
Q&A: This is how simple a £35 million phishing scam can be

Earlier this month, it was reported that hackers managed to steal nearly £35 million from Leoni AG, Germany's largest manufacturing firm and one of the largest manufacturers of electrical cables in Europe.

How did they do it? Through a tactic known as 'CEO fraud' (also called business email compromise, or BEC), a phishing-style attack in which the attackers sent employees fake payment requests crafted to look as though they came from company executives.

The report says: "Investigators say the email was crafted in such a way to take into account Leoni’s internal procedures for approving and transferring funds. This detail shows that attackers scouted the firm in advance. The Bistrita factory was not chosen at random either. Leoni has four factories in Romania, and the Bistrita branch is the only one authorised to make money transfers."

We recently spoke to David MacKinnon, Director of Incident Response for PhishMe Triage, to learn more about this technique and the types of industries that may be affected.

How would a hacker, for example, spoof an email to then send a request?

"Attackers leverage free email services to send these requests. There are 2 main tactics that we see being used with those services. First, when the free email service account is set up and the display name is that of the executive they wish to impersonate. So when the targeted employee receives the message, it appears to be from the impersonated C-level.

"The second is when the emails are forged to appear from the targeted organisation, but the reply-to address for that email would point to an email address outside of their organisation. Most attackers will send these requests from free email services; however, some go through the trouble of registering domains that closely resemble their targets’ DNS records."
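The three sender patterns described in the answer above (an executive's display name on a free-mail account, a forged internal From with an external Reply-To, and a lookalike domain) can each be spotted from message headers alone. The following is an added example written for this page, not code from PhishMe or from the interviewee; the organisation domain, the executive directory, the free-mail list and the four sample messages are all constructed for illustration.

```python
import email
from email.utils import getaddresses, parseaddr

# Constructed assumptions for this example (not from the article):
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LOOKALIKE_MAX_EDITS = 2  # edit distance at or below this counts as a lookalike


def _domain(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a, b):
    """Plain edit distance, used to catch examp1e.com / exarnple.com style domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw_message):
    """Return a list of (finding_code, detail) tuples for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # Tactic 1: an executive's display name on a mailbox that is not theirs.
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        findings.append(("display_name_impersonation",
                         "%r sent from %s, expected %s" % (name, addr, real_mailbox)))
    if from_domain in FREE_MAIL_DOMAINS:
        findings.append(("free_mail_sender", from_domain))

    # Tactic 2: From looks internal but replies are steered outside the organisation.
    reply_domains = {_domain(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    for d in sorted(reply_domains):
        if d and d != from_domain:
            findings.append(("reply_to_mismatch",
                             "Reply-To domain %s differs from From domain %s" % (d, from_domain)))

    # Tactic 3: a registered domain a few keystrokes away from the real one.
    if from_domain and from_domain != ORG_DOMAIN:
        if _levenshtein(from_domain, ORG_DOMAIN) <= LOOKALIKE_MAX_EDITS:
            findings.append(("lookalike_domain", from_domain))

    return findings


# Constructed sample messages (no leading newline: the blank line ends the headers).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 figures

Attached as discussed.
"""

FREE_MAIL_DISPLAY_NAME = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please expedite the attached payment today.
"""

FORGED_FROM_EXTERNAL_REPLY_TO = """From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@outlook.com
To: accounts@example.com
Subject: Urgent wire transfer

Reply to confirm and I will send the bank details.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer

Process this before close of business.
"""

if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("free-mail", FREE_MAIL_DISPLAY_NAME),
                          ("reply-to", FORGED_FROM_EXTERNAL_REPLY_TO), ("lookalike", LOOKALIKE)]:
        print(label, analyze_headers(sample))
```

The checks deliberately look only at From and Reply-To, which is all an attacker controls when sending from a free service; in production you would also consult the Authentication-Results header (SPF, DKIM, DMARC) for the forged-From case, since a message that claims to come from your own domain but fails DMARC alignment is the strongest single signal the second tactic is in play.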

What's the most common form of this CEO fraud technique?

"The most common form of this attack is when a malicious actor sends an email masquerading as a C-level employee to another employee, requesting that the recipient expedite a wire transfer. These requests are well crafted, and often include a forged signature block with the C-level’s details (name, title, email, phone, etc.)."

Are particular industries affected by it more often? What sorts of businesses do you believe are most at risk?

"No – there is no single industry targeted more than others. Any business that lacks proper business policies for handling wire transfer requests is at risk.

"Additionally, organisations that do employ a program to effectively condition their users to detect and report suspicious messages are also at quite a disadvantage."
