Boeing Supplier Lost $54 Million to CEO Fraud

Did you know that Busi­ness Email Com­pro­mise (BEC), also known as CEO Fraud, is still a threat? And, it’s not just the stolen mon­ey that caus­es exec­u­tive headaches. It can dam­age your stock price and rep­u­ta­tion with major cus­tomers. And, in the case of FACC, it cost the CFO, Min­fen Gu, her job.

FACC-12-00x_Jobs4You.indd

Here’s what Com­put­er Week­ly said about the fraud, announced on Jan­u­ary 19th:

A $54m cyber fraud against Austria’s FACC has sent the air­craft supplier’s share price reel­ing. The company’s share price fell near­ly 17% in response to news of the company’s loss, which is one of the great­est loss­es to date caused by cyber fraud, accord­ing to Bloomberg. The loss report­ed by the sup­pli­er to com­pa­nies such as Boe­ing and Air­bus is way above the aver­age cost of the worst breach­es in the UK of between$1.9m and $4.4m, report­ed by Price­wa­ter­house­C­oop­ers (PWC) in 2015.

So, how do you pre­vent these attacks from suc­ceed­ing?

In my expe­ri­ence, most com­pa­nies are over spend­ing on tech­nol­o­gy to pre­vent data and mon­ey theft while down­play­ing the peo­ple, process, and man­age­ment aspects. As with FACC, the recent theft of W‑2 infor­ma­tion from Mon­eytree was suc­cess­ful most­ly because of weak inter­nal process­es and poor­ly trained peo­ple. And there’s a lot you can do in these areas for lit­tle or no added expense.

Train­ing peo­ple to detect and resist attempts to trick them into send­ing mon­ey (or sen­si­tive data) to crim­i­nals is a top action every­one should be tak­ing right now. A good approach is to com­bine a strong inter­nal com­mu­ni­ca­tions cam­paign in con­junc­tion with a soft­ware-as-a-ser­vice anti-phish­ing test­ing ser­vice, such as PhishMe or one of its com­peti­tors. Expect to pay about $20 per user, per year.

On that note, orga­ni­za­tions need to make sure their man­age­ment team ful­ly sup­ports their cyber­se­cu­ri­ty pro­gram, espe­cial­ly first line super­vi­sors. Why? When peo­ple hear about their respon­si­bil­i­ty to pre­vent cyber crime, their first ques­tion will be “is this for real?” and then they will won­der “how will this affect me?” Their super­vi­sor will either encour­age peo­ple to join the pro­gram, or kill it, depend­ing on how they answer.

Final­ly, peo­ple have to feel safe to respect­ful­ly chal­lenge any sus­pi­cious requests. Oth­er­wise, they will be stuck between the fear of being fired for not imme­di­ate­ly com­ply­ing with the request and the fear of mak­ing a big mis­take.

What else would you do to pro­tect your orga­ni­za­tion from CEO Fraud?

Please note: I reserve the right to delete comments that are offensive or off-topic.