A recent Lazio phishing scam resulted in €2 million being stolen from the Italian Serie A football team. The cybercriminals diverted the final installment of a player transfer fee into a bank account under their control.
The scam involved some insider knowledge, as the cybercriminal appeared to be aware that part of the transfer fee for a player was due. An email was carefully composed and sent to the Italian football team that appeared to have come from staff at the Dutch football club Feyenoord. The email requested the remaining balance for the player Stefan de Vrij, who had joined the club from Feyenoord in 2014.
The email looked like it had been sent from a genuine source. The accounts department at the Italian club responded and completed the transfer of funds – approximately $2,460,840 – to the bank account as requested. However, the bank account details given in the email were not those of Feyenoord.
When Feyenoord was contacted, the club said that it had no knowledge of any email communication about the player and confirmed that no funds had been transferred to it. The money had been paid into a Dutch bank account, but not one held by the club or by the player.
The payment has been investigated and Lazio is attempting to recover the money that was transferred. It is not yet known whether the money has been recovered, or whether recovery is even possible.
The Lazio phishing scam has certainly made the newspapers, but many attacks like this remain unreported. Scams such as this are typical, and companies are being tricked into making huge transfers of funds to criminals’ accounts.
While this attack was clearly successful because of some insider knowledge, that information can easily be obtained with a simple phishing email. If the CFO of a company can be tricked into disclosing their email login credentials, the account can be infiltrated and a treasure trove of information found. The account can then be used to send an email request to a member of the accounts department, or to a company that is in the process of making a large purchase.
The cybercriminal can copy the writing style of the CFO and the usual format of email requests. In many cases the recipient is fooled into completing the transfer.
This type of scam is called business email compromise – or BEC – and it is costing companies billions. One recent report suggests the total losses to BEC attacks alone are likely to reach $9 billion in 2018.
These scams are very different from the usual phishing scams of years gone by, where huge volumes of emails were sent in the hope that a few individuals would respond. These attacks are highly focused: the recipient is extensively researched, and a great deal of time is spent conducting the attack. As the Lazio phishing scam showed, it is certainly worth the expense for the attacker.
Companies need to protect themselves against these sorts of phishing attacks, but there is no silver bullet. Layered defenses are crucial. Companies need to develop an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is vital, DMARC should be put in place to stop brand abuse, and security awareness training for staff is essential. Policies should also be formulated and implemented that require two-factor verification of any wire transfer over a specific threshold.
Even if an email filter could not spot the Lazio phishing email, a quick telephone call to confirm the request could have exposed it.
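The controls described above can be expressed as a simple pre-payment check. The following is an added example, not code from the original article or from any club or vendor: it models a payment request, checks that the requesting domain publishes an enforcing DMARC policy (the DMARC records and vendor master file are constructed samples standing in for DNS lookups and an ERP system), and forces an out-of-band callback whenever the bank details differ from the vendor of record, the amount exceeds a threshold, or the sender cannot be authenticated. The domains, IBANs, phone numbers and the threshold value are all assumptions.

```python
"""Added example: pre-payment checks modelling DMARC enforcement and
out-of-band (callback) verification of wire transfer requests."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master file: bank details and callback number of record.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "example-club.test": {
        "iban": "NL00TEST0000000001",
        "callback_phone": "+31-00-000-0000",
    },
}

# Constructed DMARC TXT records, keyed by domain, standing in for a DNS
# lookup of _dmarc.<domain>.
DMARC_RECORDS: Dict[str, str] = {
    "example-club.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-club.test",
    "weak-club.test": "v=DMARC1; p=none",
}

WIRE_THRESHOLD = 50_000  # assumed policy threshold: above this, always call back


@dataclass
class PaymentRequest:
    sender_domain: str          # domain of the From: address after DMARC alignment
    amount: float
    iban: str                   # account the email asks to be paid
    phone_in_email: Optional[str] = None  # any "call us on" number in the email


@dataclass
class Decision:
    release: bool
    require_callback: bool
    reasons: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record ('v=DMARC1; p=reject; ...') into tag/value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(domain: str) -> bool:
    """True only if the domain publishes p=quarantine or p=reject.
    A missing record or p=none means spoofed mail would not be rejected."""
    record = DMARC_RECORDS.get(domain)
    if record is None:
        return False
    tags = parse_dmarc(record)
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")


def evaluate(req: PaymentRequest) -> Decision:
    """Decide whether a request may be released or must first be confirmed by
    phone, using only the number held in the vendor master file."""
    decision = Decision(release=False, require_callback=False)
    vendor = VENDOR_MASTER.get(req.sender_domain)
    if vendor is None:
        decision.reasons.append("unknown vendor domain")
        decision.require_callback = True
        return decision
    if not dmarc_enforcing(req.sender_domain):
        decision.reasons.append("sender domain has no enforcing DMARC policy")
        decision.require_callback = True
    if req.iban != vendor["iban"]:
        decision.reasons.append("bank details differ from vendor master file")
        decision.require_callback = True
    if req.amount > WIRE_THRESHOLD:
        decision.reasons.append(f"amount exceeds {WIRE_THRESHOLD} threshold")
        decision.require_callback = True
    # A number supplied in the email is never used for the callback; flag it.
    if req.phone_in_email and req.phone_in_email != vendor["callback_phone"]:
        decision.reasons.append("email supplies a callback number that is not the number of record")
    decision.release = not decision.require_callback
    return decision


if __name__ == "__main__":
    # Constructed request resembling the incident: large sum, changed account.
    req = PaymentRequest("example-club.test", 2_460_840, "NL00TEST0000000099", "+31-99-999-9999")
    print(evaluate(req))
```

The design choice worth noting is that the callback number comes from the vendor master file, never from the email: an attacker who controls the mailbox or spoofs the sender can supply any phone number they like, so a "confirmation" to a number in the message confirms nothing.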