Email breach chronicles: FACC's million-dollar deception - CEO fraud in 2016

FACC is an Austria-based aerospace manufacturer, whose customers include reputed giants such as Airbus, Boeing, and Rolls-Royce. In 2016, a phisher, posing as FACC's CEO sent an email to an employee in the finance department, instructing them to send close to €50 million for an acquisition project that the company was working on. The cybercriminal had previously broken into the company's email server and studied the CEO's writing habits to make the email appear authentic. In January 2016, the employee made a wire transfer of €42 million to an attacker-controlled bank account. After the company identified the attack, it managed to recoup €10.9 million of the stolen funds from being transferred.

Type of attack

CEO Fraud, also referred to as Whaling or Business Email Compromise (BEC), is a type of spear phishing where malicious actors impersonate a high-ranking executive, typically the CEO or another senior executive, within an organization. The perpetrators utilize social engineering techniques to deceive employees into making financial transfers or divulging sensitive information. 

Timeline

• Unauthorized access: Cybercriminals gained unauthorized access to FACC's email server and studied the writing habits and style of the company's CEO Walter Stephan.
• Social engineering: The cybercriminals sent a fraudulent email to an employee in the finance department, impersonating the CEO and requesting a transfer of €42 million for an alleged acquisition project.
• Employee compliance: Unable to detect the fraudulent nature of the email, the employee complied with the request and transferred the funds to an attacker-controlled bank account.
• Financial impact: FACC's share price dropped significantly, and the company reported a substantial decrease in earnings for the fiscal year.
• May 2016: The CEO was terminated from his position due to his involvement in the unauthorized transfer. The CFO and the finance department employee who fell for the phishing scam were also dismissed.
• Lawsuits: FACC sued the former CEO and CFO for $10 million, alleging their failure to adequately protect the company against cyber fraud. However, the Austrian courts dismissed both lawsuits.
• Hacker's identity: The identity of the hacker remains unknown, but a Chinese citizen was arrested in Hong Kong for money laundering related to the attack. FACC worked on recovering €10 million frozen in different countries, while €32 million remained unrecovered.
• Increased awareness and security measures: FACC implemented new security measures and conducted a thorough review of internal processes to prevent similar incidents in the future. The company also emphasized cybersecurity training for employees to enhance vigilance in handling sensitive communications.

Origin

The origin of the incident was when a perpetrator after learning the writing style of FACC's CEO, impersonated him and emailed an FACC employee working in the finance department requesting a transfer of €42 million for an "acquisition project".

Initial publication

• FACC, on their blog, revealed that they had become a victim of "a crime act using communication- information and information technologies."  The blog was later removed by the company. 
• In May 2016, FACC released its 2015/2016 financial results claiming that they were able to block €10.9 million from being transferred, and dismissed the company's CEO.
• In July 2016, a 32-year-old Chinese man who was an authorized signatory of a Hong Kong-based firm that received around €4 million from FACC was arrested on suspicion of money laundering.

Geographical spread

The attack did not spread to different countries per se, but as a result of the wire transfer of €42 million by the victim, the money was transferred to many Asian countries and a few European countries such as Slovakia.

Attack vectors

The attack vector is a type of email phishing called the CEO scam or Business Email Compromise (BEC) wherein the perpetrator studied the writing style of the CEO, impersonated him and emailed an employee in the finance department demanding a transfer of €42 million. 

Vulnerability exploited

The attacker exploited the vulnerability in the company's email server and broke into it to study the writing habits of the company's CEO Walter Stephan. The lack of cybersecurity awareness and training among FACC employees was also exploited. 

Perpetrators

The actual perpetrator of the attack has not been found as of this time. The only person who has been found guilty in relation to the attack is a 32-year-old Chinese man, who was supposedly an authorized signatory of a Hong Kong based firm. The firm had received around €4 million from FACC.

Motive

The main motive of the attack was to extort money from FACC's employees by impersonating FACC's CEO. 

Execution and methodology

• Social engineering and impersonation: The CEO fraud incident at FACC involved sophisticated social engineering techniques. The attackers carefully studied the writing habits and quirks of the company's CEO to craft a convincing email impersonating him. They used this knowledge to create a fraudulent message requesting a significant financial transfer for an alleged "acquisition project." The email was designed to deceive the recipient into believing it was a legitimate communication from the CEO.
• Phishing and deceptive communication: The attackers utilized phishing tactics to deliver the fraudulent email to an employee in the finance department. They may have used various techniques to make the email appear genuine, such as spoofing the CEO's email address or mimicking the company's communication style. The goal was to deceive the employee into believing the email was legitimate and following the instructions within it.
• Manipulation of trust and authority: The attackers exploited the employee's trust in the CEO's authority and instructions. By posing as the CEO and using their position of power, they created a sense of urgency and importance around the financial transfer request. This manipulation aimed to override the employee's usual caution and critical thinking, leading to compliance with the fraudulent request.
• Financial transaction manipulation: The fraudulent email instructed the finance department employee to transfer a substantial amount of €42 million to an attacker-controlled bank account. The attackers likely provided plausible justifications and explanations for the transfer, framing it as a necessary step for an important acquisition project. The employee, unaware of the deception, complied with the instructions and initiated the unauthorized transfer.

Impact

• Financial losses: FACC suffered significant financial losses as a result of the CEO fraud incident. The fraudulent transfer of €42 million to an attacker-controlled bank account led to a direct financial impact on the company. The loss of such a substantial amount negatively affected FACC's earnings for the 2015-16 fiscal year as they reported an operating loss of €23.4 million, and the company's share price plummeted by 17%.
• Reputation damage: The CEO fraud incident had a severe impact on FACC's reputation. The fact that cybercriminals were able to breach the company's email server and successfully impersonate the CEO raised concerns about the vulnerabilities in the organization's internal processes and controls, and the effectiveness of FACC's cybersecurity measures.

Mitigation

Here are some of the ways that FACC mitigated the incident:

• Countermeasures: FACC adopted countermeasures to stop the transfer of €10.9 million on the recipient accounts. However, they were not able to retrieve €32 million which had already been transferred to different accounts in other countries.
• Dismissals: The company dismissed its CEO (Walter Stephan), CFO (Minfen Gu), and the person in the finance department who fell for the scam.
• Lawsuits: FACC sued its former CEO and CFO for $11 million in damages, stating they failed to implement adequate controls to prevent the loss. However, the Austrian courts dismissed both lawsuits.
• Cybersecurity awareness training: In reaction to the attack, the FACC revised all of its internal procedures and put in place new security measures. The company also increased its focus on cybersecurity training for employees at all levels.

Collaborative efforts

Key collaborative actions include:

• Law enforcement collaboration: FACC collaborated with local law enforcement agencies to report the incident, provide information, and seek assistance in investigating the fraudulent transfer. 
• Financial institutions cooperation: FACC likely collaborated with the involved financial institutions, including the recipient bank of the fraudulent transfer, to freeze or recover the funds. 
• Legal and regulatory engagement: FACC engaged legal counsel and regulatory bodies to navigate the legal and compliance aspects of the incident. This resulted in suing its former CEO Walter Stephan and former CFO Minfen Gu for $11 million in damages.

Forensic analysis

• Exploitation of email server vulnerability: The attacker identified and exploited a vulnerability in FACC's email server, gaining unauthorized access to the system. This allowed the attacker to study the writing habits and style of CEO Walter Stephan, a crucial step in impersonating him effectively.
• Phishing email impersonating the CEO: Using the knowledge gained from studying the CEO's communication patterns, the attacker crafted a phishing email that appeared to be sent by CEO Walter Stephan. The email was carefully designed to deceive the recipient, an employee in the finance department, into believing that it was a legitimate request from the CEO for an "acquisition project".
• Request for unauthorized financial transfer: Within the phishing email, the attacker requested the employee initiate a wire transfer of €42 million to a bank account controlled by the attacker. By leveraging the authority and trust associated with the CEO's identity, the attacker attempted to deceive the employee into carrying out the unauthorized transaction.
• Detection and prevention of transfer: Fortunately, FACC was able to detect the fraudulent activity and intervene before the full transfer was completed. The company was able to stop €10.9 million from being transferred to the recipient accounts. This prompt action helped minimize the financial impact of the attack.

Legal and regulatory implications

• After the incident was made public in 2016, the supervisory board at FACC decided to fire the CEO Walter Stephan, the CFO Minfen Gu, and the finance department employee who fell for the scam. 
• In 2018, FACC sued Stephan and Gu for $10 million, claiming inadequate protection against cyber fraud due to their failure to establish proper internal controls and supervision. However, the lawsuits were dismissed by the Austrian courts in 2019 stating that "there was no failure of Dr Stephan to fulfill his supervisory duties".

Lessons learned for organizations

• Enhanced email security: The FACC incident highlighted the need for organizations to strengthen email security measures. Organizations should implement email authentication protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance) to prevent spoofing and ensure the authenticity of email communications. This can help detect and mitigate CEO fraud attempts.
• Two-Factor Authentication (2FA): The incident emphasized the importance of implementing strong authentication mechanisms, such as 2FA, to protect critical systems and accounts. By requiring an additional layer of verification, such as a unique code sent to a mobile device, organizations can reduce the risk of unauthorized access to sensitive information and prevent fraudulent activities.
• Security awareness and training: The incident brought to light the importance of employee security awareness and training initiatives. Organizations should educate their employees about common social engineering techniques, such as CEO impersonation, and provide guidance on how to identify and report suspicious requests. 

This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for Manage Engine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.