The Dutch branch of the French film production company Pathé has lost over €19 million, Linkeddata reports.
The details of the fraud became public through the court documents of the unfair dismissal lawsuit brought against Pathé France by Edwin Slutter, the Dutch branch’s ex-Chief Financial Officer.
The hacker attack began on 8 March this year. Pathé Nederland director Dertje Meijer received an email that had allegedly been sent by the French parent company's CEO. However, the email was sent from a spoofed address that the hackers had falsified to look like an email address of the French company Pathé.
The hackers opened the conversation with a simple question:
“Have you been contacted by Mr. (real name of employee) from KPMG this morning?”
Meijer responded that she had not, and the cybercriminals set their deception in motion.
They asked her to send the current “bank position,” explained that they “are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai,” and asked her to contact the above-mentioned KPMG employee to get the Dubai company’s banking information so that they could send the required money.
“As a security measure for this type of confidential transaction, we must communicate via my personal email so that our discussions are free of any risk of disclosure and respect the transaction’s norm. It is imperative that no matter what, whether orally or by phone. In accordance with the norms of KPMG, my personal email is to be the sole means of communication. Once the transfer orders had been written out, please forward to Mr. (real KPMG employee) or to myself the confirmation by email,” the hacker email reads.
Meijer doubted the letter's accuracy, so she forwarded it to Slutter and asked if it seemed odd to him. He advised her to respond to the email and ask for further confirmation from the head of Pathé headquarters in France or from another highly positioned executive.
However, the hackers immediately agreed and sent an email impersonating the Pathé France manager, who not only confirmed the payment but also insisted on the full confidentiality of the deal. The Dubai company was to send a payment invoice with the description “Amount for 10% of the acquisition”, signed by the manager and chief executive of the Pathé headquarters in France.
Slutter checked the signatures and made the payment. Over the next few days, however, he made several more payments, which altogether exceeded 19 million euros.
During his communication with the hackers, he had the chance to recognize the scam numerous times, as the hackers made several minor mistakes. Meijer and Slutter had the means to protect themselves from this cybercrime, but they simply did not notice these mistakes and did not doubt the authenticity of the deal.
Pathé hired an outside company to investigate whether Meijer and Slutter were part of the criminal group that committed this multi-million dollar fraud. According to the results of this independent investigation, the two were not involved, and the company was the victim of a "professional gang of scammers".
As a result of this cybercrime, Meijer and Slutter were fired; although they were scammed, they are not criminals. Nowadays, each of us is personally responsible for maintaining our own level of cyber hygiene. It is our duty not to trust important business emails blindly but to verify their authenticity. If Meijer and Slutter had asked cybersecurity experts for help, they would have found that the correspondence was forged, saved over 19 million euros of Pathé’s money, and spared the company this worldwide embarrassment.