Europe's largest manufacturer of electrical cables and wires, Leoni AG, has seen its shares fall by between 5% and 7% after reporting that an email phishing scam caused the company to lose €40m ($44.7m, £33.7m) overnight.
Leoni AG is a German firm, but it has a factory located in Bistrita, a city in northern Romania. According to Romanian newspapers, on 12 August, the funds disappeared because the CFO of the Bistrita factory was tricked into transferring money into an unknown bank account because the email looked like it came from one of the manufacturer's top executives in Germany.
Somehow, the hackers knew that the Bistrita factory was the only one in Romania out of four Leoni factories that was allowed to authorise and make money transfers. The incident is so severe that it has been escalated by Romanian police and is now being investigated by Romania's Directorate for Investigating Organised Crime and Terrorism, according to Softpedia.
But this is not the first high-profile case of an email phishing scam targeting corporate entities. In March, it was revealed that in April 2015, Mattel almost lost $3m in a similar fraud in China, but fortunately it was a bank holiday when the transfer was made to the hackers' bank account, and Chinese police in the province of Wenzhou and the bank in question were able to freeze the funds in time.
How corporate email phishing scams work
There are lots of security vulnerabilities for hackers to exploit, but it is often difficult to get cyberattacks to translate into tangible monetary returns. Nevertheless, there is a growing trend of cybercriminals who have figured out a sophisticated multi-step strategy known as Business Email Compromise (BEC) to trick companies into giving up big bucks, and the bad news is that it is working.
The idea is that the cybercriminals use a vulnerability that has not been patched to hack into a corporate network, and then the hackers sit quietly unnoticed on the network pretending to be just another user.
The hackers infiltrate corporate employee email accounts, and read enough email threads so that they can figure out the chain of command in the company, and specifically, how certain important figures in the company converse.
When they are poised to strike, the cybercriminals impersonate the CEO or another senior figure and send an email to the person in charge of finance, such as the Chief Financial Officer (CFO), requesting that a payment be made to a third-party contractor by transferring funds to a certain bank account.
The CEO is the CFO's boss, and what do you do when your boss tells you to do something? Usually, you do it, no questions asked, and this is how the hackers win – the poor CFO in question receives an email from the CEO, from the CEO's email address, composed in the style the CEO would write such a correspondence, thinks nothing of it, and complies, transferring the funds to the account number stated in the email.
To prevent your company from suffering a similar fate, enterprises should set out a policy whereby several employees must each give active authorisation, confirmed in person or through another real-world channel, before funds can be transferred outside the company, rather than permitting funds to be sent on the strength of an email instruction alone.
And of course, it would make sense to ensure that your IT department is keeping up to date with patching all security vulnerabilities and beefing up network security too.
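As an added illustration of the dual-control policy recommended above (example code, not from the original article or from Leoni), the following Python check accepts a transfer only when two distinct employees, other than the person who entered it, confirmed it through a channel other than email; employee identifiers, channel names and amounts are constructed sample values.

```python
from dataclasses import dataclass

# Channels accepted as real-world confirmation. Email is deliberately absent:
# an instruction arriving by email is the thing being verified, not a verification.
OUT_OF_BAND_CHANNELS = {"in_person", "phone_callback"}


@dataclass(frozen=True)
class Approval:
    approver: str  # employee identifier (constructed sample values below)
    channel: str   # how the approval was given


@dataclass
class TransferRequest:
    requester: str     # employee who entered the payment
    amount_eur: float
    approvals: tuple   # Approval records attached to the request


def check_transfer(req: TransferRequest, min_approvers: int = 2):
    """Return (allowed, reasons). A transfer is allowed only when at least
    min_approvers distinct employees, none of them the requester, confirmed
    it through an out-of-band channel. Duplicate approvals by one person count once."""
    reasons = []
    valid = set()
    for a in req.approvals:
        if a.channel not in OUT_OF_BAND_CHANNELS:
            reasons.append(f"{a.approver}: '{a.channel}' is not an accepted channel")
        elif a.approver == req.requester:
            reasons.append(f"{a.approver}: requester cannot approve own transfer")
        else:
            valid.add(a.approver)
    if len(valid) < min_approvers:
        reasons.append(f"only {len(valid)} valid approver(s), need {min_approvers}")
    return len(valid) >= min_approvers, reasons


# Constructed sample: a single email instruction, as in the case described above.
EMAIL_ONLY = TransferRequest("cfo", 40_000_000, (Approval("cfo", "email"),))
# Constructed sample: the policy followed, two colleagues confirmed out of band.
DUAL_CONTROL = TransferRequest("cfo", 40_000_000,
                               (Approval("controller", "in_person"),
                                Approval("treasurer", "phone_callback")))

if __name__ == "__main__":
    for name, req in (("email-only", EMAIL_ONLY), ("dual-control", DUAL_CONTROL)):
        ok, why = check_transfer(req)
        print(name, "ALLOWED" if ok else "BLOCKED", why)
```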