How one company lost $40M from an increasing popular email scam

Hackers are leveraging a simple yet evidently lucrative form of email spoofing to scam companies out of millions of dollars; making it clear that malware isn’t the only exploit at their disposal.

(CEO fraud email prompt example / Image courtesy of PhishMe)

Hackers are leveraging a simple-yet-lucrative form of email spoofing to scam companies out of millions of dollars; making it clear that malware isn’t the only exploit at their disposal.

A cleverly crafted email aimed at the chief financial officer of Leoni AG — a publicly traded German company who is one of the world’s largest manufacturers of electrical cables — caused the company to lose $40 million in minutes, investigators revealed late last month.

The perpetrators responsible for the cyber attack used a “CEO Fraud”-style email phishing technique, experts diagnosed.


CEO Fraud scams target a person’s judgement rather than a company’s network defenses. Such scams are usually conducted by an attacker who impersonates a C-level employee and instructs a subordinate via email to wire funds to an account under the attacker’s control.

Investigators disclosed that Leoni AG’s CFO originally received a cloned email that appeared written by an executive with a request carefully designed to comply with existing, company specific policy. Local press reports suggested the attackers were familiar with the organization’s wire transfer protocol.

An investigation into the incident remains, open though no suspects are in custody.

CEO Fraud brings a “rampant form of social engineering” to the email phishing game, Paul Burbage, a security researcher for Leesburg, Va.-based firm PhishMe, told FedScoop. And these specially tailored scams are becoming increasingly effective against enterprises who “fail to have robust policies in place to verify wire transfer requests,” he added.

In June, the FBI published a public service announcement warning citizens about the growing threat of CEO fraud and other similar wire transfer style email phishing scams.


Many of the accounts used to receive the “ill-gotten wires [usually] belong to ‘money mules’ — people recruited by attackers — who [typically] act as a transfer proxy for the actors conducting these attacks,” explained Burbage.

CEO Fraud — also defined as a “business e-mail compromise” by the FBI — traditionally uses a free email service with a display name customized to mimic an actual company executive, said PhishMe Director of Research David MacKinnon.

“Since January 2015, there has been a 1,300 percent increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries,” the FBI PSA reads. “Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.”

Most compromises, MacKinnon explained, do not seek to intercept legitimate email messages in transit. Rather, the attackers follow a much easier path that begins with creating a fake email that appears authentic. Scammers might also forge an email signature to make their messages appear more legitimate — including personal contact information and other style characteristics shared across a target organizations. More rarely, these operations will register a domain name that closely resembles their targets’ DNS records.

In March, American data storage company Seagate was similarly duped by a CEO fraud scheme that compromised sensitive employee information. A lawsuit filed in July by a group of former and current employees claims that the tech company’s human resources department acted irresponsible by falling to recognize the scam before inadvertently sharing W2 forms with a hacker. The attacker pretended to be Seagate CEO Stephen Luczo.


Any business lacking proper policies for handling wire transfers and other data requests are at risk of these attacks. No one industry is more at risk than another, said MacKinnon. Generally, however, organizations that ignore programs to help “users … detect and report suspicious [email] messages are at quite a disadvantage,” he said.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts