Cybercriminals stole $46.7m (£30m) from router company Ubiquiti Networks by pretending to be executives asking staff to make unauthorised international wire transfers. The fraud was discovered in June and since then just $8.1m has been recovered.
Based in San Jose, California, Ubiquiti manufactures computer networking equipment. It disclosed the cyberheist in its quarterly financial report, filed with the US Securities and Exchange Commission on 4 August. The company said the incident "involved impersonation and fraudulent requests from an outside entity targeting the finance department."
The stolen money was transferred from funds held by Ubiquiti's Hong Kong subsidiary to "other overseas accounts held by third parties." Legal proceedings in "various foreign jurisdictions" were started immediately, and as a result, $8.1m has been recovered. Ubiquiti expects a further $6.8m, currently subject to legal injunction, to be returned to the company in due course.
As for the remaining $31.8m, Ubiquiti is unsure whether it will be recovered. It admitted it "may not be successful in obtaining any insurance coverage for this loss," but added that it doubts the loss will have a material impact on its business operations. The company also said it did not believe its computer systems had been compromised, or that any data had been exposed.
The 'business email compromise'
Computer security expert Brian Krebs offered some analysis on the incident on his blog, saying this type of cyberheist is a "sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments." The type of attack is known as 'CEO fraud' and the 'business email compromise'.
At the start of 2015, the FBI warned that criminals had stolen over $200m from businesses in the previous 14 months through these types of scams. The scams start when criminals spoof or hijack the email accounts of business executives or employees; they can then orchestrate the wire transfers by talking to the relevant members of staff. As documented by Krebs, con artists stole over $17m from US company The Scoular Co when an executive wired the money in instalments to a bank in China, after receiving emails ordering him to do so.
The FBI advises companies to use two-factor authentication for logging into employee email accounts, and to use a second form of communication - like a telephone call - to authorise larger transactions. Businesses are also advised not to make public details of employee activities, such as when they are travelling or when they are out of the office.