A Texas man who got Conde Nast to pay him $8 million last year by sending a single email has relinquished the money, a first step toward giving it back. It's unclear whether he'll face any charges, but the agreement he signed with a Manhattan court is distinctly not an admission of guilt, reports Forbes's William T. Barrett.
Barrett broke the story on April 3 in a pun-filled post about how Condé Nast had been taken for a ride in a "spear-phishing" scam. (Unlike regular old phishing attacks, which use mass email requests for sensitive information like bank passwords, spear-phishing targets specific people, usually under the guise of someone they already know.) Texan Andy Surface wrote to the publisher's accounts receivable last November, posing as the printer Quad/Graphics, with whom Conde Nast contracts. He included an invoice and an electronic payment mechanism, and requested the $8 million payment to a bank account listed under the name Quad Graph.
Some $8 million was wired from a JP Morgan Chase account to Texas before Quad/Graphics–the actual printer–called on December 30 to ask where its money was. A panicked Condé Nast quickly contacted federal authorities. They found $7.92 million–nearly the full amount wired–sitting in two accounts at the BBVA Compass Bank branch in Alvin. The U.S. Attorney’s Office in Manhattan got a court order to seize the money, following that up with the civil forfeiture lawsuit alleging wire fraud that formed the basis for the Forbes story.
Surface this week signed a waiver giving up the money, so it's destined for a return to Condé Nast. He could face fraud charges, but it would be a complicated federal case. Condé Nast may decide to take its money and go back about its business instead of calling any more attention to the embarrassing security breach.