We all think that people falling for email scams are really stupid and that we’d never fall for it. But what happens if it happens to you and your company?
On the 12th of August 2016, Europe’s largest electrical cable and wire manufacturer lost a whopping €40 million due to a sophisticated corporate email scam using a combination of spear phishing and whaling attack techniques.
Leoni AG’s headquarters are in Germany and the company has four factories in Romania. According to Romanian newspapers, the CFO of the Bistrita factory was deceived into transferring funds by an instruction that appeared to come from one of the top executives in Germany. What makes this high profile case so interesting is that the hackers somehow knew that the factory in Bistrita is the only one of the four Romanian factories with the authority to conduct money transfers.
The Romanian Police are now investigating this shocking cyber crime to find out who did it. However, the cost for the company is not only the loss of capital. Their reputation is damaged and competitors can now gain a competitive edge against them. Shares in Leoni AG fell 5-7% overnight due to this incident.
How the Leoni AG Corporate email phishing scam worked
As the attackers knew that only one of the Romanian factories could authorise money transfers, and even knew the chain of command for how funds transfers worked, there are several theories about who the culprit is. One theory is that it was an inside job; another is that the computer systems had been compromised and Leoni AG simply did not know it at the time.
Hackers can exploit many security vulnerabilities; however, it can be difficult for some companies to justify spending on hacking prevention in terms of tangible monetary returns. The number of hackers who have discovered how to carry out a successful Business Email Compromise (BEC) is growing. Business Email Compromise techniques trick executives into believing that an invoice or other instruction is real. The Leoni AG case is not isolated, and over the years many companies have fallen prey to such incidents. Mattel almost lost $4 million to a similar scam but was lucky enough that the Chinese Police were able to apprehend the criminals and return the money.
In order for this cyber attack to have occurred at Leoni AG, the hackers would have exploited a vulnerability that had not yet been patched in the corporate network. The cyber criminals then sat quietly and unnoticed on the exposed network, pretending to be just another user at the company.
The online criminals would then have infiltrated the corporate employee email accounts. After reading enough emails, they would have figured out who the important figures in the company are, the chain of command, and how they operate. When the hackers are ready to strike, they impersonate a senior figure such as the CEO, send an email to the person in charge of accounting, such as the CFO, and request that a payment be made. The payment requested is usually to a specific bank account belonging to a third party such as an outsourced contractor or supplier.
Employees usually do not question the CEO when the boss tells them to do something that seems straightforward, and this is what cyber criminals take advantage of. The CFO or financial executive reads an email that comes from the CEO’s real email address, composed in the style the CEO normally writes in, and carries out the instruction to transfer the funds.
How to Prevent Falling for Email Scams
To prevent your company falling victim to a similar cyber attack, it is important for businesses and non-profits of all sizes to create strong internal policies which include in-person authorisation. In addition, your IT department should be active in patching all security vulnerabilities and increasing network security.
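The attack described above works because a single email, even one from the executive’s real mailbox, is treated as sufficient authority to move money. The policy recommended here (in-person or otherwise out-of-band authorisation) can be enforced in the payment workflow itself. The following is an added example written for this page, not code from Leoni AG or from any product mentioned; the roles, the vendor master record, the IBAN values and the €10,000 threshold are all constructed assumptions. It holds any email-originated request to an unknown beneficiary or above the threshold until a confirmation made by phone or in person with the purported requester is recorded, and it requires a second person, not the email’s recipient, to approve the release.

```python
"""Dual-control payment release policy (added example, not Leoni AG's code).

Rule enforced: a payment request that arrived by email is never released on
the strength of that email alone. If the beneficiary account is not already on
the vendor master record, or the amount is at or above the threshold, someone
must confirm the request with the purported requester through a separate
channel (phone or in person), and a person other than the email's recipient
must approve the release.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed vendor master record: vendor id -> vetted beneficiary account.
# The account strings are placeholders, not real IBANs.
KNOWN_BENEFICIARIES = {"SUPPLIER-001": "DE00-PLACEHOLDER-0001"}

# Assumed policy parameters.
OUT_OF_BAND_METHODS = {"phone", "in_person"}
CONFIRMATION_THRESHOLD_EUR = 10_000.0


@dataclass
class Confirmation:
    confirmed_by: str   # employee who performed the check
    method: str         # "phone" / "in_person" count; replying to the email does not
    counterpart: str    # the person actually reached (should be the purported requester)


@dataclass
class PaymentRequest:
    request_id: str
    requested_by: str               # who the email claims to be from, e.g. "CEO"
    received_by: str                # finance employee who received the instruction
    amount_eur: float
    beneficiary_vendor: str
    beneficiary_account: str
    channel: str = "email"
    confirmation: Optional[Confirmation] = None
    approved_by: Optional[str] = None  # second person signing off the release


def beneficiary_is_known(req: PaymentRequest) -> bool:
    """True only if the vendor exists AND the account matches the vetted record.
    A known vendor name with a new account is the classic BEC pattern."""
    return KNOWN_BENEFICIARIES.get(req.beneficiary_vendor) == req.beneficiary_account


def needs_out_of_band_confirmation(req: PaymentRequest) -> bool:
    return req.channel == "email" and (
        req.amount_eur >= CONFIRMATION_THRESHOLD_EUR or not beneficiary_is_known(req)
    )


def evaluate(req: PaymentRequest) -> Tuple[str, str]:
    """Return ('release' | 'hold', reason) for a payment request."""
    if needs_out_of_band_confirmation(req):
        c = req.confirmation
        if c is None:
            return "hold", "email-originated request needs confirmation on a separate channel"
        if c.method not in OUT_OF_BAND_METHODS:
            return "hold", f"confirmation via {c.method!r} is not out of band"
        if c.counterpart != req.requested_by:
            return "hold", "confirmation did not reach the person the email claims to be from"
    # Four-eyes principle applies to every release, whatever the channel.
    if req.approved_by is None or req.approved_by == req.received_by:
        return "hold", "a second person, not the recipient of the request, must approve"
    return "release", "policy satisfied"


if __name__ == "__main__":
    # Constructed scenario modelled on the article: an emailed "CEO" instruction
    # to pay a contractor whose account is not on the vendor master.
    req = PaymentRequest("REQ-0001", "CEO", "CFO", 40_000_000.0,
                         "CONTRACTOR-X", "DE00-PLACEHOLDER-0002")
    print(evaluate(req))                                    # held: no confirmation
    req.confirmation = Confirmation("CFO", "email_reply", "CEO")
    print(evaluate(req))                                    # held: replied to the email
    req.confirmation = Confirmation("CFO", "phone", "CEO")
    req.approved_by = "Controller"
    print(evaluate(req))                                    # released
```

The important design choice is that the phone number or meeting used for the confirmation must come from the company directory, never from the suspicious email itself, and that "replying to the email" is deliberately excluded as a method: when the executive’s mailbox is compromised, as the article describes, the attacker answers that reply.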