An as yet unnamed American company fell victim to nearly $100 million in CEO fraud. Employees were socially engineered by spoofed emails that claimed to come from one of the company's legitimate vendors, U.S. authorities said on Thursday, as reported by Reuters.
This scam only surfaced when the U.S. government filed a civil forfeiture lawsuit in federal court in Manhattan seeking to recover about $25 million held in at least 20 bank accounts around the world. Nearly $74 million has been recovered and returned to the American company. The remaining $25 million was laundered through other accounts in locations including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong, authorities said.
Foreign governments at the request of U.S. authorities have restrained 20 accounts worldwide that received portions of the remaining stolen funds, which are now the subject of the lawsuit, authorities said.
This is by far the largest case of what the FBI calls "business email compromise" and what IT security folks call "CEO fraud." The bad guys do their research in order to execute a social engineering attack on the employees who hold the purse strings on deals with foreign suppliers or who regularly perform wire transfers.
The FBI issued an alert to companies last week stating that businesses had suffered $2.3 billion globally in losses from CEO email fraud from October 2013 to February of this year. There has been a 270% increase in identified victims and exposed loss since January 2015. If the unthinkable does happen, always file a complaint with the Internet Crime Complaint Center (IC3).
According to the alert, "Victims range from large corporations to tech companies to small businesses to non-profit organizations." Organizations of all sizes in all industries are vulnerable to this type of attack; if you have any type of security weakness, the criminals will find a way to exploit it. With social engineering and email fraud threats, if the people being targeted have proper security training to protect themselves and to recognize these attacks when they occur, the criminals' chances of success drop dramatically.
The cybercriminals sent what appeared to be authentic emails from an actual vendor of the company, one that had been hired to handle the details and logistics of its vendor payments. And once again it looks like the banks, not the (still mysterious) company, figured out that something was wrong. The fraud caused the American firm to send $98.9 million meant for the actual vendor to an account at Eurobank Cyprus Ltd. The scam was identified after Cyprus-based Eurobank spotted suspicious transfers and restrained nearly $74 million of the funds, which is how the company got a good portion of its money back.
And to think that all of this could have been prevented with effective security awareness training! Training your employees to always keep security top of mind is one of the single most effective preventative measures against CEO fraud. Any email regarding a financial transaction, and especially one that changes where money is sent, should be looked at closely before any action is taken. Most fraudulent emails like this create a sense of urgency. A simple phone call to the vendor, using a number already on file rather than one from the email, could be what keeps your company out of the headlines.
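The "look closely, then pick up the phone" check above can be partly automated before a payment-instruction email reaches anyone with wire authority. This is an added example, not code from the original post or from any vendor; the vendor domains, keyword lists, and similarity threshold are constructed assumptions that a real deployment would tune.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: the sender domains of vendors the company actually pays (assumption).
KNOWN_VENDOR_DOMAINS = {"acme-logistics.example", "northwind-supply.example"}

# Phrases typical of the two ingredients of CEO fraud: moving money, and doing it in a hurry.
PAYMENT_TERMS = ("wire", "bank account", "beneficiary", "remittance", "payment details", "new account")
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "before close of business")


def sender_domain(from_header):
    """Return the domain of the real address in a From: header.
    The display name is ignored, so 'billing@vendor <x@other>' yields 'other'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_of(domain, known, threshold=0.85):
    """Return the known vendor domain that `domain` closely imitates, or None.
    An exact match is legitimate; a near match (dropped letter, swapped TLD) is a typosquat."""
    if domain in known:
        return None
    best, score = None, 0.0
    for k in known:
        r = SequenceMatcher(None, domain, k).ratio()
        if r > score:
            best, score = k, r
    return best if score >= threshold else None


def assess_payment_email(from_header, subject, body):
    """Triage a payment-related email before anyone acts on it.
    Verdicts: 'ok', 'verify_by_phone' (call the vendor on a number already on file), 'block'."""
    text = f"{subject}\n{body}".lower()
    dom = sender_domain(from_header)
    flags = {
        "payment_change": any(t in text for t in PAYMENT_TERMS),
        "urgency": any(t in text for t in URGENCY_TERMS),
        "unknown_sender": dom not in KNOWN_VENDOR_DOMAINS,
        "lookalike_of": lookalike_of(dom, KNOWN_VENDOR_DOMAINS),
    }
    if flags["payment_change"] and flags["lookalike_of"]:
        verdict = "block"  # a domain imitating a real vendor is asking to move money
    elif flags["payment_change"] and (flags["urgency"] or flags["unknown_sender"]):
        verdict = "verify_by_phone"
    else:
        verdict = "ok"
    return {"sender_domain": dom, "verdict": verdict, **flags}
```

Keyword matching is only a coarse first filter; the durable control is the out-of-band verification step the verdict points to, applied to every change of payment details regardless of how convincing the email looks.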
Incidents like this show that you really cannot afford not to do this.
Find out how affordable this is and be pleasantly surprised.