SecureWorld News

$18.6 Million in a Week: Business Email Compromise at a Whole New Level

Written by SecureWorld News Team | Tue | Mar 5, 2019 | 4:22 PM Z

Business Email Compromise (BEC) is heavily tied to social engineering, where criminals con their way into victims' trust.

And our team recently learned about a new and incredible example of BEC that takes this crime to a whole new level.

And those who fell for it, lost their jobs.

Chinese hackers steal $18.6 million in BEC scam

The Economic Times of India is reporting on an Italian company that had its operations in India taken for a ride through Business Email Compromise and more:

The hackers sent emails to the head of Tecnimont Pvt Ltd, the Indian subsidiary of Milan-headquartered Tecnimont SpA, through an email account that looked deceptively similar to that of group CEO Pierroberto Folgiero, according to a police complaint, which ET has seen.

The hackers then arranged a series of conference calls to discuss a possible “secretive” and “highly confidential” acquisition in China. Several people played various roles during these calls, pretending to be the group.

The hackers convinced the India head that the money couldn’t be transferred from Italy due to regulatory issues.

So the Indian arm of this Italian company made three transfers to a Hong Kong bank over the course of a week in the fall of 2018: $5.6 million, $9.4 million, and $3.6 million.

The investigation has since revealed that those Hong Kong accounts were opened with fake identification documents and the money is gone.

Business Email Compromise, more sophisticated than ever

This topic really caught our attention because we just sat in on a SecureWorld web conference on NextGen Business Email Compromise.

This case proves the point made by KnowBe4 Security Awareness Advocate Erich Kron. He says a challenge for organizations now is that many underestimate the sophistication and urgency of these BEC attacks. 

"Sophisticated hackers have moved way beyond misspelled, poorly-formatted emails. Now, they turn the tables on employees, often by using fear as a trigger as if that person needs to act right now to avoid consequences for the organization or the employee."

And when you transfer $18.6 million in a week as part of a BEC scam, clearly, hackers created a sense of urgency.

Someday, someone will probably make a movie out of a heist like this. The orchestration, the planning, the conference calls full of criminals, one of whom even sounded like the company's CEO.

It is not only an incredible story. It's an incredible story of caution for CISOs, CFOs, and anyone who could be a money-making target at organizations around the globe.

The company fired its India chief and the head of accounts and finance because of the scam.