October 22, 2007

Supervalu Gets Scammed

By George Anderson

Supervalu was the target of an email scam that resulted in the company sending just over $10 million to bank accounts it believed belonged to American Greetings and Frito-Lay.

According to an Associated Press report on documents obtained from the U.S. District Court for the District of Idaho, Supervalu was contacted by someone who claimed to be an employee of American Greetings and later Frito-Lay. The person requested Supervalu send funds to new accounts established by the companies.

Supervalu sent more than $6.5 million to the account it believed belonged to American Greetings and $3.6 million to the fake Frito-Lay account. Within days of transferring the money, Supervalu realized its mistake and contacted the Federal Bureau of Investigation (FBI), which was able to capture the money before the criminal(s) could access it.

While it may have appeared as though Supervalu could just breathe a sigh of relief and move on, the real American Greetings and Frito-Lay have laid claims to the funds along with the wholesaler/retailer. The U.S. District Court is now in the process of deciding who should get the money.

Discussion Questions: What do you make of this story and what are its implications for the broad retailing community? Also, what do you see as the implications for suppliers arising out of this case?

11 Comments
Mark Burr

I feel very bad for Supervalu that the story even went public. I wonder where their A/P team is working now? It’s so unbelievable that it’s unbelievable.

Pradip V. Mehta, P.E.

I am really surprised that Supervalu did not check with the second and third levels of supervisors of the individual(s) who asked them to transfer money. Surely, accounting/finance people in Supervalu must have some contacts with real employees at appropriate levels in both of the companies in question.

Mark Lilien

It isn’t unusual for retailers to be scammed through their accounts payable departments. Embezzlement by a retailer’s own a/p staff occurs frequently, without any use of advanced technology or the internet. It wouldn’t be appropriate for RetailWire to publish the simple ways a/p fraud is perpetrated; however, it is critical for every retailer to examine their a/p procedures and perform rigorous audits. The auditors should look at procedures, not just past transactions, and the auditors should be experienced in fraud detection. Furthermore, the retailer should use different fraud auditors from time to time, to get fresh points of view.

Paula Rosenblum

I’m speechless.

This type of scam pre-dates email and goes all the way back to the fax machine (I seem to recall Nigerian Ministers of Finance sending emergency faxes).

I suppose the lesson learned is, “pay attention to the sender address on emails.”

I really am speechless.

Laura Davis-Taylor

This kind of incident really is unfortunate, as it creates yet more fear in the hearts and minds of those responsible for IT development and risk management. We are pushing for technological innovation on one side and this fear is mounting on the other. It certainly doesn’t make evolving the store infrastructures and both internal and external functionalities much easier. However, at least it points to the need to set up our systems to be as rock solid as possible.

I find the issue of Frito-Lay and American Greetings laying claim to the funds a bit perplexing and didn’t understand it any better reading the article link. Interesting….

J. Peter Deeb

This story emphasizes once again the need for training inside companies. In this day and age every company should have an airtight verification system for both Accounts Receivable and Accounts Payable transactions. That policy needs to be integrated into a training program that ensures compliance in this critical area.

Edward Herrera

I just had my bank receive a fax from my company to transfer $10,000 to an account in Asia. The bank thought it odd that it received multiple requests to send money and contacted my office manager to confirm. The fax had all the right stuff including letterhead and my signature. I thought faxing was creative because it was old school. Banks will need to be the gatekeeper to our money.

Liz Crawford

This is fascinating. It seems that corporate identity theft is much more lucrative than consumer identity theft, although harder to get away with, no doubt.

The checks and balances to prevent commercial fraud are legacies of the 19th century and are inadequate for today’s morphing trade practices. Newer, more flexible systems (including encryptions with fast-healing recovery) will need to be established.

Gregory Belkin

This story reminds us once again of the consistent threat to not only consumers and their identities, but to everybody in the retail value chain. It is heartening to see that, in this case, the issue was resolved before it was too late, but for every good ending, there are two or three more unfortunate stories to tell.

Retailers, suppliers, and manufacturers must make security more of a priority than it already is. This security must extend further than just the customer, and further than just data. It must be enterprise-wide and process-wide.

The analyst community has done a good job in uncovering these issues. Steve Rowen from Retail Systems Research (www.retailsystemsresearch.com) has done some great analysis on these topics. Good reading.

M. Jericho Banks PhD

Where were the adults when this was happening? While we’re empathizing and sympathizing, can’t we ask the right question?: Who’s in charge here? In our society’s efforts to be unintrusive and gently nondirectional–especially with our children–no one wants to step forward and take control. We beat feet away from confrontation–after all, it requires intestinal fortitude. If a situation is under control, it’s under control. If it’s out of control, steps need to be taken. People who take those steps are labeled “control freaks” by the safely uninvolved who are in the process of beating feet. Thus, many of us avoid stepping up to take control, instead passing the responsibility along to the mythical “someone else” who somehow never shows up. Afraid of being labeled, I suspect, and that’s how situations like this happen.

David Livingston

Supervalu definitely was suckered. Bad things like this can happen especially after there has been a huge acquisition. This is when companies will have their guard down while they go through the learning curves of absorbing a new acquisition. Current and former employees who know where the weaknesses are can sometimes penetrate those vulnerable spots. My guess is that someone knew who was vulnerable in accounts payable by having some inside knowledge. Someone was really bold by going for such a big score. Generally thieves will go for smaller amounts that will go under the radar. I’m wondering two things. Did Supervalu really recover the money before the criminal(s) could access it? Or was this comment made just to prevent poor morale? And just how much does Supervalu, or other retailers, lose each year by being scammed by smaller, less noticeable amounts?
