Scoular Company, a $6 billion, 800-employee commodities trading company, got bilked out of a little more than $17 million in a modified spear phishing attack.
Simply put, the attacker generated emails over time last summer to the company’s CFO that looked like they came from the company’s CEO and their Auditor that instructed the CFO to wire installment payments for an acquisition to a bank in China. That seemed plausible since the company was trying to expand in China (see article).
In the setup emails, which seemingly came from the company's CEO, the attacker said that they were working on a blockbuster international deal, swore the recipient to secrecy, and told him to communicate only through this email address so as not to infringe on SEC regulations.
Those requests should have sent the CFO RUNNING down the hall to the CEO to confirm the authenticity of the request, but it did not.
In additional emails, the CFO was told to wire $780,000 first, then $7 million and finally $9.4 million to a bank in China. All told, they were out $17 million.
For a company that big, a $7 million wire probably isn’t that out of the ordinary, but the secrecy part as well as using an unusual email address to communicate should have been a tip-off.
Wires, unlike checks, are almost impossible to reverse and international wires are even harder.
The FBI is working on the case, but I would say the odds of them recovering their money are low.
The good news is that this attack will not have a material effect on Scoular’s financials.
If you scale the request down to match the size of your company, would your internal controls detect this form of attack before the money went out the door? There is an opportunity to learn from an incident like this so your employees do not get sucked in the way Scoular's were.
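As an added illustration of what such a pre-disbursement control could look like (example code written for this post, not Scoular's process or any vendor's product), the following sketch holds a wire request until the red flags described above have been cleared: the instruction must come from the company's own mail domain, secrecy or "only use this address" language is flagged, and large or international wires require out-of-band confirmation plus a second approver. The domain, the dollar thresholds, the phrase list and both sample requests are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the post or from Scoular. A pre-disbursement control
# that holds a wire request until the BEC red flags the post describes (secrecy
# demand, unusual sender address, large or international amount) have been
# cleared. All names, thresholds and sample data below are constructed.

COMPANY_DOMAIN = "example.com"      # assumed: the company's real mail domain
OUT_OF_BAND_LIMIT = 25_000.00       # assumed: above this, confirm by phone or in person
DUAL_APPROVAL_LIMIT = 100_000.00    # assumed: above this, a second approver signs off
HOME_COUNTRY = "US"                 # assumed: wires leaving the country get extra scrutiny

# Phrases typical of the "swear you to secrecy / use only this address" setup.
SECRECY_PHRASES = (
    "keep this confidential",
    "do not discuss",
    "only communicate through this",
    "use only this email",
    "sec regulations",
)


@dataclass
class WireRequest:
    amount: float
    beneficiary_country: str
    sender_address: str                   # the From: address actually used
    reply_to: str                         # Reply-To: address, "" if absent
    body: str
    confirmed_out_of_band: bool = False   # verified by phone or in person
    second_approver: Optional[str] = None


def mail_domain(address: str) -> str:
    """Return the lowercased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(req: WireRequest) -> tuple[bool, list[str]]:
    """Return (release_ok, reasons); release_ok is False if any control fails."""
    reasons: list[str] = []

    # 1. The instruction must come from the company's own domain, and Reply-To
    #    must not quietly redirect the conversation somewhere else.
    if mail_domain(req.sender_address) != COMPANY_DOMAIN:
        reasons.append(f"sender {req.sender_address} is not on {COMPANY_DOMAIN}")
    if req.reply_to and mail_domain(req.reply_to) != mail_domain(req.sender_address):
        reasons.append(f"reply-to {req.reply_to} differs from sender domain")

    # 2. Secrecy or channel-restriction language is itself a red flag.
    lowered = req.body.lower()
    hits = [p for p in SECRECY_PHRASES if p in lowered]
    if hits:
        reasons.append("secrecy/channel-restriction language: " + ", ".join(hits))

    # 3. Amount- and destination-based controls, applied no matter how
    #    convincing the e-mail looks.
    if req.amount > OUT_OF_BAND_LIMIT and not req.confirmed_out_of_band:
        reasons.append(f"amount {req.amount:,.2f} exceeds out-of-band limit without confirmation")
    if req.beneficiary_country.upper() != HOME_COUNTRY and not req.confirmed_out_of_band:
        reasons.append("international wire not confirmed out of band")
    if req.amount > DUAL_APPROVAL_LIMIT and not req.second_approver:
        reasons.append(f"amount {req.amount:,.2f} requires a second approver")

    return (not reasons, reasons)


# Constructed sample resembling the first installment described in the post.
SUSPECT = WireRequest(
    amount=780_000.00,
    beneficiary_country="CN",
    sender_address="ceo@example-mail.net",
    reply_to="",
    body="We are working on a blockbuster international deal. Keep this "
         "confidential and only communicate through this address so we do "
         "not run afoul of SEC regulations. Wire the first installment today.",
)

# Constructed sample of the same payment after it has gone through the controls.
CLEARED = WireRequest(
    amount=780_000.00,
    beneficiary_country="CN",
    sender_address="ceo@example.com",
    reply_to="",
    body="Please wire installment one per the board-approved acquisition memo.",
    confirmed_out_of_band=True,
    second_approver="controller",
)

if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("cleared", CLEARED)):
        ok, why = evaluate(req)
        print(name, "RELEASE" if ok else "HOLD", why)
```

The point of the amount and destination rules is that they do not depend on anyone spotting the forged address: even a perfectly convincing message cannot release a large or international wire until a person has confirmed it through a channel the attacker does not control.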