I’ve written about email-based fraud before. I cover it in every talk I give. It’s in our 20-minute guide to cyber-security. It’s in our October newsletter. It’s made the mainstream news. But whether you call it spear-phishing, whaling or “business email compromise” it seems that all the training in the world just can’t help some people.
In this case the CEO and CFO of the Dutch subsidiary of Pathé were taken in by an elementary email fraud. To the tune of almost 20m€. Twenty. Million. Euros.
What did it take to get this lottery-sized jackpot? Seven emails. Not even a fake lawyer behind a fake phone number – like in the Scoular case. Just seven emails. No hacking. No “penetrating the firewall”. A bit of research on LinkedIn, seven emails, and the astonishing incompetence and credulity of two very senior managers. Managers who even thought it was a bit odd, and emailed each other to say so, but still sent the money.
So if you think you’re too smart to need help, or that you can’t afford to slow down your treasury function by introducing structured, mandatory validation processes, then the criminal community thanks you from the bottom of its black and withered heart. After all, someone has to keep them in Cristal and Bentleys.