The Dutch branch of the French film production and distribution company Pathé has lost over 19 million euros to BEC scammers, Dutch News reported.
Information about how the scammers pulled it off has been gleaned from court documents relating to an unfair dismissal lawsuit brought against Pathé France by Edwin Slutter, the Dutch branch’s former chief financial officer.
Commenting on the news and offering advice are the following security professionals:
Javvad Malik, Security Advocate at AlienVault:
“BEC or CEO scams are very common tactics used by criminals. Because there is no malware, it relies purely on tricking the recipient. Therefore, employees should receive training in learning how to spot such emails, as well as knowing how, and to whom, to escalate suspicious emails.
Segregation of duties would also have helped. The fact that only one employee was able to make such large payments was a process weakness that the criminals exploited.”
Tim Sadler, Co-founder and CEO at Tessian:
“As this case indicates, fraudsters have a highly sophisticated understanding of the industry and individuals that they are targeting. This means that the email impersonation methods they use, such as spoofing trusted contacts – Pathé’s chief executive in this case – can be so advanced that they are indiscernible to unsuspecting employees, including C-level executives.
Instances like this, where the attacker targets high profile employees to steal large sums of money or highly sensitive data, are known as whaling attacks. Senior executives are targeted because they have access to lucrative data, and they have the power to authorise high-value money transfers.
Human error is natural and inevitable. Therefore, if Pathé wishes to prevent whaling and phishing attacks and the significant financial and reputational damage they cause, it is imperative that the company implements a solution that doesn’t rely solely on employee vigilance and/or existing rule-based security systems that have, up to this point, failed to protect the network. Hopefully, this incident will act as a wake-up call to the company: every employee is susceptible, regardless of their seniority, so every employee must be protected. Increasingly, organisations are protecting their people and data by applying machine-intelligent technologies that automatically and comprehensively analyse the content and characteristics of inbound email to determine whether it is legitimate or a phishing email.”