Original post from the Security Awareness Training Blog at KnowBe4 on April 15th
An as-yet-unnamed American company fell victim to nearly $100 million in CEO fraud. Employees were socially engineered by spoofed emails that claimed to come from one of the company's legitimate vendors, U.S. authorities said on Thursday, as reported by Reuters.
This scam only surfaced as the U.S. government filed a civil forfeiture lawsuit in federal court in Manhattan seeking to recover about $25 million held in at least 20 bank accounts around the world. Nearly $74 million has been recovered and returned to the American company. The remaining $25 million was laundered through other accounts in locations including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong, authorities said.
Foreign governments at the request of U.S. authorities have restrained 20 accounts worldwide that received portions of the remaining stolen funds, which are now the subject of the lawsuit, authorities said.
This is by far the largest case of what the FBI calls “business email compromise” and what IT security folks call “CEO fraud”: the bad guys research the employees who hold the purse strings on deals with foreign suppliers or who regularly perform wire transfers, then impersonate a trusted party to get a payment sent to an account they control.
The FBI said in an alert issued to companies last week that businesses had suffered $2.3 billion globally in losses from CEO email fraud from October 2013 to February of this year.
And once again it looks like a bank, not the (still unnamed) company, figured out something was wrong. The scam was identified after a Cyprus-based bank spotted suspicious transfers. The fraud caused the American firm to send $98.9 million meant for the actual vendor to an account at Eurobank Cyprus Ltd, which discovered the fraud.
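The two signals in this story are a sender that only looks like a known vendor and payment details that do not match what accounts payable has on file. The script below is an added example, not code from the KnowBe4 post or from any of the companies involved: it screens an incoming payment request against a vendor master record and returns findings for a lookalike sender domain, a Reply-To that points somewhere else, and a bank account that differs from the one on record. The vendor names, domains and account numbers are constructed placeholders, and the two-edit lookalike threshold is an assumption chosen for illustration.

```python
"""Vendor payment-request screening (added example; vendor data is constructed)."""
from dataclasses import dataclass

# Constructed vendor master record: what accounts payable treats as the source of truth.
VENDOR_MASTER = {
    "acme components": {
        "domain": "acme-components.example",
        "account": "GB00EXAMPLE0001",
    },
}


@dataclass
class PaymentRequest:
    display_name: str      # From: display name as the mail client shows it
    sender_address: str    # actual From: address
    reply_to: str          # Reply-To: address, "" if the header is absent
    vendor: str            # vendor the request says it is for
    account: str           # account the email asks to be paid
    amount: float


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss lookalike domains (acme-cornponents vs acme-components)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_payment_request(req: PaymentRequest) -> list[str]:
    """Return findings that contradict the vendor master; an empty list means nothing was flagged."""
    findings = []
    record = VENDOR_MASTER.get(req.vendor.strip().lower())
    if record is None:
        return [f"unknown vendor '{req.vendor}': no record on file"]

    sender = domain_of(req.sender_address)
    if sender != record["domain"]:
        # Assumed threshold: within two edits of the real domain counts as a lookalike.
        if edit_distance(sender, record["domain"]) <= 2:
            findings.append(f"lookalike sender domain {sender} (vendor uses {record['domain']})")
        else:
            findings.append(f"sender domain {sender} does not match vendor domain {record['domain']}")

    if req.reply_to and domain_of(req.reply_to) != sender:
        findings.append(f"Reply-To domain {domain_of(req.reply_to)} differs from sender domain {sender}")

    if req.account.replace(" ", "").upper() != record["account"]:
        findings.append("payment account differs from vendor master; confirm by phone on the number already on file")

    return findings


if __name__ == "__main__":
    # Constructed request: familiar display name, near-miss domain, new account.
    suspicious = PaymentRequest("Acme Components AP", "billing@acme-cornponents.example",
                                "ap@freemail.example", "Acme Components",
                                "GB99EXAMPLE9999", 98_900_000.0)
    for finding in review_payment_request(suspicious):
        print("FLAG:", finding)
```

The account check is the one that matters most: a changed bank account should be confirmed with the vendor through a phone number taken from the existing record, never from the email that requested the change. The lookalike threshold is deliberately loose and will produce false positives on very short domains, so treat its output as a prompt for a human to look, not as an automatic block.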
And to know that all this could have been prevented with effective security awareness training!
Incidents like this show that you really cannot afford not to do this. Find out how affordable this is and be pleasantly surprised.