Leoni AG Lost €40 Million ($45M) to Whaling Phishing Scam

Leoni AG is a 100-year-old company headquartered in Nuremberg, Germany. It is a global supplier of wiring systems and cable technology with 76,000 employees in 32 countries and a market cap of €1,015 million ($1,140 million), and is listed on the Frankfurt stock exchange.

Yet this behemoth fell prey to a fairly simple spoof-email scam in August that cost it €40 million in cash ($45 million) and has, unsurprisingly, resulted in a profit warning.

The company reported that fraudsters used fake emails and identities to target one individual, and succeeded in having funds transferred from a company bank account to an account the fraudsters controlled. They picked a factory in Romania, the only one of the company's four factories in that country authorized to handle international money transfers. The spoof emails purported to come from a senior director in Germany and were apparently accepted without question by the officer in Romania.

Whaling is the term for the type of phishing scam that targets just one individual in a corporation. To succeed, the fraudsters carry out an in-depth investigation of the company: its mode of operation, its styles of communication, its security capabilities, and the target victim's roles, responsibilities, staff and so on. Whether insider assistance was involved is not known at this point, but the required information can be obtained and pieced together by clever, patient fraudsters who use social engineering to ferret out small elements of the overall picture, each of which may appear innocuous in isolation.

To achieve this level of sophistication, fraudsters often register domain names so close to the real company's domain that a quick glance does not detect the slight difference. An email from such a fake domain, formatted identically to genuine emails and written in a similar style, can easily be accepted as the genuine article.
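The lookalike-domain check described above can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not code from the article's author or from Leoni AG: it classifies the domain of each From: header against a trusted-domain list using homoglyph folding, Damerau-Levenshtein distance and label embedding. The only domains taken from the article are its own illustrative pair (`leoniaag.com` and `leoniag.com`); the trusted list, the homoglyph table and the sample headers are constructed for the example.

```python
"""Lookalike sender-domain detection (added example, not from the article)."""
import re
from typing import List, Tuple

# Single characters fraudsters commonly swap for a visually similar one (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(label: str) -> str:
    """Fold common visual substitutions so 'le0niaag' compares equal to 'leoniaag'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance between two labels."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label of a domain (naive: no public-suffix list, so 'co.uk' is not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>' or 'user@host'."""
    m = re.search(r"<([^>]+)>", header_value)
    address = m.group(1) if m else header_value.strip()
    return address.rsplit("@", 1)[-1].lower()


def classify_sender(header_value: str, trusted: List[str], max_distance: int = 2) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", "exact match"
    sd = registrable_label(domain)
    for t in trusted:
        td = registrable_label(t)
        if sd == td:
            return "lookalike", f"same label as {t} under a different TLD"
        if normalise(sd) == normalise(td):
            return "lookalike", f"homoglyph variant of {t}"
        if edit_distance(normalise(sd), normalise(td)) <= max_distance:
            return "lookalike", f"within {max_distance} edits of {t}"
        if len(td) >= 5 and td in sd:  # length guard keeps short labels from matching everything
            return "lookalike", f"embeds the label of {t}"
    return "unknown", "no relation to a trusted domain"


def triage(from_headers: List[str], trusted: List[str]) -> List[Tuple[str, str, str]]:
    """Run the classifier over a batch of From: headers."""
    return [(h,) + classify_sender(h, trusted) for h in from_headers]


if __name__ == "__main__":
    trusted_domains = ["leoniaag.com"]               # the article's example official domain
    sample_headers = [                               # constructed sample From: headers
        "Finance Director <director@leoniaag.com>",
        "Finance Director <director@leoniag.com>",   # the article's example fake domain
        "cfo@leoniaag.co",
        "billing@le0niaag.com",
        "ceo@leoniaag-finance.com",
        "vendor@supplier-example.net",
    ]
    for header, verdict, reason in triage(sample_headers, trusted_domains):
        print(f"{verdict:9} {header:45} {reason}")
```

A "lookalike" verdict is a reason to hold the message for review, not proof of fraud; the "unknown" bucket is where ordinary external mail lands, and the distance threshold should be tuned against the organisation's real domain list to keep false positives manageable.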

The core of the problem is that the fatal email was accepted as genuine without question. The fraudsters invested time and expertise in investigating Leoni AG. Con artists have been honing their email phishing skills for well over 20 years, and many have perfected their technique to the extent that their fraudulent emails and other identification instruments are instantly accepted by victims. Fraud has always moved with the times, but the public has usually been slow to cotton on. According to reports following a similar attack last year, these attacks have been on the increase.

What precautions can we take to safeguard against this type of scam?

1. Watch out for email addresses with lookalike domain names. For example, if the official domain were @leoniaag.com, fraudsters might use a near-identical one such as @leoniag.com to phish victims.

2. If you receive an email requesting a financial transaction, pick up the phone and call the person, using a number you already have on file rather than one given in the email. Never enter sensitive information into pop-up browser windows.

3. Use an anti-phishing and anti-spam service. It's easier to get caught when you're focused on mission-critical business operations and can't spare a moment to double-check the authenticity of email senders. Security solutions will make your life easier.

4. When you must click through a link, hover the mouse over it to see the actual URL – bottom right of the browser if you're using Chrome. Make sure the links you need to access are valid and secure: check for the HTTPS certificate, and don't click shortened URLs.

5. Educate employees at all levels so that they are security-aware and up to date with the latest phishing threats, prevention practices and solutions.

6. Make sure attachments are valid and safe before downloading or opening them.
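Point 4 above can be applied mechanically to every link in a message before it reaches a user. The following is an added example, not code from the article or from Leoni AG: it parses the HTML body of an email, collects each link together with its visible text, and reports the checks the article lists (HTTPS scheme, no URL shortener, visible text and real destination agree, host belongs to a trusted domain) plus the user-info-before-`@` trick that hides the real host. The trusted list, the shortener list and the sample message are constructed for the example and reuse the article's illustrative domains.

```python
"""Inspect links in an HTML email body before anyone clicks (added example, not from the article)."""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Illustrative list of URL-shortener hosts; a real deployment would maintain its own.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/x' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def inspect_link(href: str, text: str, trusted: List[str]) -> List[str]:
    """Return the problems found with one link; an empty list means it passed every check."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("not https")
    if host in SHORTENERS:
        findings.append("shortened url")
    if "@" in parsed.netloc:
        findings.append("user-info before '@' hides the real host")
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = host_of(text)  # the text looks like a URL: does it match where the link really goes?
        if shown != host:
            findings.append(f"text shows {shown} but href goes to {host}")
    if not any(host == t or host.endswith("." + t) for t in trusted):
        findings.append("host not in trusted list")
    return findings


def inspect_email(html_body: str, trusted: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse the body and inspect every link; returns (href, text, findings) triples."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, inspect_link(href, text, trusted)) for href, text in collector.links]


# Constructed sample message reusing the article's example domains.
SAMPLE_HTML = """
<p>Please approve <a href="https://portal.leoniaag.com/approve">the transfer</a> today.</p>
<p>Login: <a href="http://leoniag.com/login">https://portal.leoniaag.com/login</a></p>
<p>Invoice: <a href="https://bit.ly/inv0ice">click here</a></p>
<p>Portal: <a href="https://leoniaag.com@203.0.113.5/x">secure portal</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in inspect_email(SAMPLE_HTML, ["leoniaag.com"]):
        status = "OK " if not findings else "BAD"
        print(f"{status} {href:45} shown as {text!r}: {findings}")
```

The "host not in trusted list" finding fires for every legitimate external link as well, so in practice it is a prompt to look closer rather than a block; the text-versus-href mismatch and the user-info trick are the findings that almost never have an innocent explanation.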

It does seem unusual that an officer of a company would execute such a huge financial transaction on the basis of a single email. One would expect some basic countermeasures, such as at least a phone conversation with the authorizing director, or a second authorization of the kind required when corporate checks are cut. Such common-sense precautions are easy to implement.
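The two countermeasures named above (a callback to the authorizing director and an independent second authorization) are easy to encode as a release gate in a payment workflow. The following is an added example, not code from the article or from Leoni AG's systems: it refuses to release a transfer unless the instruction was confirmed by calling the director's directory number, the beneficiary is already registered, and, above a threshold, a second approver who is neither the requester nor the instructing director has signed off. The staff directory, the threshold, the role names and the sample requests are all constructed for the example.

```python
"""Maker/checker release gate for outgoing payments (added example, not from the article)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DUAL_CONTROL_THRESHOLD_EUR = 10_000  # constructed policy value

# Constructed staff directory: who may instruct/approve, who may enter payments, and
# the phone number on file (the only number a callback may be made to).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "director.de": {"role": "approver", "phone": "+49-000-0000"},
    "controller.de": {"role": "approver", "phone": "+49-000-0001"},
    "officer.ro": {"role": "requester", "phone": "+40-000-0000"},
}


@dataclass
class TransferRequest:
    request_id: str
    amount_eur: float
    beneficiary: str
    requested_by: str                      # staff id of the person entering the payment
    instructed_by: str                     # staff id the instructing email claims to come from
    callback_number: Optional[str] = None  # number actually dialled to confirm the instruction
    approvals: List[str] = field(default_factory=list)  # staff ids who independently approved


def release_blockers(req: TransferRequest, known_beneficiaries: Set[str]) -> List[str]:
    """Return every reason the payment must NOT be released; an empty list means release is allowed."""
    blockers = []
    instructor = DIRECTORY.get(req.instructed_by)
    if instructor is None or instructor["role"] != "approver":
        blockers.append("instruction does not come from a known approver")
    elif req.callback_number != instructor["phone"]:
        # A number taken from the email itself would not match the directory entry.
        blockers.append("instruction not confirmed by callback to the directory number")
    if req.beneficiary not in known_beneficiaries:
        blockers.append("new beneficiary must be verified and registered first")
    if req.amount_eur >= DUAL_CONTROL_THRESHOLD_EUR:
        # The second approver must be independent of both the requester and the
        # person whose instruction is being verified.
        independent = [a for a in req.approvals
                       if a not in (req.requested_by, req.instructed_by)
                       and DIRECTORY.get(a, {}).get("role") == "approver"]
        if not independent:
            blockers.append("large transfer needs a second approver who is neither requester nor instructor")
    return blockers


def can_release(req: TransferRequest, known_beneficiaries: Set[str]) -> bool:
    return not release_blockers(req, known_beneficiaries)


if __name__ == "__main__":
    known = {"SUPPLIER-001"}  # constructed beneficiary register
    # Constructed request resembling the scenario in the article: one email, no callback,
    # an unknown account, no second signature.
    rushed = TransferRequest("R-1", 40_000_000, "UNKNOWN-ACCOUNT", "officer.ro", "director.de")
    # The same amount handled under the controls described above.
    checked = TransferRequest("R-2", 40_000_000, "SUPPLIER-001", "officer.ro", "director.de",
                              callback_number="+49-000-0000", approvals=["controller.de"])
    for r in (rushed, checked):
        print(r.request_id, "RELEASE" if can_release(r, known) else "HOLD", release_blockers(r, known))
```

The gate treats the instructing director's own approval as insufficient on purpose: when the instruction itself may be forged, the second signature has to come from someone whose identity was not asserted by the suspect email.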

Phishing and social engineering are now so commonplace that security firms offer training courses for company staff, educating them on how to recognize the likely warning signs of a scam. Corporations have no excuse for not running at least an awareness program, but no doubt some will only realize that when it is too late.