The European cinema group Pathe recently lost €19.2 million (around US$22 million) to an internet scam known as mandate fraud. The fraud began in March and targeted the company's Dutch office. Several emails, apparently sent from the personal account of Pathe CEO Marc Lacan, asked the Dutch office to wire the money in four tranches to a bank account in Dubai. The emails actually came from scammers.
The technique the scammers used is called "mandate fraud". It works by convincing an organization to make payments: the scammers pose as a company that receives regular payments from the organization, as a business supplier, or as a senior manager. In the case of Pathe, senior managers in the Netherlands received a request to transfer money to finance a takeover. The request appeared to come from their CEO in France, but it was sent by scammers who had somehow gained use of the CEO's e-mail account, or of an account that appeared to be his.
It is becoming easier for scammers to set up such frauds, because many companies now rely on cloud-based mail systems such as Office 365 or Gmail. If attackers know a few surnames and e-mail addresses within a company, they can use brute-force attacks to guess passwords. Once they have access to an account, they can use it to attempt frauds such as mandate fraud. To avoid such attacks, you need administrators who set up alerts, keep detailed logs, and block all email-forwarding attempts. In addition, you need to make your personnel aware of techniques for keeping their passwords secure; for example, you can insist on two-step authentication.
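As an added illustration of the alerts mentioned above (this is example code, not part of the original post or of any product it describes), the following script runs two checks over constructed audit-log lines in a simplified JSON-lines schema assumed for this example: it flags a single source address whose failed logins span several accounts (a password-guessing pattern against cloud mail), and it flags any inbox rule that forwards or redirects mail.

```python
import json
from collections import defaultdict

# Constructed sample audit events. The schema (ts, op, user, ip, params) is
# assumed for this example and is not the exact format of any real provider.
SAMPLE_LOG = """
{"ts": "2018-03-02T08:00:01Z", "op": "UserLoginFailed", "user": "ceo@example.com", "ip": "203.0.113.7"}
{"ts": "2018-03-02T08:00:03Z", "op": "UserLoginFailed", "user": "cfo@example.com", "ip": "203.0.113.7"}
{"ts": "2018-03-02T08:00:05Z", "op": "UserLoginFailed", "user": "finance@example.com", "ip": "203.0.113.7"}
{"ts": "2018-03-02T08:00:09Z", "op": "UserLoggedIn", "user": "finance@example.com", "ip": "203.0.113.7"}
{"ts": "2018-03-02T08:01:30Z", "op": "New-InboxRule", "user": "finance@example.com", "ip": "203.0.113.7", "params": {"ForwardTo": "archive@mail.example.org"}}
{"ts": "2018-03-02T09:15:00Z", "op": "UserLoggedIn", "user": "cfo@example.com", "ip": "198.51.100.20"}
"""

SPRAY_THRESHOLD = 3  # distinct accounts with failed logins from one source IP

def parse_events(text):
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_password_spray(events, threshold=SPRAY_THRESHOLD):
    """Map each source IP to the sorted accounts it failed to log in to,
    keeping only IPs that hit at least `threshold` distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["op"] == "UserLoginFailed":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= threshold}

def find_logins_from_spray_ips(events, spray):
    """Successful logins from an IP already flagged for spraying: likely a compromised account."""
    return [(e["user"], e["ip"]) for e in events
            if e["op"] == "UserLoggedIn" and e["ip"] in spray]

def find_forwarding_rules(events):
    """(user, ip, destination) for every inbox rule that forwards or redirects mail."""
    hits = []
    for e in events:
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            params = e.get("params", {})
            dest = params.get("ForwardTo") or params.get("RedirectTo")
            if dest:
                hits.append((e["user"], e["ip"], dest))
    return hits

def alerts(text):
    """Run all checks and return human-readable alert lines."""
    events = parse_events(text)
    spray = find_password_spray(events)
    out = [f"spray: {ip} failed logins against {len(u)} accounts ({', '.join(u)})" for ip, u in spray.items()]
    out += [f"compromise: {user} logged in from spraying IP {ip}" for user, ip in find_logins_from_spray_ips(events, spray)]
    out += [f"forwarding: {user} created a rule forwarding to {dest} from {ip}" for user, ip, dest in find_forwarding_rules(events)]
    return out

if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```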
Skilled scammers with access to internal mail are known to 'lurk' on corporate networks. First, they work out the management structure. They follow the business processes. They even check when senior personnel are out of the office, travelling, or otherwise hard to reach. That is when they send their victim an e-mail that appears to come from their manager, asking for an urgent payment.
One recent attack hacked into the cloud-based email accounts of two executives inside an organization. Using computers located in Africa, the fraudsters first studied the executives' behaviour. When both executives were out of the office, the attackers sent mails back and forth between the executives' accounts, and these mails appeared to authorize a wire transfer. They then forwarded the mails to a junior employee, who saw them as proof that the money should be moved. That mistake cost several people their jobs, as well as several million dollars.
Within many large organizations, it’s quite common for personnel to receive instructions from colleagues located in other countries. Colleagues they don’t know directly. Or maybe they receive contracts signed by people they’ve never met.
Within ABN AMRO, staff confirm important decisions by means of a Power of Attorney (POA) assigned to individual employees. The bank uses POAs to manage transactions between branches, and also between ABN AMRO and third parties. It is therefore essential that bank staff can check the signatures, as well as the authority, of these employees, irrespective of their location. We were asked to design a system to improve this process, and our developers came up with a customized solution: the Signature Registration System (SRS).
To ensure its success, we developed SRS to work with existing systems already used within the ABN AMRO infrastructure. SRS uses ABN AMRO authentication for access, and it is hosted within the bank's own server infrastructure. More importantly, SRS links personnel information to ABN AMRO's in-house HR system, so employees can only add data that has already been verified in the bank's HR/SAP system. SRS provides a web service that bank employees use to authenticate signatures and to confirm the authority of the person signing. Whilst we designed this web service to provide easy access within the bank's network, our developers also ensured that the administration of SRS includes a number of security measures to keep the data both secure and accurate.
SRS is available as a web service within the ABN AMRO Intranet. Bank employees use it every day. They can quickly and securely check if instructions, contracts and documents have been correctly authorized. Perhaps if Pathe employees had access to such a system, their money would not have found its way to scammers in Dubai!
SRS is a flexible system that we can integrate with almost any infrastructure. So if you would like to introduce a similar system within your network, or if your company faces a challenge in terms of automation, cost reduction, or smarter and more efficient working, get in touch.