, a stock offer…

…or a £1,000,000 payment as part of a player transfer in the English Premier League – the richest soccer competition in the world, and the most-watched sports franchise on the planet. (Probably, although NFL, NHL, MLB and IPL fans may wish to disagree.)

After all, transfer windows are short, and transfer negotiations are complicated, so a payment that failed to go through at the last step could ruin a deal that had been months in the offing.

Well, according to a report entitled The Cyber Threat to Sports Organisations, released today by the UK’s National Cyber Security Centre, that almost happened, except that the new account number was fraudulent and rather than saving the deal at the last minute, the club would have lost the lot.

Apparently, one of the UK’s top football clubs – the report doesn’t say which one – almost paid out £1m ($1.25m) to crooks after a genuine-looking but fraudulent email convinced the club to nominate a new account to receive the funds.

Fortunately, the club’s bank flagged the transaction as suspicious, provoking further investigation and uncovering the scam.