How One Email Cost a Company $56 Million

January 29, 2019

The following is adapted from Fire Doesn’t Innovate.

A single email could cost you $56 million

At least that’s what happened with Austria-based aerospace company FACC, a mid-market business that supplies spare parts to Boeing and Airbus.

In late 2015, a clever cybercriminal successfully manipulated someone inside FACC’s finance department into moving $56 million into the criminal’s account. The offender pulled off this phishing attack, a socially engineered attempt to steal your money or your company’s money, by gaining access to the CEO’s email and imitating the quirks of his writing style to craft a perfectly believable message to a finance department worker.

Months later, in January 2016, the company disclosed the theft publicly: FACC was able to recover about $11 million of their losses, but due in large part to this incident, the company reported a $22 million total loss for 2015.

Their official statement about the incident, and the dismissal of the CEO, said this:

The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular, in relation to the “fake president” incident, and Mr. Robert Machtlinger was appointed as interim CEO of FACC.

FACC’s stock price fell 17 percent when they made the announcement.

It wasn’t just the CEO who took the fall either. FACC also fired the CFO and the person in the finance department who fell for the “fake president” scam.

More than a year after the FACC incident, in May 2017, the FBI issued a notice that these business email compromise scams have cost businesses approximately $5 billion worldwide over the previous three years, and the frequency is only rising.

From October 2013 to May 2018, 78,617 incidents were reported, with total losses of $12.5 billion. In the US alone, 41,058 companies were hit for $2.93 billion in losses.

The business email will look legitimate

The messages in a business email compromise lure will look legitimate because the cybercriminal has either broken into the company’s email server and copied the executive’s style of writing or, if the criminal can’t get into the server, disguised the apparent source of the email so that it doesn’t arouse suspicion.
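As an added example, not code from the book or from this article, here is a Python screen for the “fake president” indicators the paragraph above describes: an executive’s display name sitting on an address that is not the executive’s, a sender domain that imitates the company’s, a Reply-To that quietly diverts answers to a different domain, an “internal” sender that the mail gateway could not authenticate, and the urgent-and-confidential payment wording the lure relies on. The company domain, the executive’s name and address, the three sample messages, and the assumption that the inbound gateway stamps an Authentication-Results header with SPF/DKIM verdicts are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumptions (constructed for this example): the company's mail domain, the
# executives whose names are worth protecting, and that the inbound gateway
# stamps an Authentication-Results header carrying SPF/DKIM verdicts.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"alice chief": "alice.chief@example.com"}  # lower-cased display name -> real address
PAYMENT_WORDS = ("wire", "transfer", "urgent", "confidential")


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, reference):
    """True when a domain is not the reference but is nearly identical to it (e.g. examp1e.com)."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= 0.8


def assess(raw_message):
    """Return the list of 'fake president' indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))

    # 1. An executive's display name on an address that is not the executive's.
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append("display-name-impersonation")

    # 2. Sender domain that imitates the company's own.
    if is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append("lookalike-domain")

    # 3. Replies silently redirected to a different domain than the sender's.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Claims to be internal, but the gateway could not authenticate it.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain == COMPANY_DOMAIN and not ("spf=pass" in auth and "dkim=pass" in auth):
        findings.append("internal-sender-unauthenticated")

    # 5. The social-engineering payload: money, pressure and secrecy.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("payment-urgency-language")

    return findings


# Constructed sample messages, not real traffic.
LOOKALIKE_MSG = """\
From: "Alice Chief" <alice.chief@examp1e.com>
Reply-To: alice.chief@examp1e.com
To: bob@example.com
Subject: Urgent wire
Content-Type: text/plain; charset=utf-8

Bob, I need you to wire the deposit today. Keep this confidential until the deal is announced.
"""

HEADER_SPOOF_MSG = """\
From: "Alice Chief" <alice.chief@example.com>
Reply-To: alice.chief@mail-relay.test
To: bob@example.com
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Bob, please process the transfer I mentioned. Urgent, I am in meetings all day.
"""

LEGIT_MSG = """\
From: "Alice Chief" <alice.chief@example.com>
To: bob@example.com
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset=utf-8

Bob, can you send me the Q3 numbers when you have a moment?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", LOOKALIKE_MSG), ("header-spoof", HEADER_SPOOF_MSG), ("legit", LEGIT_MSG)):
        print(label, assess(sample) or ["clean"])
```

Each indicator on its own is weak evidence; the value is in the combination, which is why the function returns every finding rather than a single verdict. A message that trips the authentication or Reply-To checks together with the payment wording is exactly the case where the receiving employee should pick up the phone to a number already on file rather than reply.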

However, despite the technology involved in a “fake president” scam, it’s not taking advantage of your company’s technology. It’s an attack on people’s emotions.

Look at the FACC example. That breach had nothing to do with technology being exploited. Sure, the cybercriminal used technology to send the email, but none of the company’s technological defenses or controls were compromised.

It was an attack on a person—and a process, not technology. More specifically, it was an attack on the lack of process. FACC didn’t have enough reasonable cybersecurity measures in place to help manage the risk that the cybercriminal posed, such as a training program or a dual-authorization process to move large amounts of cash.
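To make the dual-authorization process mentioned above concrete, here is an added example in Python; it is not FACC’s process and not code from the book. It models a payment-release check in which transfers at or above a threshold need two distinct approvers, the requester can never approve their own request, and an instruction that arrived by email does not become approvable until someone has confirmed it by calling back on a number already on file. The threshold, the field names and the callback rule are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Assumed policy (constructed for this example): transfers at or above this
# amount need two distinct approvers, neither of whom raised the request.
DUAL_AUTH_THRESHOLD = 10_000


@dataclass
class PaymentRequest:
    requester: str                    # who keyed the payment in
    beneficiary: str                  # destination account owner
    amount: float
    origin: str = "erp"               # "erp" for system-generated, "email" for ad-hoc instructions
    callback_verified: bool = False   # instruction confirmed by phone on a number already on file
    approvals: list = field(default_factory=list)


def required_approvals(amount):
    """Single sign-off below the threshold, dual authorization at or above it."""
    return 2 if amount >= DUAL_AUTH_THRESHOLD else 1


def check_approval(req, approver):
    """Return None if this approver may sign, otherwise the rule that blocks it."""
    if approver == req.requester:
        return "requester may not approve their own payment"
    if approver in req.approvals:
        return "an approver may only sign once"
    if req.origin == "email" and not req.callback_verified:
        return "email-originated instructions need a verified callback before approval"
    return None


def approve(req, approver):
    """Record one approval after the separation-of-duties checks; True once releasable."""
    reason = check_approval(req, approver)
    if reason:
        raise PermissionError(reason)
    req.approvals.append(approver)
    return is_releasable(req)


def is_releasable(req):
    """Release only when the required number of distinct approvals has been collected."""
    return len(req.approvals) >= required_approvals(req.amount)


if __name__ == "__main__":
    # Constructed scenario: a large email-originated instruction, confirmed by callback.
    big = PaymentRequest("bob", "vendor-x", 50_000, origin="email", callback_verified=True)
    print(approve(big, "carol"))   # first of two required approvals -> False
    print(approve(big, "dave"))    # second, distinct approver -> True
```

The point of the callback rule is that it moves the verification out of the channel the attacker controls: however convincing the email, the finance worker’s next step is a phone call to the executive on a known number, and the system refuses to count an approval until that has happened.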

How to Maintain Your Reputation in a Digitally Dangerous World

You probably know that cybersecurity is something you should focus on in your company. Maybe you’ve been putting off dealing with it because there are more important aspects of your business that need your attention.

As an executive, your bread and butter should be having great people who are trained appropriately and have great processes in critical areas of your business, such as sales, order fulfillment, and accounts receivable. Why should cybersecurity be any different?

Just like every other aspect of your job as an executive, you’ll find cybersecurity success by working through other people. Although there is no such thing as a perfect prevention plan, you can enhance your reputation as a company of integrity, one that implements effective practices to protect your stakeholders by safeguarding your organization’s assets, including your customers’ data.

As a result, when your competitors fail to stop cyberthreats and have to close their doors (like promotional products manufacturer Colorado Timberline did in 2018), you’ll be standing strong when the dust settles with your reputation and data intact. You’ll see greater revenues, bigger clients, and have greater control over your company.

For more advice on avoiding email scams, you can find Fire Doesn’t Innovate on Amazon.

Kip Boyle is founder and CEO of Cyber Risk Opportunities, whose mission is to enable executives to become more proficient cyber risk managers. His customers have included the U.S. Federal Reserve Bank, Boeing, Visa, Intuit, Mitsubishi, DuPont, and many others. A cybersecurity expert since 1992, he was previously the director of wide area network security for the Air Force’s F-22 Raptor program and a senior consultant for Stanford Research Institute (SRI).
