A recent wire fraud attempt caused French film group Pathe to lose an astonishing €19.2 million (around $22 million). The massive loss happened after hackers used a business email compromise scam to target the organization.
The case shows that even huge multinationals can fall victim to wire fraud if they don’t have steps in place to protect themselves. This article will look at what happened to Pathe, and detail how to protect your company from this type of theft.
What Is Business Email Compromise
Business email compromise scams target high-level executives at companies that regularly wire money. Fraudsters send email to their victims from a hacked email account of someone in the target organization. These scammers also send email from fake but legitimate-looking accounts they create.
Criminals will often use information gained from hacks to make a scam seem more convincing. This means business email compromise is difficult to detect — especially if the target organization is unprepared.
Criminals use different techniques to increase the chance of the scam working. They’ll create a sense of urgency in the victim by putting a time limit on when the money needs to be sent. The scammers may also tell the victim not to contact anyone else about the email they have received as the details need to stay confidential.
While these tricks may seem like obvious signs of a scam to those in the know, they play on the victim’s fears and can be convincing. After all, no employee wants to be the reason their company failed to close a deal because they didn’t act on instructions.
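The warning signs described above can be checked mechanically before a payment request reaches a person. The following is an added example, not code from the original article: the domain `example-corp.test`, the executive name, the keyword lists and the sample message are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the organisation's mail domain and the display names
# of executives who can authorise payments.
ORG_DOMAINS = {"example-corp.test"}
EXECUTIVES = {"alice martin"}
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|deadline)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (tell|discuss|contact))\b", re.I)

def is_lookalike(domain):
    """True for a domain that is close to, but not one of, our own domains."""
    return domain not in ORG_DOMAINS and any(
        SequenceMatcher(None, domain, d).ratio() >= 0.85 for d in ORG_DOMAINS)

def bec_indicators(raw):
    """Return the warning signs found in one single-part text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    found = []
    if name.lower() in EXECUTIVES and from_domain not in ORG_DOMAINS:
        found.append("executive name on outside address")
    if is_lookalike(from_domain):
        found.append("lookalike sender domain")
    if reply_domain and reply_domain != from_domain:
        found.append("reply-to differs from sender")
    if PAYMENT.search(text) and URGENCY.search(text):
        found.append("payment request with time pressure")
    if PAYMENT.search(text) and SECRECY.search(text):
        found.append("payment request with secrecy demand")
    return found

# Constructed sample message, shaped like the pattern described above.
SAMPLE = """\
From: "Alice Martin" <alice.martin@examp1e-corp.test>
Reply-To: alice.martin.private@mail-provider.test
Subject: Acquisition, strictly confidential

We need a wire transfer today to close the takeover.
Do not discuss this with anyone and reply only to my personal address.
"""

print(bec_indicators(SAMPLE))
```

A message sent from a genuinely hacked internal account passes the sender checks, so only the content checks can flag it.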
Business email compromise scams can come in many different forms. Here are five types of fraud you should be on the lookout for.
- Bogus invoice scams are those where fraudsters claim to be foreign suppliers and request money for payments.
- CEO fraud is where the attacker claims to be the CEO of the company and sends emails to employees in finance requesting money. This is similar to what happened to Pathe.
- Account compromise attacks are those where fraudsters hack into email accounts belonging to executives and send out invoices to vendors listed in the executive’s account.
- Attorney impersonation attacks are those where the scammers claim to be from a law firm.
- Data theft is when hackers attack accounts of people in the organization and gain access to sensitive information. While data theft isn’t a type of scam in itself, the data obtained can be used to carry one out.
How The Pathe Scam Played Out
In the Pathe scam, the CEO of Pathe Netherlands was targeted by an email claiming to be from the CEO of the office in France. However, it actually came from a fake email address set up by criminals.
In the emails, the fraudsters told the Dutch CEO that Pathe was planning to take over a Dubai-based company and that they needed money for use in the takeover. The emails warned the victim not to tell anyone about the transfer as it was strictly confidential. Because of this, the scammers said all correspondence must go through the personal email account.
At one point, the CEO became suspicious and emailed the Dutch office’s CFO about what to do. He told her to ask for confirmation about the transfer from another executive at Pathe France. The scammers duly agreed to this, sending her an email from a new fake account confirming the transfer.
This confirmation email appeared to be signed by both the manager of Pathe France and the chief executive. It was enough to convince the Dutch team to send a payment.
However, the fraudsters weren’t happy with just the one payment. They continued the scam and managed to get Pathe to send several more transfers — totaling around €19 million. The victims didn’t find out what had happened until the office in France began asking why they had taken money from a shared account.
How You Can Protect Your Organization From Business Email Compromise
This scam shows that any organization can fall victim to wire fraud if it hasn’t taken steps to protect itself. Here are some things you can do to secure your company.
Educate Your Staff
Perhaps the first thing you should do is educate your employees about wire fraud and the types of scams they should look out for.
The Pathe victims reportedly missed clear signs the emails were part of a scam. This shows that what is a clear sign to some people may not be so plain to those without knowledge of wire fraud.
It is also essential to educate employees about what to do if they think criminals are targeting them.
In the Pathe case, there was a time when the victim was suspicious about the instructions she had received. When she asked the CFO what to do, his instructions — asking for confirmation from another executive at the company — played into the hands of the scammers.
The people running the fraud were able to provide this evidence by creating another fake email address. However, if the victims knew how fraud occurs, they would likely have dealt with their suspicions differently.
Use Two-Factor Authentication
Fraudsters sometimes hack email accounts to get the information required to run a scam convincingly.
Two-factor authentication puts another layer of security in front of accounts and makes hacking more difficult. Even if the attacker knows the account’s username and password, they still need the information provided by two-factor authentication to log into the account.
Have a Procedure in Place For Wiring Money
As well as educating staff members, Pathe could have stopped the scam if it had a secure procedure in place for verifying wiring information.
The procedure could be anything from calling the person involved and getting them to verify the wiring information, to using a service like CertifID to ensure the person requesting wiring details is who they say they are.
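A release check built on the call-back idea above might look like the following. This is an added example, not code from the original article or from CertifID: the directory entries, phone numbers, role names and function names are hypothetical. A confirmation counts only when it reaches the requester through details already on file and over a different channel than the request, which is the test the emailed confirmation in the Pathe case would have failed.

```python
from dataclasses import dataclass

# Constructed directory: phone numbers recorded before any request arrived.
ON_FILE = {"ceo-fr": "+33 1 00 00 00 01", "cfo-fr": "+33 1 00 00 00 02"}

@dataclass
class Confirmation:
    person: str        # who is said to have confirmed
    channel: str       # "email" or "phone"
    contact_used: str  # address or number the confirmation came through

@dataclass
class WireRequest:
    requester: str
    channel: str       # channel the request arrived on
    confirmations: list

def rejection_reasons(conf, req):
    """Why a confirmation does not count; an empty list means it counts."""
    reasons = []
    if conf.channel == req.channel:
        reasons.append("same channel as the request")
    if ON_FILE.get(conf.person) != conf.contact_used:
        reasons.append("contact details not on file")
    return reasons

def may_release(req):
    """Release only when the requester was reached through on-file details
    over a channel other than the one the request arrived on."""
    return any(c.person == req.requester and not rejection_reasons(c, req)
               for c in req.confirmations)

# Constructed cases: an emailed confirmation from a new address, and a
# call-back to the requester's number on file.
emailed = WireRequest("ceo-fr", "email",
                      [Confirmation("cfo-fr", "email", "cfo@lookalike.test")])
called_back = WireRequest("ceo-fr", "email",
                          [Confirmation("ceo-fr", "phone", "+33 1 00 00 00 01")])

print(may_release(emailed), may_release(called_back))
```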
Awareness is Key
Companies that wire large amounts of money are always likely to be wire fraud targets. However, staying aware of the tactics would-be scammers use can help give your organization the upper hand.