Slashdot Mirror


One of Europe's Biggest Companies Loses 40 Million Euros In Online Scam (softpedia.com)

An anonymous reader writes from a report via Softpedia: Leoni AG, Europe's biggest manufacturer of wires and electrical cables and the fourth-largest vendor in the world, announced it lost 40 million euros ($44.6 million) following an online scam that tricked one of its financial officers into transferring funds to the wrong bank account. A subsequent investigation revealed that attackers had scouted the company's network and procedures, and identified a weak spot to attack. According to authorities, a young woman working as CFO at Leoni's Bistrita factory in Romania was the target of the scam, when she received an email spoofed to look like it came from one of the company's top German executives asking her to transfer funds to a bank account. According to unconfirmed information, the money stolen from Leoni's Bistrita branch ended up in bank accounts in the Czech Republic. The FBI says this type of attack is known as CEO fraud, whaling, or BEC (Business Email Compromise), and has defrauded companies around the world of over $3 billion since October 2013.

8 of 189 comments

  1. Encryption and Digital Signatures by The+Other+White+Meat · · Score: 5, Insightful

    If they had used PKI Encryption and Digital Signatures, technology that has been available for DECADES, they could have authenticated that message properly and prevented spoofing. To be performing transfers based on unauthenticated email is absurd.

    --

    --- Generation X: The first generation to have SIG lines inferior to their parents... ---
    1. Re:Encryption and Digital Signatures by Anonymous Coward · · Score: 5, Insightful

      Surely she should at least have called him on the phone to confirm the request?

    2. Re:Encryption and Digital Signatures by dbIII · · Score: 4, Insightful

      The only thing stopping me was balls not made of steel

      I'd say you were also stopped by an upbringing that wasn't completely worthless and didn't turn you into a sociopath.

    3. Re:Encryption and Digital Signatures by Opportunist · · Score: 3, Insightful

      What line? Use digitally signed mails everywhere and the line can as well be drawn at a single cent, it's not like there's any overhead involved.

      The first thing that happened when the first scam hit the papers was that we ensured everyone knows how to spot mails with bogus signatures (we have encrypted+signed mails as a standard for a few years now), that was basically all we had to do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Encryption and Digital Signatures by gsslay · · Score: 4, Insightful

      Your company is just ripe for this kind of scam, then.

      This is why companies with any sense, and decent financial auditing, have a non-negotiable, set procedure for moving money around. Especially when dealing with large sums like 40 million Euro. All that tedious form filling, signing and authorising is not done just to give the admin staff additional work, and a sense of power. It's to prevent the company being scammed.
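
    The signed-mail control that The+Other+White+Meat and Opportunist describe, as an added example that is not part of the thread and not anyone's real setup: a Go program using only the standard library's ed25519 keeps a directory of trusted public keys per sender address and accepts a transfer instruction only if it verifies under the key on file for the claimed sender. A forged From line, an unsigned mail, a body altered after signing, and a sender with no key on file are all rejected. The addresses, keys and message text are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// KeyDirectory maps a sender address to the public key the company trusts for
// it. In a real deployment this is the S/MIME or PGP keyring the company
// distributes; here it is an in-memory map built for the example.
type KeyDirectory map[string]ed25519.PublicKey

// SignedRequest is a transfer instruction plus the signature over the claimed
// sender and the body. From is exactly what a spoofed email forges; the
// signature is what a forger cannot produce without the executive's key.
type SignedRequest struct {
	From      string
	Body      string
	Signature []byte
}

// signingInput binds the claimed sender to the body so a signature made under
// one identity cannot be replayed as coming from another.
func signingInput(from, body string) []byte {
	return []byte(from + "\n" + body)
}

// SignRequest signs an instruction with the sender's private key.
func SignRequest(from, body string, priv ed25519.PrivateKey) SignedRequest {
	return SignedRequest{From: from, Body: body, Signature: ed25519.Sign(priv, signingInput(from, body))}
}

// Verify accepts a request only if it carries a signature that checks under
// the key on file for the *claimed* sender. The From header alone is never trusted.
func (d KeyDirectory) Verify(r SignedRequest) error {
	pub, ok := d[r.From]
	if !ok {
		return fmt.Errorf("no trusted key on file for %q", r.From)
	}
	if len(r.Signature) == 0 {
		return fmt.Errorf("request claiming to be from %q is unsigned", r.From)
	}
	if !ed25519.Verify(pub, signingInput(r.From, r.Body), r.Signature) {
		return fmt.Errorf("signature on request claiming to be from %q does not verify", r.From)
	}
	return nil
}

// Scenarios runs the cases discussed in the thread and returns the verifier's
// verdict for each; only the genuinely signed request comes back nil.
func Scenarios() map[string]error {
	execPub, execPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const execAddr = "exec@example.com" // hypothetical executive address
	dir := KeyDirectory{execAddr: execPub}
	body := "Please transfer EUR 40,000,000 to the account in the attachment today."

	legit := SignRequest(execAddr, body, execPriv)
	spoofed := SignRequest(execAddr, body, attackerPriv)  // forged From, attacker's own key
	unsigned := SignedRequest{From: execAddr, Body: body} // plain spoofed email, no signature
	tampered := legit
	tampered.Body = body + " Use the new account instead."             // body changed after signing
	unknown := SignRequest("nobody@example.net", body, attackerPriv) // address with no key on file

	return map[string]error{
		"legitimate": dir.Verify(legit),
		"spoofed":    dir.Verify(spoofed),
		"unsigned":   dir.Verify(unsigned),
		"tampered":   dir.Verify(tampered),
		"unknown":    dir.Verify(unknown),
	}
}

func main() {
	for name, err := range Scenarios() {
		if err == nil {
			fmt.Printf("%-10s accepted\n", name)
		} else {
			fmt.Printf("%-10s rejected: %v\n", name, err)
		}
	}
}
```

    The point of signing over the sender address as well as the body is that the key, not the header, is what identifies the executive: an attacker who has a valid key of their own still cannot produce a message that verifies as coming from someone else. What the directory does not catch is a genuinely compromised executive key or mailbox, which is why the thread's other answer, a phone call on a known number and a fixed procedure, still matters.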

  2. IT Contractors by Anonymous Coward · · Score: 5, Insightful

    All those contractors you outsourced to are selling your internal procedures for scams like this.

  3. Sounds like a problem with BPO by ErichTheRed · · Score: 3, Insightful

    The company I work for is a medium size multinational. We're big enough to do business worldwide but not so big that we get the "good" BPO vendors or hire "good" employees to do our offshore work. I've been working there for a while, and it seems to me that routine work is getting shipped to cheaper and cheaper countries every year. First it was Eastern Europe, then India, then the Philippines, now Central American countries. I can definitely see something like this happening with some of our core processes. If it followed the flowchart exactly, with all the right steps completed, and everything was in order, not one question would be raised.

    That said, every company is susceptible to this whether the employees are onshore or off. The problem is knowing when to bother the CEO on his yacht, or the golf course, or the luxury resort he's staying at to ask him a question about routine business...especially when you have a message that looks like it came right from him. Properly implemented digital signatures would help in this case -- but think about the fact that EV certs turn the entire address bar bright green and no one notices that, and they click "Yes" to every pop-up that comes their way.

  4. Re:Question for finance folks by Hognoxious · · Score: 3, Insightful

    I've worked on accounts payable systems.

    The right way is that (petty cash aside) you don't pay anything that doesn't have an invoice. You wouldn't have an invoice if there's no purchase order. You might also have a delivery note, in which case you'd check the quantities match at least approximately. And you wouldn't have any of the above if there's no vendor master. The vendor master contains the account details to pay into.

    You split the task up so it takes at least two people (ideally three) to do all the steps above.

    Of course that's not agile or webspeed enough for millennials, which is why fuckups happen.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
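
    The accounts-payable chain Hognoxious lays out, as an added example that is not from the comment and not any real ERP's code: a Go function that refuses to release a payment unless the invoice maps to a purchase order, the order to a vendor master, the delivered quantity roughly matches what is invoiced, the bank account is the vendor master's rather than whatever arrived with the invoice or the email, and at least two different people performed the steps. Vendor IDs, IBANs, PO numbers and user names are constructed placeholders.

```go
package main

import "fmt"

// Documents and master data, constructed for the example. In a real shop they
// live in the ERP; the vendor master is the only place a bank account is read from.
type Vendor struct{ ID, IBAN string }
type PurchaseOrder struct{ ID, VendorID string; Qty int; Amount float64 }
type DeliveryNote struct{ POID string; Qty int }
type Invoice struct{ ID, POID string; Qty int; Amount float64; IBAN string } // IBAN as printed/emailed; never trusted
type Approval struct{ Step, User string }                                    // who performed which step
type Payment struct{ VendorID, IBAN string; Amount float64 }
type Ledger struct {
	Vendors    map[string]Vendor
	Orders     map[string]PurchaseOrder
	Deliveries map[string]DeliveryNote // keyed by PO ID
}

var requiredSteps = []string{"enter", "match", "release"}

// ReleasePayment applies the chain the comment describes: no payment without an
// invoice, no invoice without a PO, no PO without a vendor master, delivered and
// invoiced quantities roughly equal, and at least two different people across the
// steps. The account paid is always the one in the vendor master.
func ReleasePayment(l Ledger, inv Invoice, approvals []Approval) (Payment, error) {
	po, ok := l.Orders[inv.POID]
	if !ok {
		return Payment{}, fmt.Errorf("invoice %s references unknown PO %q", inv.ID, inv.POID)
	}
	v, ok := l.Vendors[po.VendorID]
	if !ok {
		return Payment{}, fmt.Errorf("PO %s references unknown vendor %q", po.ID, po.VendorID)
	}
	// "Approximately": delivered quantity within 5% of what is invoiced.
	if dn, ok := l.Deliveries[po.ID]; ok && (dn.Qty*20 < inv.Qty*19 || dn.Qty*20 > inv.Qty*21) {
		return Payment{}, fmt.Errorf("invoice %s: delivered %d but invoiced %d", inv.ID, dn.Qty, inv.Qty)
	}
	// A "new account" arriving with an invoice or an email is the BEC tell. It is
	// not paid; changing the master is a separate, out-of-band verified process.
	if inv.IBAN != "" && inv.IBAN != v.IBAN {
		return Payment{}, fmt.Errorf("invoice %s: account %q differs from vendor master; verify out of band", inv.ID, inv.IBAN)
	}
	done := map[string]string{}
	for _, a := range approvals {
		done[a.Step] = a.User
	}
	people := map[string]bool{}
	for _, s := range requiredSteps {
		if done[s] == "" {
			return Payment{}, fmt.Errorf("step %q not performed", s)
		}
		people[done[s]] = true
	}
	if len(people) < 2 {
		return Payment{}, fmt.Errorf("segregation of duties: one person performed every step")
	}
	return Payment{VendorID: v.ID, IBAN: v.IBAN, Amount: inv.Amount}, nil
}

// Scenarios returns the verdict for a clean invoice and for the failure modes the
// controls exist to catch; only "clean" should come back nil.
func Scenarios() map[string]error {
	const masterIBAN = "DE00 0000 0000 0000 0000 00" // placeholder, not a real account
	l := Ledger{
		Vendors:    map[string]Vendor{"V100": {"V100", masterIBAN}},
		Orders:     map[string]PurchaseOrder{"PO-1": {"PO-1", "V100", 1000, 250000}},
		Deliveries: map[string]DeliveryNote{"PO-1": {"PO-1", 990}},
	}
	good := Invoice{"INV-7", "PO-1", 990, 247500, masterIBAN}
	newAccount, noPO, overbilled := good, good, good
	newAccount.IBAN = "CZ00 0000 0000 0000 0000 0000" // placeholder "please use our new account"
	noPO.POID = "PO-9"
	overbilled.Qty = 1500
	twoPeople := []Approval{{"enter", "alice"}, {"match", "alice"}, {"release", "bob"}}
	onePerson := []Approval{{"enter", "alice"}, {"match", "alice"}, {"release", "alice"}}
	run := func(inv Invoice, ap []Approval) error {
		_, err := ReleasePayment(l, inv, ap)
		return err
	}
	return map[string]error{
		"clean":        run(good, twoPeople),
		"new_account":  run(newAccount, twoPeople),
		"no_po":        run(noPO, twoPeople),
		"qty_mismatch": run(overbilled, twoPeople),
		"one_person":   run(good, onePerson),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-13s %v\n", name, err)
	}
}
```

    The design choice worth noticing is that the payment instruction is built from the vendor master, never from the invoice: a mail saying "we have changed our bank" can at most block a payment until someone verifies the change through a known channel, it cannot redirect one. The two-person check is deliberately over the whole set of steps, so one user entering, matching and releasing is caught even if each step was recorded correctly.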