Recently released court documents show that European-based cinema chain Pathé lost a small fortune to a business email compromise (BEC) scam in March 2018. How much? An astonishing US$21.5 million (roughly 19 million euros). The attack, which ran for about a month, cost the company 10 percent of its total earnings.
Business email compromise is a type of phishing attack, sprinkled with a dash of targeted social engineering. A scammer pretends to be an organisation’s CEO, then starts bombarding the CFO with urgent requests for a money transfer. The requests are generally for wire transfers (hard to trace), and are often routed through Hong Kong (lots of wire transfers, even harder to trace).
Scammers will sometimes buy domain names to make the fake emails look even more convincing. These attacks rely on the social importance of the CEO: nobody wants to question the boss. If an organisation has no safeguards in place against these attacks, a scammer will likely be very rich indeed. It only takes one successful scam to generate a huge haul, at which point the scammer simply vanishes into the ether.
This particular BEC scam is of interest because it highlights a slightly different approach to the attack. Scammers abandoned pitting the fake CEO against the real CFO in favour of faking French head office missives to the Dutch management.
It all begins with the following mail:
“We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.”
Even though the CFO and CEO thought it strange, they pressed on regardless and sent over 800,000 in Euros. More requests followed, including some while the CFO was on vacation—both executives were fired after the head office noticed. Although they weren’t involved in the fraud, Pathé said they could—and should—have noticed the “red flags.” They didn’t, and there was no safety net in place, so the business email compromise attempt was devastatingly successful.
Many instances of BEC fraud go unreported because nobody wants to voluntarily admit they fell victim. As a result, the first you tend to hear about it is in court proceedings. It’s hard to guess how much is really lost to BEC fraud, but the FBI have previously floated a $2.1 billion-dollar figure. The actual figure could easily be higher.
Business email compromise continues to grow in popularity among scammers, and it’s up to all of us to combat it. If your organisation doesn’t take BEC seriously, you could easily be on the receiving end of an eye-watering phone call from your bank manager. Keeping your finances in the black is a priority, and BECs are one of the most insidious threats around, whether you distribute movies, IT services, or anything else for that matter. Don’t let malicious individuals decide when to call things a wrap.
The post Business email compromise scam costs Pathé $21.5 million appeared first on Malwarebytes Labs.