One of Europe’s biggest companies just lost $45M in a business email scam

Leoni Group’s office in Bisitra, Romania, targeted by scammers.

Leoni AG, a billion-dollar (market cap) manufacturer of cables and cable harnesses for car manufacturers, announced last month that it had fallen victim to a business email compromise (BEC) scam. The cost? 40 million Euros, or about $45 million.

Leoni’s stock dropped about 8% on news of the fraud.

Leoni announced the fraud on August 16, a few days after it had happened. Upon hearing the news, the stock markets reacted by slicing Leoni’s stock by 8 percent, erasing about $60 million in market value from the company. The stock has since recovered somewhat, but is still lower than it was on August 15, when it was at an 8-month high. And the top headlines on the Google Finance page for Leoni still highlight the fraud — an ongoing public relations headache for the company.

Add the lost cash and the loss in market value together, and Leoni said goodbye to about $100 million in one day — all because of a single email.

That email followed the classic BEC pattern. It was sent to the chief financial officer of the company’s Romanian factory, and appeared to be an email from Leoni’s CEO. Naturally, the CFO responded by following the boss’s instructions and transferring the money as requested. There was just one problem: The account the funds were being transferred into belonged to scammers, who still haven’t been found.

Leoni’s press release noted that the company’s IT infrastructure and data security had not been damaged. This was an impersonation attack, plain and simple.

Why does this keep happening? It’s because Leoni, like most companies, is not taking advantage of available tools that can validate the identity of an email sender. While it does have an SPF record setup, Leoni is not using DMARC, the more complete and more current email authentication technology, as Valimail’s email authentication checker reveals.

In the absence of email authentication (through standards such as SPF, DKIM, and DMARC), it’s all too easy for senders to impersonate executives at a company. Add in some social engineering and a well-crafted email body, and you can see how people keep falling for scams like this.

If there’s any consolation for Leoni’s executives, it’s that they’re not alone. A U.S. company recently lost $98 million through a similar BEC scam. And the FBI estimates that $3.1 billion has been lost through BEC since January, 2015.

But wouldn’t it be better to just stop the scams through effective email authentication?

About Valimail: Valimail is an anti-phishing company that has been driving the global trustworthiness of digital communications since 2016, with the only comprehensive platform for stopping fake email, protecting brands, and helping ensure compliance. Valimail has won multiple cybersecurity technology awards and authenticates billions of messages a month for some of the world's biggest companies, including Uber, Fannie Mae, WeWork, and the U.S. Agency for International Development. Valimail is based in San Francisco. For more information visit www.Valimail.com.

Related Posts