Tag Archives: Business Email Compromise

Leoni AG Lost $44 Million to CEO Fraud

Leoni makes cables and wiring harnesses for cars, trucks, healthcare systems, appliances and many other products.   They operate worldwide, are publicly traded, have 75,000 employees and in 2015 had sales of over 4 billion euros.  You would think that a company like this would not fall for a business email compromise scam.  But they did.

CEO fraud, AKA Business Email Compromise (BEC), cost Leoni AG almost 40 million euros, all of it sent to the scammers.  BEC is a huge problem, with the FBI saying that it has cost companies worldwide over $2 billion during the last several years.

The scammers had done their homework.  They targeted a subsidiary of the company in Romania.  It turns out Leoni has four factories in Romania, but only one of them is authorized to send wires.  They targeted that one.

They sent an email that looked like it came from the CFO in Germany.

People inside the company said that it was common to send money that way.  Even large amounts of money.  40 million Euros later they hopefully are reconsidering that strategy.

I continue to be amazed that large companies – Leoni has revenues of over 4 billion euros – authorize wires via email.  And then they are surprised that they are taken to the cleaners for almost $45 million.

The company’s press release said hackers used falsified documents and identities and electronic communications channels to perpetrate the scam.  This means that they pretended to be the CFO and sent an email requesting the wire transfers.

The good news is that 40 million Euros, while substantial, will not cause the company to go under.  Their profit before taxes in 2015 was around 150 million euros.

Unfortunately, for many companies that fall victim to a business email compromise attack, that isn’t the case.  In some cases, the attack has a very significant financial impact on the business.  I wrote about a company yesterday that went out of business as a result.

This incident makes me ask some questions.  Consider what the answers for your company are.

  1. Can someone send an email, pretending to be, say, the CEO or CFO, to someone in accounting asking to wire some money to some random bank account in a foreign country and no one says anything about it BEFORE sending the payment?
  2. Is there a policy that dictates how employees are supposed to handle requests for payments made via email?  For example, is there a validation process?  Does the request require approval?  Is there a dollar value threshold above which extra authorization is required (such as $40 million)?  What about if the sender says that this is a super-secret hush-hush deal?
  3. Does your company attempt to phish its employees as part of its training program?  If so, how often is that done?  HINT:  Doing it once a year as part of the review of corporate HR policies probably won’t have much of a positive effect.
  4. Does your insurance cover this loss?  Typically cyber insurance does not cover it, nor does general liability.  Since the employees voluntarily sent the money, it is not covered by forgery coverage.  Some insurers are creating a social engineering coverage to address this.  To be sure that you are covered, ask in writing and make sure that the amount of coverage is adequate.

This is a significant business problem that can only be addressed by training people.  This is not a technology problem.  And since it is so profitable, it is not going away any time soon.


Information for this post came from Leoni’s press release on the issue.

Business Email Compromise – A Slightly Different Version

While this column is directed at lawyers, it applies equally well to anyone sending or receiving confidential communications via email and expecting those communications to actually be confidential.

We think of business email compromise as one of those spear phishing emails that pretend to come from the boss telling you to wire money to China for a secret deal.  Well, here is a different version with a couple of twists and turns.

In this case, it was a lawyer’s email that was hacked AND the lawyer knew that someone was going after his email.  He had just prevailed in a case and the other side was due to pay $63,000 to his client, through him.

He sent opposing counsel the wiring instructions via email, even though he knew that his email was under attack.  He had even discussed the attack with his client, but he did not tell the opposing counsel.

As you probably guessed, the hacker sent another email to the other attorney with new wiring instructions which, needless to say, did not send the money to the prevailing attorney’s client.

There are a number of twists to this settlement – weird ones – and you can read the article below if you are interested, but one twist was that the prevailing side was supposed to dismiss their case in two days, while the other side didn’t have to pay for 15 days.  So, fundamentally, the dismissal was not conditioned on the prevailing party getting their money.

Both sides went to court – one side to get the losing side to pay another $63k; the other side to get the prevailing side to dismiss their suit without getting paid.

The court said that the side that paid had behaved reasonably.  That side said that the replacement email even used the typical bad grammar that the prevailing attorney used.

Another interesting aspect of this case is that the prevailing counsel claimed that he had no obligation to tell the opposing counsel that his email had been hacked.  The court and counsel could not find any cases that said that counsel had an obligation to inform the other side of the breach.

The court decided that, in the absence of law or precedent, common sense prevails (which is interesting in itself) and said that the losing side did not have to pay again and the prevailing side had to dismiss their suit.

For attorneys, it is important to understand what their obligations might be with regard to protecting email between themselves and their client.

The American Bar Association issued a formal opinion in 2011 titled “Duty to Protect the Confidentiality of E-mail Communication with One’s Client”.  ABA opinions don’t carry the force of law, but I would still think that if there was a problem, citing an ABA formal ethics opinion might carry some weight either in court or in front of the ethics committee, should a client choose to go there.  The summary of the opinion is this:

“A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access. In the context of representing an employee, this obligation arises, at the very least, when the lawyer knows or reasonably should know that the client is likely to send or receive substantive client lawyer communications via e-mail or other electronic means, using a business device or system under circumstances where there is a significant risk that the communications will be read by the employer or another third party.”

It seems like you can break this opinion in half.  The first half says that if the attorney thinks there is significant risk of a third party intercepting emails between the client and attorney, the attorney must warn the client of the risk of using that email.

The second part is related to the first – if the client is an employee of a company and the company has the ability to monitor employee email or routinely does monitor employee emails – including ones to the employee’s attorney, that qualifies as a significant risk and the attorney should warn the client.  The opinion goes on to say that this is only one example of a situation where the emails may be intercepted.

The opinion is tied to ABA model ethics rule 1.6(a) which requires a lawyer to refrain from revealing information relating to his or her client.  Comment 16 to that rule says that a lawyer must act competently to safeguard the client’s information and Comment 17 to that rule says that a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.

Back in 1999 the ABA issued opinion 99-413, which said that lawyers could, in general, use email to communicate with clients without violating rule 1.6, but they needed to make sure that it was okay with the client.

It is important to remember that the 1999 opinion is 17 years old – pre-Snowden, pre Sony email breach and pre- most of the modern day cyber breaches that we see every day.

This new opinion does not define the terms SUBSTANTIVE, SIGNIFICANT, REASONABLY, ORDINARILY or COMPETENT, which is certainly annoying.  It works both for and against the attorney.  An attorney could argue that they are competent, that the risk wasn’t significant or substantive, but just as easily, the client could argue the other side.

Given the large number of email breaches that we have seen in the last few years, it could certainly be claimed that it is REASONABLE, in the eyes of a COMPETENT attorney, to see a SIGNIFICANT risk that email may be compromised, and both model ethics rule 1.6 and opinion 11-459 are more recent than the 1999 opinion.  If the 1999 opinion were used as a defense, a client could certainly claim that while that opinion might have been valid in 1999, it likely isn’t today.

Until the legislatures, courts or ABA opine more definitively on the subject, it might be wise for attorneys – and other business professionals handling confidential information – to err on the side of caution and NOT use unencrypted email for confidential communications.

We recommend the use of Absio Dispatch; the low end version of which is free and the enterprise version of which is very reasonably priced.  (full disclosure:  I am one of the founders of Absio and have a stake in the company).


Information for this post came from The Lawyerist.

The ABA Formal Opinion 11-459 can be found here.

FBI Says Over $2 Billion Lost To CEO Email Fraud

Wow.  That is an impressive number.  As I have talked about before, what the insurance industry calls business email compromise or BEC and what the FBI is calling CEO email fraud is a very lucrative business at $2.3 billion since January 2015.

The way it works is the attacker does a little research on the “mark” – and this is a classic con job, hence the term mark is appropriate – and then sends the mark an email.  Could be the head of finance, someone in the wire room, something like that, pretending to be the CEO or CFO and needing a wire.  With a little social engineering they get their money from the mark.

And, unlike a check or credit card, it is very difficult to get that money back.  Usually, it is transferred out of the target account almost instantly.

Insurance companies, as I have written about, are also starting to push back, saying that this is not a cyber breach because the employee willingly wired the money.  They will cover it, but under a different policy.

There are many variations on exactly how this works, but the result is the same – someone voluntarily wires money to the bad guy.

There are also well known ways to curb this.  In almost all cases, they add some overhead to the process.  If your employee is asked to wire money to someone that they do not wire to normally, ask a question.  Shouldn’t there be a PO?  Or a contract?  Walk down the hall and ask the CEO.  Require two people to approve the wire.  Stuff like that.
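A detection-side complement to those process controls, added here as an example and not taken from the original post: it screens an inbound message for the impersonation pattern described above (an executive’s display name on an external or lookalike sender domain, a mismatched Reply-To, payment language). The company domain, executive directory and sample messages are all constructed.

```python
"""Screen inbound mail for CEO-fraud style impersonation indicators."""
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example-corp.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # constructed directory
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|urgent|confidential)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. 0 for o)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen(from_header: str, reply_to: str, body: str) -> list:
    """Return the BEC indicators found in one message; empty list means none."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    exec_addr = EXECUTIVES.get(name.strip().lower())
    # Executive display name, but the address is not the one on file.
    # (An exact-match From is only trustworthy when DMARC is enforced.)
    if exec_addr and addr.lower() != exec_addr:
        if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike domain {domain}")
        elif domain != COMPANY_DOMAIN:
            findings.append(f"executive display name from external domain {domain}")
    # Replies silently redirected to a different domain.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.rsplit("@", 1)[-1].lower() != domain:
            findings.append("Reply-To points to a different domain")
    # Payment language only matters once a sender anomaly is present.
    if findings and PAYMENT_TERMS.search(body):
        findings.append("payment language present")
    return findings

SAMPLES = {  # constructed messages: (From, Reply-To, body)
    "lookalike": ('"Jane Doe" <jane.doe@example-c0rp.com>', "", "Please wire 40,000 EUR today. Confidential."),
    "freemail": ("Jane Doe <janedoe.ceo@freemail.example>", "", "Need an urgent transfer for a deal."),
    "replyto": ('"Jane Doe" <jane.doe@example-corp.com>', "Jane Doe <j.doe@mail.example>", "Process this invoice quickly."),
    "genuine": ("Jane Doe <jane.doe@example-corp.com>", "", "Can you send me the Q3 forecast?"),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", screen(*msg) or "no indicators")
```

Flagged messages are candidates for the out-of-band check the post recommends (walk down the hall, phone the known number), not an automatic block.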

Brian Krebs reports on a couple of well known phishes – Mattel toys, $3 million, Ubiquiti, $46 million and Scoular, $17 million, among many others.  None of these companies will go out of business, but it is both embarrassing and expensive.

The best one, though, is when the company Phish Me, which makes anti-phishing management software, was itself targeted by a phishing attempt.  They, as you might expect, did not fall for the con, but did decide to play with the attacker.  That is all documented in the Phish Me article below, so I am not going to repeat it.  The article is a wonderful tool to use in training, however.

At this point, organizations need to fortify the payments process.  As the bank robber Willie Sutton is reported to have said – that is where the money is.

To do that is pretty simple – one part training, one part process and one part sheer will.  There should be a well documented process on how to get money out of your company and based on the particular business model, you should figure out where the soft underbelly is and armor it up.

For those of you who are interested in the details of how these attackers pull these attacks off, I recommend reading the Phish Me article.

For everyone else, this would be a good time to look at your accounting process.

Information for this post came from Krebs On Security and Phish Me.