Throwback Attack: How a single whaling email cost $61 million

[Image: Cybersecurity locks. Courtesy of CFE Media]

A poorly worded email or a message sent in anger can be costly to the average person’s professional career. That’s nothing compared to a single email that cost Austria-based airplane component manufacturer FACC close to $61 million in a “fake president” scam.

Cyberattacks on the aerospace industry are nothing new, as evidenced by China’s theft of sensitive plans and data about the American F-35 fighter jet. This was something different, a brazen (and successful) attempt to steal a great deal of money in one clever con.

The attack on FACC — which supplies aerostructures, engines and nacelles, cabin interiors and aftermarket services to major airline customers like Boeing and Airbus — had a damaging cascade effect that precipitated the firing of the company’s chief executive officer (CEO) and chief financial officer (CFO). But it all started with a whaling attack, where a cybercriminal masquerades as a senior executive at the firm with the aim of tricking an employee or department into a specific action. Whaling, also known as CEO fraud, typically uses email and website spoofing to trick a particular target into releasing financial information, making wire transfers or giving up other sensitive data.

In late 2015, a hacker went after FACC’s finance department, requesting they move $56 million into the criminal’s account. This request came in the form of a faux email from company CEO Walter Stephan. The goal of attacks like this is to create a believable message by imitating the CEO’s writing style. The cybercriminal generally breaks into the company’s email server and studies the executive’s writing habits and quirks to make the message look legitimate. The fraudulent email, purportedly from Stephan, requested the money for an “acquisition project.”
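As an added illustration that is not part of the original article, the following Python check scores a raw email for the traces a "fake president" message like this one tends to leave: an executive's display name on an address outside the company domain, a lookalike sender domain, a Reply-To pointing elsewhere, a failed DMARC verdict, and payment or acquisition language in the body. The company domain, executive list and both sample messages are constructed for the example, not taken from FACC.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (constructed, not FACC's): the company's own domain and its executives.
INTERNAL_DOMAIN = "aerocorp.example"
EXECUTIVE_NAMES = {"walter stephan"}
PAYMENT_TERMS = re.compile(r"\b(wire transfer|transfer|acquisition|urgent|confidential)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_whaling_indicators(raw: str) -> dict:
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1]) or domain
    body = msg.get_payload() if not msg.is_multipart() else "\n".join(
        p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    found = []
    # A known executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        found.append("exec_display_name_external_sender")
    # Sender domain borrows the company name (aerocorp-finance.example) without being it.
    if domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in domain:
        found.append("lookalike_domain")
    # Replies quietly routed to a domain other than the one the mail claims to come from.
    if reply_domain != domain:
        found.append("reply_to_domain_mismatch")
    # A spoofed From: header fails DMARC; the receiving MTA records the verdict here.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        found.append("dmarc_not_pass")
    # Wording typical of "fake president" requests; "acquisition" matches the FACC pretext.
    if PAYMENT_TERMS.search(body):
        found.append("payment_language")
    return {"indicators": found, "score": len(found)}

# Constructed sample messages, not the real FACC email.
FRAUD_MAIL = """From: Walter Stephan <w.stephan@aerocorp-finance.example>
Reply-To: w.stephan@webmail.example
Authentication-Results: mx.aerocorp.example; spf=pass; dmarc=fail

Please arrange a wire transfer today for the acquisition project. Keep this strictly confidential.
"""
LEGIT_MAIL = """From: Walter Stephan <w.stephan@aerocorp.example>
Authentication-Results: mx.aerocorp.example; spf=pass; dkim=pass; dmarc=pass

Please send me the Q3 figures before Friday.
"""
```

A score like this belongs in a mail gateway or SIEM rule that routes high-scoring payment requests to an out-of-band callback with the named executive, which is the control that stops the transfer regardless of how convincing the writing is.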

The intrusion was made public in 2016, and shortly thereafter, the firm’s supervisory board decided to relieve Stephan of his position for a dereliction of duty.

“The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular, in relation to the ‘fake president’ incident,” read a company statement following the CEO’s firing.

But Stephan was not the only scapegoat of the attack. Both the CFO, Minfen Gu, and the finance department employee who fell for the ruse were also let go.

In 2018, FACC took further action when it sued Stephan and Gu for $10 million, alleging they did not do enough to protect the company against cyber fraud. According to the court statement, the pair failed to institute proper internal controls and supervision. But the Austrian courts threw out both lawsuits in 2019.

“The claim was rejected in full on the basis that there was no failure of Dr. Stephan to fulfil his supervisory duties,” said a spokeswoman for the court after the CEO’s case was thrown out, according to a Reuters article on the matter.

Verizon’s 2018 Data Breach Investigations Report found that phishing is involved in 70% of data breaches. Any employee needs to be careful when opening or clicking on attachments or links that arrive in spam or unsolicited emails. The trick with “fake president” scams is that the emails look and feel like they come from a legitimate and powerful source. While these intrusions are considered cybercrime, they don’t really rely on technical expertise or seek to exploit weak cyber defenses; they’re all about preying on human fallibility and on the absence of verification procedures.

“We can only train our employees to be so good,” said Wayne Dorris, a certified information systems security professional (CISSP) and business development manager for cybersecurity with Axis Communications. “Obviously for the attacker, it’s a whole lot easier to get somebody to click on something that goes, ‘Oh, hey, I think I won a new car. Just click on this link and see if I’m the winner.’ The human firewall is, of course, the most important, but it’s also the hardest one to protect.”

To help prevent phishing-style attacks like the one on FACC, all company employees need to be trained on basic cybersecurity hygiene and best practices so they can recognize potential scams — even when they come from high-powered executives. Cybersecurity is not just an information technology (IT) problem or an operational technology (OT) problem. Good cybersecurity hygiene needs to start at the top with company management and trickle down throughout the entire organization.
