Dutch Film Boss Sacked After €19m BEC Loss
The CEO and finance director of film company Pathé’s Dutch operation were sacked after falling victim to a sophisticated BEC scam that netted the criminals €19m ($21m), it has emerged.
Finance boss Edwin Slutter and chief Dertje Meijer are now suing for unfair dismissal, according to reports based on newly released court documents.
The scam followed a tried-and-tested path, with fraudsters spoofing the email address of a higher-up: in this case the CEO of the French film company, back in March.
Emailing Meijer, they claimed the firm was in acquisition talks with a Dubai company and needed to send a confidential payment of €826,521 ($931,600) which would be repaid at the end of the month.
After consulting with Slutter, and receiving an invoice for said amount, Meijer authorized the payment, made to a bank account operated by “Towering Stars General Trading LLC” in Dubai.
Three more payments followed, until by March 27, Pathé Nederland had paid over a total of €19.2m, according to DutchNews.nl.
The Paris HQ eventually caught wind of what happened and the two were sacked by the month’s end.
In the end, the court decided that Slutter should not have been sacked on the spot. It reportedly ordered that he be paid his monthly salary of €13,500 ($15,200) from March until the end of the year, when his contract should be formally dissolved.
The case is yet another warning of the perils of BEC, also known as CEO fraud, which has netted cyber-criminals over $12.5bn since 2013.
Stephen Burke, CEO at Cyber Risk Aware, argued that senior executives should work on the assumption that they are being actively targeted.
“Details on C-Suite executives are often publicly available which makes it incredibly easy for cyber-criminals to customize social engineering attacks on a company. They could send believable phishing emails or call the company to establish an executive’s whereabouts to inform the type of messaging to use in their attack,” he explained.
“To overcome this, organizations must make security awareness a priority, so C-Level executives can learn how to follow best practice, as well as being empowered to report anything suspicious.”
Source: Information Security Magazine