A CEO Who Lost Million Dollars! A Real Life Cyber Crime Story



MFAME has been featuring tons of case studies from shipboard accidents and fuel problems.  While the main aim is safety awareness and safe handling of fuels onboard, in this write-up, we would like to draw your attention towards cyber crime, an increasing threat to shipping and associated business services.

Ladies and gentlemen, we warn you that fraudulent groups are aiming to scam you and your business.  The growing number of cyber crime cases is not limited to individuals; targeting business organizations can be a million-dollar deal if struck well.  The scenario can be compared with anything from armed robbery and fuel pilferage to major ship hijacks.

On one end of the rope, the evolution of technology has paved the way for green shipping and a reduction in carbon footprint.  On the other end of the rope are those who suck money out of business organizations, and among their methods cybercrime has been a growing threat in recent days.  We are yet to hear of cases like the one portrayed in the movie ‘Speed – 2’, where a cruise ship was hijacked or diverted for precious goods.

Here is a case which will blow your mind!

Spare Parts SCAM!

The one which is expected to hit the Shipping Industry more than Ever!

A member has reported an attempt in which a company was defrauded of several hundred thousand dollars through email fraud.  The incident occurred when the company was seeking to legitimately purchase reconditioned equipment from a vendor in a different part of the world.  This was a deliberate attempt to defraud lasting several weeks, involving more than one email.  By using a subtle and difficult-to-notice change to email addresses, the fraudster was able to persuade employees of the company to transfer funds into a bank account other than that specified by the true vendor of the equipment.  Whilst the incident was reported to the local police, to the banks involved and to Interpol, the international nature of the fraud meant that the funds could not be recovered.

CEO Scam! – A million-dollar-deal!

You return from a trip to find that hundreds of thousands of dollars have been transferred out of company accounts – apparently at your instruction.

But you have no idea what your accountant is talking about – you didn’t give any instructions.

This is what happened to Carole Gratzmuller, boss of a medium-sized French company called Etna Industrie.  Her firm, which employs 50 people and has been making industrial equipment on the outskirts of Paris for nearly 75 years, was the victim of a specialized email phishing attack dubbed CEO fraud, or “fraude au president” as they call it in France.

‘Confidential transaction’:

“My accountant was called on Friday morning,” she tells the BBC.  “Someone said: ‘You’re going to get an email from the president, and she’s going to give you instructions to conduct a very confidential transaction and you’re going to have to respond to whatever instructions she gives you’.”

The accountant was then emailed from an address with Ms. Gratzmuller’s name in it, saying Etna Industrie was buying a company in Cyprus.

The email said the accountant was going to get a phone call from a consultant working with a lawyer, who would then give her instructions as to where to transfer the money.

“Everything happened between 9 and 10 o’clock,” says Ms. Gratzmuller.  “The accountant probably got about 10 emails in that time and three or four different phone calls”.

The fraudsters pressured her into acting quickly, without thinking – a standard feature of this type of phishing fraud.  “They didn’t give her a moment to sit back and think that this was unusual,” she says.

‘Vulnerable’:

Before noon, the accountant had authorized wire transfers totaling €500,000 (£372,000; $542,000) to foreign bank accounts.  Luckily for Etna Industrie, three of the wire transfers were held up by the banks, but one for €100,000 went through.

The many faces of business email fraud:

  1. Someone poses as a boss of a company instructing staff to make a wire transfer to the fraudster’s account
  2. Fraudsters pose as the IT services department of a bank saying they want to make a test transfer – but it’s not a test
  3. Fraudsters claim to be a supplier and ask for outstanding invoices to be paid into a new bank account
  4. Employees click on links within phishing emails containing malware which authorizes many small payments to the fraudster’s account

The company got this money back after the bank in question was found to be at fault by the French courts.  However, the bank is appealing against the decision.  “It’s like when your house or apartment gets broken into,” says Ms. Gratzmuller.  “You feel vulnerable.  People get into your life and they know things about you and you have no clue, and they take things from you.”


Lessons Learnt:

Members should remain vigilant, liaise with their own IT departments and continue to work to ensure the safety and security of their internal and external email communications.

To reiterate, close attention should be paid to the following:

  1. Changes to bank account numbers, addresses of legal entities or any other significant information;
  2. Details of wording, spelling, grammar, and context – these can often provide clues to the fact that an email is fake;
  3. The use of private or personal email addresses in the business world.  This can sometimes – but not always – be a clue;
  4. Subtle changes to the email address or to the servers or internet domains from which they are sent;
  5. Links provided which may inappropriately divert the user to websites other than those intended for business use.
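
Items 1, 3 and 4 above can be partly automated before a payment is released. The sketch below is an added example, not part of the original article or of any tool it mentions: it compares the sender domain and requested bank account of a payment email against a vendor record. The vendor domain, account value, free-mail list and the edit-distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed vendor master record: trusted domain -> bank account on file.
VENDORS = {"acme-marine.example": "XX00CONSTRUCTED0001"}
# Illustrative list of personal/free mail providers (assumption).
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def review_payment_email(from_header, requested_account):
    """Return a list of warnings for one payment-request email."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    account = requested_account.replace(" ", "")
    warnings = []
    if domain in VENDORS:
        # Known domain: only the account change (item 1) can be checked here.
        if account != VENDORS[domain]:
            warnings.append("bank account differs from vendor record")
        return warnings
    if domain in FREEMAIL:
        warnings.append("personal/free email domain")          # item 3
    for known, known_account in VENDORS.items():
        if 0 < edit_distance(domain, known) <= 2:              # item 4
            warnings.append(f"domain resembles {known}")
            if account != known_account:
                warnings.append("bank account differs from vendor record")
    return warnings or ["unknown sender domain"]
```

An empty result is not proof that a request is genuine; a change of bank details still warrants confirmation with the vendor through a contact already on file.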

It is of particular importance to take care when there is unfamiliarity with terminology or when administration of this sort is being carried out by persons whose first language may not be the same language as that in which the business communication is taking place.

Hackers are Hired Everywhere!

A prestigious shipping body/organization appoints hackers to work with its IT team.  The fantastic part is that the hackers get a bonus, on top of their monthly wages, if they successfully hack the website or the IT system.  At one end, IT engineers reinforce the IT security systems to prevent hacking/phishing, whereas on the other end hackers are appointed to break the security system.

Isn’t it interesting?


Source: BBC & IMCA