Leoni AG, a billion-dollar (market cap) manufacturer of cables and cable harnesses for car manufacturers, announced last month that it had fallen victim to a business email compromise (BEC) scam. The cost? 40 million Euros, or about $45 million.
Leoni announced the fraud on August 16, a few days after it had happened. Upon hearing the news, the stock markets reacted by slicing Leoni’s stock by 8 percent, erasing about $60 million in market value from the company. The stock has since recovered somewhat, but is still lower than it was on August 15, when it was at an 8-month high. And the top headlines on the Google Finance page for Leoni still highlight the fraud — an ongoing public relations headache for the company.
Add the lost cash and the loss in market value together, and Leoni said goodbye to about $100 million in one day — all because of a single email.
That email followed the classic BEC pattern. It was sent to the chief financial officer of the company’s Romanian factory, and appeared to be an email from Leoni’s CEO. Naturally, the CFO responded by following the boss’s instructions and transferring the money as requested. There was just one problem: The account the funds were being transferred into belonged to scammers, who still haven’t been found.
Leoni’s press release noted that the company’s IT infrastructure and data security had not been damaged. This was an impersonation attack, plain and simple.
Why does this keep happening? It’s because Leoni, like most companies, is not taking advantage of available tools that can validate the identity of an email sender. While it does have an SPF record set up, Leoni is not using DMARC, the more complete and more current email authentication technology, as Valimail’s email authentication checker reveals.
In the absence of email authentication (through standards such as SPF, DKIM, and DMARC), it’s all too easy for senders to impersonate executives at a company. Add in some social engineering and a well-crafted email body, and you can see how people keep falling for scams like this.
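As an added example (not part of the original post or Valimail’s checker), the following Python reads a domain’s SPF and DMARC TXT records and reports whether receivers have been told to reject spoofed mail. The DNS answers and domain names are constructed inline so it runs offline; only a DMARC policy of quarantine or reject, applied to all mail, actually instructs receiving servers to block a forged From: address.

```python
"""Classify a domain's email-authentication posture from SPF and DMARC TXT records."""

# Constructed sample DNS data (illustrative names, not any real company's records).
SAMPLE_DNS = {
    "spf-only.test": ["v=spf1 include:_spf.mailer.test -all"],
    # No _dmarc.spf-only.test record: SPF alone does not protect the visible From: header.
    "hardened.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test; pct=100"],
    "monitor.test": ["v=spf1 ~all"],
    "_dmarc.monitor.test": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.test"],
}


def lookup_txt(name, resolver=SAMPLE_DNS):
    """Return the TXT strings for a DNS name; swap in a real resolver for live checks."""
    return resolver.get(name, [])


def parse_dmarc(record):
    """Split a 'v=DMARC1; p=reject; ...' record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, resolver=SAMPLE_DNS):
    """Report SPF/DMARC presence, the DMARC policy, and whether spoofs are still accepted."""
    spf = [r for r in lookup_txt(domain, resolver) if r.lower().startswith("v=spf1")]
    # The DMARC version tag must match exactly; records that do not start with it are ignored.
    dmarc = [r for r in lookup_txt("_dmarc." + domain, resolver) if r.startswith("v=DMARC1")]
    result = {"spf": bool(spf), "dmarc": bool(dmarc), "policy": None, "spoofable": True}
    if dmarc:
        tags = parse_dmarc(dmarc[0])
        result["policy"] = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))  # share of mail the policy applies to
        # Receivers only block forged From: addresses under an enforcing policy at 100%.
        result["spoofable"] = not (result["policy"] in ("quarantine", "reject") and pct == 100)
    return result


if __name__ == "__main__":
    for name in ("spf-only.test", "hardened.test", "monitor.test"):
        print(name, assess_domain(name))
```

A domain with SPF but no DMARC record lands in the same "spoofable" bucket as one with p=none: both leave receivers free to deliver a message that merely claims to come from the CEO.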
If there’s any consolation for Leoni’s executives, it’s that they’re not alone. A U.S. company recently lost $98 million through a similar BEC scam. And the FBI estimates that $3.1 billion has been lost through BEC since January 2015.
But wouldn’t it be better to just stop the scams through effective email authentication?