French Cinema Chain Fires Dutch Executives Over 'CEO Fraud'$21 Million Lost to Business Email Compromise Fraudsters
Step one for not falling victim to business email compromise schemes: Senior managers must ensure they have a written and tested plan in place to ensure they don't fall victim to the schemes, also known as CEO fraud.
See Also: You've Got BEC!
Such schemes involve attackers pretending to be a senior executive, then instructing others to send money to a designated location, typically via wire transfer (see: CEO Fraud: Barriers to Entry Falling, Security Firm Warns).
But such attacks can be bad for a victim's career. Witness French film production and cinema chain Pathé firing the two-person senior management team for its Amsterdam-based Pathé Theaters BV subsidiary in the Netherlands after the executives fell victim to such a scam, losing €19 million ($21 million).
Their suspension from the board and later firing came to light this week thanks to a lawsuit filed in the Netherlands by the ousted finance director, who reported to the Dutch division's managing director, who also was fired. According to court records, the Dutch division employs 1,900 people and recorded sales of €209 million ($236 million) in 2017, meaning scammers stole nearly 10 percent of the company's annual revenue.
Timeline of Attacks
While the court records only include redacted names, the timeline of attacks reveals that the finance director was on vacation when some of the fraudulent transactions occurred.
- March 8: Managing director receives email that turns out to be part of BEC attack, which she forwards to an assistant, discusses with the financial director and ultimately approves.
- March 9: Pathé transfers €826,521 to an account number associated with Towering Stars General Trading LLC in Dubai.
- March 12-18: Finance director goes on vacation.
- March 13: In response to a further email from the account that originally emailed, the cinema chain transfers €2,479,563 more.
- March 16: €5 million gets paid.
- March 22: Further €5,826,770 gets paid.
- March 27: €5,152,354 gets paid.
- March 28: Pathé finally spots the fraud.
- March 29: Finance director and managing director suspended.
- April 13: Managing director fired following general meeting of shareholders.
- April 20: Internal investigation concludes that no one inside the organization was "actively involved in the fraud."
- April 26: Finance director fired, with Pathé saying he ignored "red flags" that could have stopped the fraud.
Ultimately, the court ruled in the finance director's favor, saying that he was not culpable and that Pathé must pay him his salary through Dec. 1, 2018. The subdistrict court judge noted that the fraudsters had expertly deceived the organization by pretending that the money needed to be moved due to a secret transaction, overseen by KPMG, involving the acquisition of a foreign business in Dubai, designed to give the parent company a competitive advantage over its peers.
A Persistent Threat
Earlier this year, Action Fraud in the U.K. reported that "mandate fraud was criminals' third most popular technique for defrauding organizations.
"Mandate fraud is when someone convinces an organization to change a direct debit, standing order or bank transfer mandate, by purporting to be a company that receives regular payments from them, for example a subscription or membership organization or a business supplier."
In July, the FBI warned that global losses to business email compromise attacks have hit at least $12.5 billion.
In September, the EU's law enforcement intelligence agency, Europol, warned that fraudsters operating out of West Africa that previously ran 419 (Nigerian prince) scams are increasingly running sophisticated BEC attacks (see: Cybercrime: 15 Top Threats and Trends).
David Stubley, CEO of security testing firm and consultancy 7 Elements in Edinburgh, Scotland, told me at Information Security Media Group's recent Security Summit: London that there are a number of defenses that organizations should already have in place to defend themselves against BEC attacks as well as to more quickly recover (see: Business Email Compromise: Must-Have Defenses).
"Clearly, if we can avoid the compromise, that's great, and that's what we should be aiming for, which is why we say MFA [multifactor authentication] is a must from the outset," said Stubley, whose firm has helped organizations investigate and recover from BEC attacks.
Using multifactor authentication helps block the two primary ways that attackers gain access to a target network: phishing attacks as well as brute-forcing their way into cloud-based email accounts.
"It's quite easy to enumerate people that are using cloud-based email services such as Office 365, and then from there, if you've got usernames, you can then just start slowly trying to brute-force those password attacks," Stubley said. "For a malicious agent, they've got all the time in the world; they'll probably have hundreds of thousands of accounts that they're trying to brute-force. And as one pops, they can obviously use that to conduct their fraud."
Fallback: Proper Auditing
With attackers especially gunning for cloud-based email systems - including Office 365 - Stubley said it's imperative to ensure administrators configure it to provide relevant alerts, gather in-depth logs as well as block all mail-forwarding attempts, which BEC attackers regularly use to conduct reconnaissance on a target before attempting to scam them.
"Certainly if there is a compromise, the more auditing you've got, the more alerting you've got and the more blocks you have in place, you're going to frustrate the attacker and you're going to give yourself the opportunity to see it occurring and therefore stop it before ... money being paid out of the business," Stubley said
But attackers with access to a network might also decide to look for valuable data. In such cases, organizations may suffer a data breach, requiring them to notify authorities, for example, per the EU's General Data Protection Regulation.
When Attackers Are Inside Your Email
Stubley said that in one of the successful BEC attacks his firm investigated, attackers - using IP addresses in West Africa - hacked into the cloud-based email accounts of two executives inside an organization, then studied their behavior. At an opportune moment, when both executives were out of the office, the attackers sent communications back and forth between the accounts that appeared to authorize a wire transfer, then forwarded the email chain to an underling, who saw it as proof that the money should be moved, and did just that.
Behind the scenes, the attackers had configured the Office 365 environment to delete their fake emails from the sent folder so the victims would see no evidence of the attack.
Reviewed in reverse, this type of attack seems like it should be easy to block as well as spot. But so many organizations' continuing failure to put common-sense defenses in place suggests they're just waiting to fall victim.
Process Control: Get It
That gets to one of the most essential BEC defenses that organizations should have in place - and it has very little to do with technology. Rather, it's all about business processes. Namely, for any money-moving requests, "process control should be implemented that includes an out-of-band and/or non-electronic method of approval," Stubley told me. That goes whether a money-moving request gets made via email, text, phone or some other medium.
If someone wants to move money, make them jump through preset hoops that are designed to block and identify any BEC scams in progress. Of course, policies aren't worth the paper they're printed on unless employees get trained. Such training also needs to be refreshed to ensure workers don't route around the rules by trying to be helpful when someone claiming to be the CEO sends an email saying she's on vacation and requesting that an overdue invoice be paid immediately to a specified account abroad.
Everyone with the ability to approve or move money must keep asking themselves: Am I being scammed?