Austrian Aeronautics Company Loses Over €42 Million to BEC Scam
Fischer Advanced Composite Components AG (FACC), an aeronautics company in Austria, is the latest victim to a business email compromise (BEC) scheme after being swindled a record 42 million euros (around $47 million) through a spear-phishing attack.
FACC is a major designer and manufacturer of aircraft components and systems, with a client base that includes Boeing, Airbus, Rolls-Royce, Siemens SAS and Mitsubishi Heavy Industries.
According to reports, the incident occurred last January and involved a fake email that impersonated its then CEO Walter Stephan, conning one of FACC’s financial department employee into wiring 50 million euros that was supposedly for one of the company’s acquisition projects. FACC, realizing that they were tricked, adopted countermeasures and was able to stop the transfer of 10.9 million euros on the recipient accounts. The rest of the money, however, has already disappeared in Slovakia and Asia.
FACC’s case is a classic example of a type of BEC known as ‘CEO Fraud’ where fraudsters pretend to be high-level executives (CEO, CFO, president, senior manager, etc.) or a representative claiming to be handling critical and confidential information. Using email content that can appear legitimate and create a sense of urgency, they instruct the recipient—typically an employee that handles the company’s finances—to conduct a wire transfer to a bank account they control. And contrary to usual phishing attacks that are emailed en masse, BEC scams are socially engineered and more targeted to avoid being detected as spam.
This is also how The Scoular Company in Omaha, Nebraska was fleeced by scammers when one of its executives unwittingly performed a series of wire transfers totaling $17.2 million to a bank in China after receiving emails purporting to be from its CEO. Pomeroy Investment Corporation in Troy, Michigan lost $495,000 to the same scheme.
BEC scams can also target enterprises and organizations for personally identifiable information and financial data deemed valuable enough to be sold to online black markets. This was the case with companies such as Seagate, Sprouts Farmers Market, and Snapchat.
NBA franchise Milwaukee Bucks suffered the same when it was reported last week that the W-2 records of its employees were leaked via an email spoofing attack, revealing information such as player names, Social Security numbers, addresses, dates of birth and compensation figures. The Bucks organization addressed the breach by providing affected employees three years of credit monitoring and non-expiring identity restoration services.
[From the Security Intelligence Blog: Battling Business Email Compromise Fraud]
According to the latest report from the FBI’s Internet Crime Complaint Center (IC3), the agency has received 7,838 BEC-related complaints from U.S. businesses last year, and is considered a serious threat to organizations, along with ransomware and email account compromise. BEC has seen a dramatic surge in identified victims, with losses pegged at $263 million in 2015. The agency also saw BEC schemes using other tactics that use romance (i.e. online dating scams), lottery, check, and employment offers as a hook.
The FBI strongly advises businesses to beware of fund transfer requests made through emails, especially those requested with secrecy and urgency. Employees should also be cautious of mimicked email addresses (i.e. an email address with a .co extension instead of .com). Organizations can also consider adopting a two-step verification process and establishing other communication channels in order to verify transactions that entail moving the company’s financial resources.
In their 2015-2016 financial report, FACC disclosed that although it was able to stop the transfer of 10.9 million euros, “it is expected that the amounts frozen in receiving accounts will not be reimbursed in the short term.” In addition, the “loss incurred by the company as a result of the cyber fraud also led to an outflow of liquid funds totaling EUR 52.8 million” and left FACC with an operating loss of 23.4 million euros.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale