How One Email Cost a Company $56 Million
(The following is adapted from my new book Fire Doesn’t Innovate. It originally appeared on my blog.)
A single email could cost you $56 million
At least that’s what happened with Austria-based aerospace company FACC, a mid-market business that supplies spare parts to Boeing and Airbus.
In late 2015, a criminal manipulated someone in FACC’s finance department into moving $56 million into an account the criminal controlled. The attacker pulled off this phishing attack, a socially engineered attempt to steal your money or your company’s money, by getting into the CEO’s email, imitating the quirks of his writing style, and crafting a perfectly believable message to a finance department worker.
Months later, in January 2016, the company disclosed the theft publicly. FACC recovered about $11 million of the loss, but due in large part to this incident it reported a $22 million total loss for 2015.
Their official statement about the incident, and the dismissal of the CEO, said this:
The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular, in relation to the “fake president” incident, and Mr. Robert Machtlinger was appointed as interim CEO of FACC.
FACC’s stock price fell 17 percent when they made the announcement.
It wasn’t just the CEO who took the fall either. FACC also fired the CFO and the person in the finance department who fell for the “fake president” scam.
More than a year after the FACC incident, in May 2017, the FBI issued a notice that these business email compromise scams have cost businesses approximately $5 billion worldwide over the previous three years, and the frequency is only rising.
A follow-up FBI public service announcement in July 2018 extended the count: from October 2013 to May 2018, 78,617 incidents were reported worldwide, with total losses of $12.5 billion. In the US alone, 41,058 victims were hit for $2.93 billion in losses.
The business email compromise will look legitimate
The message in a business email compromise lure looks legitimate because the criminal has either broken into the company’s email and studied the executive’s style of writing or, failing that, disguised the source of the email so that it doesn’t arouse suspicion: typically by spoofing the executive’s address outright, by setting a Reply-To that quietly diverts the conversation, or by sending from a lookalike domain that differs from the real one by a single character.
However, despite the technology involved in a “fake president” scam, it’s not taking advantage of your company’s technology. It’s an attack on people’s emotions.
Look at the FACC example. That breach had nothing to do with technology being exploited. Sure, the cybercriminal used technology to send the email, but none of the company’s technological defenses or controls were compromised.
It was an attack on a person and on a process, not on technology. More specifically, it was an attack on the lack of a process. FACC didn’t have reasonable cybersecurity measures in place to manage the risk this criminal posed, such as a training program or a dual-authorization process (a second approver, with the request confirmed through a known phone number rather than by replying to the email) before large amounts of cash can leave the company.
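As an added example (not from the book or the post, and not anything FACC ran), the Python below triages a raw email for the “fake president” indicators discussed above: an executive’s name on an outside mailbox, a lookalike sender domain, a diverted Reply-To, a DMARC failure recorded by the receiving gateway, and pressure language around a payment. The company domain `example.com`, the executive name, the attacker domains (`.invalid`) and the three sample messages are all constructed for the illustration.

```python
"""Heuristic triage of a raw email for "fake president" / BEC indicators.

Constructed example: the domain, executive list, attacker domains and the
three messages below are illustrative, not taken from the FACC case.
"""
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"          # assumed company domain
EXECUTIVES = {"jane doe"}            # assumed CEO name, lower-cased
LURE_TERMS = ("urgent", "confidential", "wire", "transfer", "do not discuss", "today")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """True when `domain` imitates `legit` by a homoglyph swap or a single edit."""
    if domain == legit:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")
    return folded == legit or edit_distance(domain, legit) <= 1


def assess(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. An executive's display name on a mailbox outside the company.
    if display.strip().lower() in EXECUTIVES and domain != CORP_DOMAIN:
        findings.append(f"executive display name '{display}' on external sender {addr}")
    # 2. A domain registered to look like ours (examp1e.com, exarnple.com, ...).
    if is_lookalike(domain, CORP_DOMAIN):
        findings.append(f"lookalike sender domain {domain}")
    # 3. Replies silently diverted to a mailbox the attacker controls.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        findings.append(f"Reply-To {reply} differs from From {addr}")
    # 4. Our own gateway recorded a DMARC failure for the claimed From domain.
    if "dmarc=fail" in str(msg.get("Authentication-Results", "")).lower():
        findings.append("DMARC failed for the claimed sender domain")
    # 5. Pressure and secrecy language around a payment.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [term for term in LURE_TERMS if term in text]
    if len(hits) >= 2:
        findings.append("pressure/payment language: " + ", ".join(hits))
    return findings


def is_bec_suspect(raw: str) -> bool:
    """Two or more independent indicators is the (assumed) hold-for-review threshold."""
    return len(assess(raw)) >= 2


# Constructed sample 1: From spoofed on the real domain; the gateway's DMARC check fails.
SPOOFED_LURE = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@exec-private-mail.invalid>
To: finance@example.com
Subject: Urgent and confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

I need you to wire EUR 2,500,000 for an acquisition today. This is strictly
confidential; do not discuss it with anyone else until I am back.
"""

# Constructed sample 2: lookalike domain the attacker owns, so DMARC passes for it.
LOOKALIKE_LURE = """\
From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Confidential transfer
Authentication-Results: mx.example.com; dmarc=pass header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

Please prepare an urgent wire transfer for the project we discussed. Keep this confidential.
"""

# Constructed sample 3: ordinary internal mail that must not be flagged.
BENIGN = """\
From: Pat Lee <pat.lee@example.com>
To: finance@example.com
Subject: Q3 supplier invoices
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Attached are the Q3 supplier invoices for review at Thursday's meeting.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_LURE), ("lookalike", LOOKALIKE_LURE), ("benign", BENIGN)):
        print(name, "->", assess(sample) or "no indicators")
```

Note what the second sample shows: the lookalike-domain lure passes DMARC, because the attacker legitimately owns `examp1e.com`. Header checks like these belong at the mail gateway as a tripwire, but they are not the control; the control is the dual-authorization step, because a lure that slips past every header check still has to survive a second approver and a phone call to a known number.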
How to Maintain Your Reputation in a Digitally Dangerous World
You probably know that cybersecurity is something you should focus on in your company. Maybe you’ve been putting off dealing with it because there are more important aspects of your business that need your attention.
As an executive, your bread and butter should be having great people who are trained appropriately and have great processes in critical areas of your business, such as sales, order fulfillment, and accounts receivable. Why should cybersecurity be any different?
Just like every other aspect of your job as an executive, you’ll find cybersecurity success by working through other people. Although there is no such thing as a perfect prevention plan, you can enhance your reputation as a company of integrity, one that implements effective practices to protect your stakeholders by safeguarding your organization’s assets, including your customers’ data.
As a result, when your competitors fail to stop cyberthreats and have to close their doors (like promotional products manufacturer Colorado Timberline did in 2018), you’ll be standing strong when the dust settles with your reputation and data intact. You’ll see greater revenues, bigger clients, and have greater control over your company.
For more advice on avoiding email scams, you can download the first chapter of Fire Doesn’t Innovate for free.
6y: Great article! Having visibility into the mailbox level to spot anomalies (like BEC) is what most organisations lack and should focus on.
Glad the report included the fact that the CEO was fired. Makes me wonder whether the HR manager also was held responsible for failure to train employees (including the finance department employee who fell victim to the scheme) to recognize and avoid such attacks.
6y: Here's a serious story about a #CEO and #CFO who lost their jobs to a phishing attack. It shouldn't be this easy for cyberattackers, but it is... #cio #cto #ciso #cybersecurity #cyberriskmanagement Jake Bernstein, CISSP Melissa Van Buhler Carmen Marsh Karen Worstell, MA, MS Chris W. Raymond Pompon Michael Riemer Jonathan Clarke Cary Pool Christophe Foulon, CISSP Mark Petersen Shawn Kearney Peter C. Versnel Chris Wood