Icon (Close Menu)


Be Careful Out There (Gwen Moritz Editor’s Note)

4 min read


We'd also like to hear yours.
Leave a comment below, tweet to us @ArkBusiness or email us

We don’t put bylines on items in our ever-popular Whispers column, but it was Senior Editor Mark Friedman who got the scoop last week on a $2.4 million scam perpetrated against the Arkansas Department of Transportation.

The U.S. attorney’s office typically sends out press releases on newsworthy indictments — a demoralizing number of them concern child pornography — but no release was issued after the July 7 indictment of Shelly S. Singhal of Newport Beach, California. Instead, Friedman found it the old-fashioned way — by perusing the federal court docket.

It’s a particularly useful case for business executives to consider since it involves a simple, unsophisticated and yet exceptionally effective form of fraud, and any business that pays employees or vendors is vulnerable.

Singhal is accused of impersonating an employee of Crossland Construction Co., a Kansas highway contractor, when in 2016 he requested that ArDOT route payments for work done on three highway projects to a new banking account. The hardest part was filling out a direct-deposit authorization form with a canceled check (or something similar) to verify the new account.

During the next five weeks, ArDOT issued nine checks to Crossland totaling $2.4 million, but the money was deposited into the new account, the one prosecutors say belonged to Singhal. Finally a real Crossland employee called to complain about not being paid, and the fraud was discovered.

Clearly, ArDOT’s procedure for changing vendor accounts was not robust enough, but it’s good to remember that this all happened four years ago. I think most of us have become more sensitive to how pernicious these innocuous-sounding scams can be, whether they originate by phone, which is how Singhal first contacted ArDOT, or by email.

Singhal doesn’t seem to have been a criminal mastermind, and that’s the good news. Most of the money was easily traced and recouped. As of last week, only $316,000 — money Singhal allegedly wired to a friend in Spain — had not been recovered.

In February 2019, Friedman reported on a similar case that happened in 2018 to the Happy Egg Co. of Rogers. A customer in Massachusetts fell nearly $1 million in arrears after someone impersonating a Happy Egg employee sent an email with instructions to pay a new account number. When it is accomplished by email, this kind of fraud is known as BEC — business email compromise.

Unlike the old “Nigerian prince” scams, these new BECs don’t depend on sending out millions of emails in hopes of finding one greedy sucker. These new scammers do their homework. They research an organization and customize their requests. Sometimes that’s as simple as finding out the name of a highway contractor that has current projects underway.

But sometimes it’s more devious. When I was treasurer of a national association of business publishers, I was targeted by emails (and even text messages) that appeared to be from the president and the executive director. I was asked to write a check to a vendor, even though I did not have custody of the organization’s checkbook, or to buy gift cards and be reimbursed. When I became president of the organization, the new treasurer received similar emails that purported to be from me.

Our company has invested in training to spot spoof emails, but there are other techniques to be on the lookout for. Earlier this month, I received an email from a lawyer in northwest Arkansas that said:

“You have received a secure message from [lawyer’s name].

“This message is encrypted in order to protect sensitive information.

“To retrieve this message, simply click where it says ‘SecureMessage’ above and click ‘Read Message’ button.”

Then it helpfully added, in italics for emphasis: “No registration is required.”

It appeared to come from the actual lawyer’s actual email address, and it even had what looked like an actual signature block at the end. But I didn’t click. Instead, I wrote back:

“I’m scared to click on things in emails like this. Can you just paste the message in a reply email?”

The lawyer’s response:

“I was hacked, sorry. Do not open and delete.”

As of this month, I am the immediate past president of the Alliance of Area Business Publishers. The celebration is widespread.

Gwen Moritz is the editor of Arkansas Business.
Send this to a friend