Investment fund loses $6 million in BEC scam, suspends operations

Victim says fund administrator ignored internal policies and assisted scammers by fixing errors


A lawsuit filed on Friday by Tillage Commodities Fund alleges that SS&C Technology showed an egregious lack of diligence and care when it fell for an email scam that ultimately let hackers in China loot $5.9 million.

Tillage says not only that SS&C failed to follow its own policies, which enabled the theft, but that it actually assisted the criminals by fixing transfer orders that had initially failed.

The lawsuit was filed early Friday morning, and the documents were posted online by the law firm representing Tillage in the case.

"That SS&C is outside the purview of regulatory scrutiny and attempts to contractually exculpate itself from all but intentional wrongdoing creates a real issue for the whole industry," said Lisa Solbakken, managing partner of Arkin Solbakken & counsel to Tillage.

CNBC covered the basics, but reading the allegations, it's clear that this case isn't just about the theft; it's about a systemic breakdown in corporate policy with regard to data and asset security.

According to SS&C, which was the administrator for Tillage's fund, access to customer financials and information is "restricted and is controlled by identification, authentication and authorization control processes that are based on least privilege, need-to-do, need-to-know purposes."

Tillage turned to SS&C to act as an independent third-party administrator for its fund. It did so because of the claims made by SS&C that it "own[s] and maintain[s] the best technology in the industry" and that as administrator, SS&C "assumes the operations, staffing, and systems risk from the fund."

SS&C has internal guidelines directed towards detecting and defending against Business Email Compromise scams. Employees are told to check all the usual email fields (e.g., To:, CC:, From:, etc.) for signs of fraud or spoofing.

In addition, SS&C required that four people sign off on transfer requests from the Tillage fund, and asked that Tillage verify disbursements either by attaching an invoice to support the expense or, in the case of a redemption, by providing redemption letters and instructions from fund investors.

As documented, the security policies that were in place should have prevented BEC attacks, but beginning on March 3, 2016, every one of those policies failed.

Around that time, scammers targeting Tillage's bank account started requesting transfers to the Hong Kong bank account of a "vaguely identified" technology company.

The scheme was amateurish, the lawsuit says, including the use of an email account that spelled Tillage with three 'L's instead of two, something that should have been spotted. Further, the emails contained "awkward syntax and grammatical errors – which were wholly inconsistent with prior Tillage communications – and which were entirely unclear in substance."

For example, one of the emails stated simply:

Can you please process the attached International Business Establishment.

We are funding HAORAN TECHNOLOGY LIMITED.

Please leave me a mail to confirm this and that the wire will go out today.

Tillage says that three of the six fraudulent transfer requests referred to wiring money to investors, which implies a fund redemption, yet they were processed without the required redemption letters. Moreover, the intended recipients were not investors in the Tillage fund at all.

There were other policy failures, including transfer requests that lacked the required CC recipients, but the largest deviation was that the transfers went to foreign entities with which Tillage had no existing relationship.

The Tillage fund had never wired money outside of the U.S. SS&C had processed more than sixty legitimate wire requests for the Tillage fund since 2014, so the administrator would have known what the fund's normal day-to-day transactions looked like.

What about the policy to have four employees sign-off on a transfer? The lawsuit says that protocol was ignored.

"SS&C’s formal wire approval process as described above requires four employees to sign off before the release of the wire. Yet, records indicate that the fraudulent wire request for $1.5 million processed by SS&C on March 16, 2016, was released at 1:18 EST – a time before the time stamp showing the approval of the last two of the requisite four SS&C employees," the complaint states.

Over twenty-one days, SS&C processed six fraudulent transactions, draining the Tillage fund of $5.9 million.
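The controls the complaint describes (a trusted sender, required CC recipients, a redemption letter for investor payouts, an invoice for expenses, no unknown foreign beneficiaries, and four distinct approvals stamped before release) are all mechanically checkable. As an added illustration, not SS&C's or Tillage's code and not part of the original article, the block below encodes those controls as a single gate on a wire request and runs it over two constructed requests: one modelled on the fraudulent pattern the lawsuit describes (lookalike sender domain, no CC, foreign beneficiary, approvals time-stamped after release) and one that satisfies every rule. Every domain, address, name, allowlist and time stamp is constructed for the example.

```python
"""Policy gate for outgoing wire requests (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed allowlists; a real deployment would load these from the fund's records.
TRUSTED_SENDER_DOMAINS = {"tillage-example.com"}
REQUIRED_CC = {"wires@tillage-example.com"}
KNOWN_INVESTORS = {"Alpha Capital LP", "Beta Pension Trust"}
KNOWN_BENEFICIARIES = KNOWN_INVESTORS | {"Prime Broker LLC"}
HOME_COUNTRY = "US"
REQUIRED_APPROVERS = 4


@dataclass
class WireRequest:
    sender: str                             # From: address on the request e-mail
    cc: Set[str]                            # CC: addresses on the request e-mail
    beneficiary: str                        # payee named in the wire instructions
    beneficiary_country: str                # ISO 3166 alpha-2 code of the receiving bank
    purpose: str                            # free text of the request
    redemption_letter: bool                 # signed investor redemption letter attached
    invoice: bool                           # invoice attached for an expense wire
    approvals: List[Tuple[str, datetime]]   # (approver, time stamp) per sign-off
    release_time: Optional[datetime] = None # when the wire actually went out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one extra letter ('tilllage' vs 'tillage') scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates within two edits, or None."""
    for trusted in TRUSTED_SENDER_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def policy_violations(req: WireRequest) -> List[str]:
    """Codes of every control the request fails; an empty list means it may be released."""
    v = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    if domain not in TRUSTED_SENDER_DOMAINS:
        v.append("LOOKALIKE_SENDER" if lookalike_of(domain) else "UNTRUSTED_SENDER")
    if not REQUIRED_CC <= {a.lower() for a in req.cc}:
        v.append("MISSING_CC")
    text = req.purpose.lower()
    if any(w in text for w in ("redemption", "redeem", "investor")):
        # Money going "to investors" is a redemption: letter required, payee must be an investor.
        if not req.redemption_letter:
            v.append("REDEMPTION_WITHOUT_LETTER")
        if req.beneficiary not in KNOWN_INVESTORS:
            v.append("BENEFICIARY_NOT_AN_INVESTOR")
    elif not req.invoice:
        v.append("NO_INVOICE")
    if req.beneficiary_country != HOME_COUNTRY and req.beneficiary not in KNOWN_BENEFICIARIES:
        v.append("UNKNOWN_FOREIGN_BENEFICIARY")
    if len({name for name, _ in req.approvals}) < REQUIRED_APPROVERS:
        v.append("INSUFFICIENT_APPROVALS")
    if req.release_time is not None and any(t > req.release_time for _, t in req.approvals):
        v.append("RELEASED_BEFORE_APPROVAL")   # the time-stamp ordering the complaint cites
    return v


def fraudulent_request() -> WireRequest:
    """Constructed request echoing the pattern described in the lawsuit."""
    t = datetime(2016, 3, 16, 13, 0)
    return WireRequest(
        sender="cfo@tilllage-example.com",        # three Ls, constructed lookalike domain
        cc=set(),
        beneficiary="HAORAN TECHNOLOGY LIMITED",
        beneficiary_country="HK",
        purpose="Can you please process the attached International Business "
                "Establishment. We are funding HAORAN TECHNOLOGY LIMITED.",
        redemption_letter=False,
        invoice=False,
        approvals=[("a", t), ("b", t.replace(minute=10)),
                   ("c", t.replace(minute=30)), ("d", t.replace(minute=45))],
        release_time=t.replace(minute=18),        # released before two of the four sign-offs
    )


def legitimate_request() -> WireRequest:
    """Constructed request that satisfies every control."""
    t = datetime(2016, 3, 1, 10, 0)
    return WireRequest(
        sender="cfo@tillage-example.com",
        cc={"wires@tillage-example.com"},
        beneficiary="Alpha Capital LP",
        beneficiary_country="US",
        purpose="Investor redemption per the attached redemption letter.",
        redemption_letter=True,
        invoice=False,
        approvals=[(n, t.replace(minute=m)) for n, m in zip("abcd", (5, 10, 15, 20))],
        release_time=t.replace(minute=30),
    )


if __name__ == "__main__":
    print("fraudulent:", policy_violations(fraudulent_request()))
    print("legitimate:", policy_violations(legitimate_request()))
```

The point of wiring the checks together is that the gate, not an employee's judgement, decides whether the wire goes out: a release that precedes the fourth approval is rejected outright rather than showing up later as an inconvenient time stamp in a complaint.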

But there's more to this story. The lawsuit says that not only did SS&C fail to stop the theft, it assisted the criminals behind it by fixing flawed wire instructions.

"As if these failures were not enough, SS&C actively and inexplicably assisted the perpetrator of this fraudulent scheme, by helping the perpetrator correct and clarify his or her initially flawed wire instructions," the lawsuit explains.

"In particular, the first fraudulent email of March 3, 2016 had directed that funds be wired directly to a company called 'Haoran Technologies' and its account at Hangseng Bank in Hong Kong. Tom Martocci worked with other SS&C employees to amend and help correct the transaction, adding HSBC Hong Kong as the correspondent bank, and moving Hangseng Bank to be named the beneficiary bank."

When those adjustments didn't correct the transfer problem and the wire was once again rejected, the lawsuit alleges that SS&C employees communicated this failure to the scammers, who amended the instructions and had funds wired to 'Away Technologies' via an account at HSBC Bank in Hong Kong.

"SS&C also neglected to tell the Hong Kong police about its cooperative actions with the fraudster and how the wire recipients were changed through this communication. But for SS&C’s 'help,' the fraudster's effort to steal from SS&C's client would have been thwarted," the lawsuit adds.

SS&C didn't notify Tillage about any possible fraud until March 24, two days after they started an investigation into the transfers. The lawsuit also accuses SS&C of making false statements to Hong Kong police that the transfer requests were made by known Tillage contacts, and that said requests were accompanied by signed letters of authorization.

The lawsuit is seeking $10 million in damages, as well as other punitive damages and legal fees. Salted Hash has reached out to SS&C for comment, and we'll update this story should they respond.

But the lesson here, assuming everything outlined in the lawsuit is true, is that procedures and policies are great, and they might even work – but only if they are followed and enforced. Otherwise, they're just pieces of paper with words and boxes to check when compliance time comes around.

Updated on 9/19 2:15pm with comment from counsel to Tillage.

Copyright © 2016 IDG Communications, Inc.
