A recent court decision in Amsterdam, Holland (behind a registration wall) revealed the details of how this scam went down, and what errors were made along the way.
On Thursday, March 8th, the MD of a Dutch movie chain gets an email that appears to come from the CEO of their holding company: "Did KPMG already call you?" The email was sent from a smartphone. The MD forwards the email to their CFO, but both are puzzled. They decide to email back and ask what the issue is.
The answer is a classic CEO Fraud tactic: "We are in a confidential M&A process with a foreign company in Dubai, and any communications can only be done using the personal email address of the CEO. Please transfer the first 900K and this money will be transferred back to you at the end of the month."
An email thread ensues in which the MD wants to make sure that the transaction is legit. "No worries," confirms the supposed holding company CEO. "Please transfer the first 10% of the acquisition."
On Tuesday, March 13th, the second transfer gets made: 2.5 million. The two execs wonder what is going on but decide to comply with the CEO's orders. More transfer requests follow, for higher amounts. On Tuesday, March 27th, the "last payment" gets made. A total of 21 million dollars has been transferred over roughly two weeks, and they are assured: "Yes, we'll now transfer this money back right away." That was the last thing they heard.
Finally HQ wakes up, grabs the phone, and asks about the transfers: "What is going on? What was the money used for?" The penny drops. The two execs have fallen for a CEO Fraud scam and are immediately put on administrative leave, and later fired.
The CFO went to court and contested being fired. He claims he was just following orders and cannot be blamed for this disaster. However, HQ feels he should have spotted the red flags and never transferred the money in the first place.
The court digs into the matter and concludes that the movie chain has become the victim of a sophisticated gang of cyber criminals. The CFO cannot go back to the office; there are too many trust issues at this point. He's getting a few more months' pay and will be cut loose on December first. There is no word on whether any money has been recovered, but if you do not file claw-back requests with the banks within 24 hours, the chances of getting it back are slim.
High-risk employees need to be stepped through new-school security awareness training that takes scenarios like this one, runs automated simulated attacks based on them, and combines those with immediate remedial training, so that employees are inoculated against sophisticated scams like this.
Apparently Pathé did not train these executives at all, or if they did, it was very badly executed. We strongly urge you to prevent disasters like this and create your own, strong human firewall that will spot and block attempts like this. KnowBe4 enables your employees to make smarter security decisions.
These are the free resources you can use right away:
To start with, here's some brand new footage about KnowBe4 and how things look behind the scenes. This shows you who we are. In October 2018, our Series A venture capital investor Elephant Partners asked us if it was OK to shoot some footage so that they could show their investors how KnowBe4 was doing as an Elephant portfolio company. They sent a crew, and these 3 minutes are what they created. We were thrilled with the result, so we decided to share it with the world! Here you go:
See KnowBe4's platform for yourself and get a live, one-on-one demo.
CEO fraud has ruined the careers of many executives and loyal employees. Don't be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack, and what to do if you become a victim.