Leoni makes cables and wiring harnesses for cars, trucks, healthcare systems, appliances and many other products. They operate worldwide, are publicly traded, have 75,000 employees and in 2015 had sales of over 4 billion euros. You would think that a company like this would not fall for a business email compromise scam. But they did.
CEO fraud, also known as Business Email Compromise (BEC), cost Leoni AG almost 40 million euros, paid straight to the scammers. BEC is a huge problem: the FBI says it has cost companies worldwide over $2 billion during the last several years.
The scammers had done their homework. They targeted a subsidiary of the company in Romania. It turns out Leoni has four factories in Romania, but only one of them is authorized to send wires. They targeted that one.
They sent an email that looked like it came from the CFO in Germany.
People inside the company said that it was common to send money that way, even large amounts of money. 40 million euros later, they are hopefully reconsidering that practice.
I continue to be amazed that large companies – Leoni has revenues of over 4 billion euros – authorize wires via email. And then they are surprised that they are taken to the cleaners for almost $45 million.
The company’s press release said that hackers used falsified documents and identities and electronic communications channels to perpetrate the scam. In plain terms, they pretended to be the CFO and sent an email requesting the wire transfers.
The good news is that 40 million Euros, while substantial, will not cause the company to go under. Their profit before taxes in 2015 was around 150 million euros.
Unfortunately, for many companies that fall victim to a business email compromise attack, that isn’t the case. In some cases, the attack has a very significant financial impact on the business. I wrote about a company yesterday that went out of business as a result.
This incident makes me ask some questions. Consider what the answers would be for your company.
- Could someone send an email pretending to be, say, the CEO or CFO to someone in accounting, asking them to wire money to some random bank account in a foreign country, without anyone questioning it BEFORE the payment is sent?
- Is there a policy that dictates how employees are supposed to handle requests for payments made via email? For example, is there a validation process? Does the request require approval? Is there a dollar value threshold above which extra authorization is required (such as $40 million)? What if the sender says that this is a super-secret, hush-hush deal?
- Does your company attempt to phish its employees as part of its training program? If so, how often is that done? HINT: Doing it once a year as part of the review of corporate HR policies probably won’t have much of a positive effect.
- Does your insurance cover this loss? Typically cyber insurance does not cover it, nor does general liability. Since the employees voluntarily sent the money, it is not covered by forgery coverage. Some insurers are creating a social engineering coverage to address this. To be sure that you are covered, ask in writing and make sure that the amount of coverage is adequate.
This is a significant business problem that can only be addressed by training people. This is not a technology problem. And since it is so profitable, it is not going away any time soon.
Information for this post came from Leoni’s press release on the issue.