Email breach chronicles: FACC's million-dollar deception - CEO fraud in 2016

  • Published : November 21, 2023
  • Last Updated : November 22, 2023
  • 1.2K Views
  • 8 Min Read

FACC is an Austria-based aerospace manufacturer whose customers include Airbus, Boeing, and Rolls-Royce. In 2016, a phisher posing as FACC's CEO emailed an employee in the finance department, instructing them to transfer close to €50 million for an acquisition project the company was supposedly working on. The attacker had previously broken into the company's email server and studied the CEO's writing habits so that the email would look authentic. In January 2016, the employee wired €42 million to an attacker-controlled bank account. After the company identified the fraud, it managed to block or freeze €10.9 million of the funds before they reached the attackers.

CEO Fraud incident at FACC

Type of attack

CEO fraud is a form of Business Email Compromise (BEC): a targeted (spear) phishing attack in which the attacker impersonates a high-ranking executive, typically the CEO or another senior officer, of the target organization. It is sometimes loosely called whaling, although that term more precisely describes phishing aimed at executives rather than phishing that impersonates them. The perpetrators use social engineering to deceive employees into making financial transfers or divulging sensitive information.

Timeline

  • Unauthorized access: Cybercriminals gained unauthorized access to FACC's email server and studied the writing habits and style of the company's CEO, Walter Stephan.
  • Social engineering: Impersonating the CEO, the attackers sent a fraudulent email to an employee in the finance department requesting a transfer of €42 million for an alleged acquisition project.
  • Employee compliance: The employee did not recognise the email as fraudulent, complied with the request, and transferred the funds to an attacker-controlled bank account.
  • Financial impact: FACC's share price dropped significantly, and the company reported a substantial decrease in earnings for the fiscal year.
  • May 2016: The supervisory board removed the CEO in connection with the unauthorized transfer. The CFO and the finance department employee who fell for the scam were also dismissed.
  • Lawsuits: FACC sued the former CEO and CFO for €10 million (roughly $11 million), alleging that they had failed to protect the company adequately against cyber fraud. The Austrian courts dismissed both lawsuits.
  • Hacker's identity: The attacker has never been identified. A Chinese citizen was arrested in Hong Kong for money laundering related to the attack. FACC worked to recover around €10 million that had been frozen in various countries, while €32 million remained unrecovered.
  • Increased awareness and security measures: FACC implemented new security measures and reviewed its internal processes to prevent similar incidents. The company also put more emphasis on cybersecurity training so that employees handle sensitive communications, and in particular payment instructions, with more care.

Origin

The incident began when the perpetrator, having learned the writing style of FACC's CEO, impersonated him in an email to an FACC finance department employee requesting a transfer of €42 million for an "acquisition project".

Initial publication

  • FACC disclosed on its blog that it had become the victim of "a crime act using communication- information and information technologies." The post was later removed by the company.
  • In May 2016, FACC released its 2015/2016 financial results, stating that it had been able to block €10.9 million from being transferred, and dismissed the company's CEO.
  • In July 2016, a 32-year-old Chinese man, an authorized signatory of a Hong Kong-based firm that had received around €4 million of the FACC funds, was arrested on suspicion of money laundering.

Geographical spread

The attack itself did not spread across countries, but the €42 million wired by the victim was moved through accounts in several Asian countries and a few European countries such as Slovakia, which is what made recovery so difficult.

Attack vectors

The attack vector was email phishing of the kind known as the CEO scam or Business Email Compromise (BEC): the perpetrator studied the CEO's writing style, impersonated him, and emailed an employee in the finance department demanding a transfer of €42 million.

Vulnerability exploited

The attacker reportedly exploited a vulnerability in the company's email server to break in and study the writing habits of CEO Walter Stephan; the specific weakness has not been publicly identified. The attacker also exploited the lack of cybersecurity awareness and training among FACC employees, in particular the absence of any habit of verifying large payment requests outside of email.

Perpetrators

The actual perpetrator of the attack has not been identified. The only person known to have been arrested in connection with the attack is a 32-year-old Chinese man, reportedly an authorized signatory of a Hong Kong-based firm that had received around €4 million of the funds.

Motive

The motive was purely financial: to defraud FACC of funds by impersonating its CEO.

Execution and methodology

  • Social engineering and impersonation: The attackers studied the CEO's writing habits and quirks and used that knowledge to craft a convincing email in his name requesting a large transfer for an alleged "acquisition project". The message was built to pass as routine, legitimate communication from the CEO.
  • Phishing and deceptive communication: The fraudulent email was delivered to an employee in the finance department. The attackers may have spoofed the CEO's email address or mimicked the company's internal communication style; the aim was for the employee to accept the message as genuine and act on it without further checks.
  • Manipulation of trust and authority: By posing as the CEO, the attackers exploited the employee's deference to executive authority and created a sense of urgency and importance around the request. This pressure was meant to override the caution the employee would otherwise apply to an unusual payment.
  • Financial transaction manipulation: The email instructed the employee to wire €42 million to an attacker-controlled account, with plausible justifications framing the payment as a necessary step in the acquisition. The employee, unaware of the deception, initiated the transfer.

Impact

  • Financial losses: The fraudulent transfer of €42 million was a direct hit to FACC's finances. The company reported an operating loss of €23.4 million for the 2015/16 fiscal year, and its share price fell by 17%.
  • Reputation damage: The fact that criminals could breach the company's email server and successfully impersonate its CEO raised questions about FACC's internal processes and controls and about the effectiveness of its cybersecurity measures.

Mitigation

FACC responded to the incident in the following ways:

  • Countermeasures: FACC was able to have €10.9 million blocked or frozen in the recipient accounts. The remaining €32 million had already been moved on to other accounts in other countries and could not be retrieved.
  • Dismissals: The company dismissed its CEO (Walter Stephan), CFO (Minfen Gu), and the finance department employee who fell for the scam.
  • Lawsuits: FACC sued its former CEO and CFO for €10 million (roughly $11 million) in damages, stating that they had failed to implement adequate controls to prevent the loss. The Austrian courts dismissed both lawsuits.
  • Cybersecurity awareness training: In response to the attack, FACC revised its internal procedures, put new security measures in place, and increased its focus on cybersecurity training for employees at all levels.

Collaborative efforts

Key collaborative actions include:

  • Law enforcement collaboration: FACC reported the incident to law enforcement, provided information, and sought assistance in investigating the fraudulent transfer.
  • Financial institutions cooperation: FACC likely worked with the financial institutions involved, including the banks holding the recipient accounts, to freeze or recover the funds.
  • Legal and regulatory engagement: FACC engaged legal counsel and regulatory bodies to handle the legal and compliance aspects of the incident, and later sued its former CEO Walter Stephan and former CFO Minfen Gu for €10 million (roughly $11 million) in damages.

Forensic analysis

  • Exploitation of an email server vulnerability: The attacker gained unauthorized access to FACC's email server through a vulnerability that has not been publicly identified. This access allowed the attacker to study the writing habits and style of CEO Walter Stephan, a crucial step in impersonating him convincingly.
  • Phishing email impersonating the CEO: Using what they had learned about the CEO's communication patterns, the attacker crafted an email that appeared to come from Walter Stephan, designed to persuade the finance department recipient that it was a legitimate request relating to an "acquisition project".
  • Request for an unauthorized financial transfer: The email asked the employee to wire €42 million to a bank account controlled by the attacker, relying on the authority and trust attached to the CEO's identity to get the transaction approved.
  • Detection and partial recovery: FACC detected the fraud only after the transfer had been initiated, but it was still able to stop €10.9 million from reaching the recipient accounts. The delay between the transfer and detection is what allowed the rest of the money to be moved out of reach.

Legal and regulatory implications

  • After the incident was made public in 2016, FACC's supervisory board dismissed CEO Walter Stephan, CFO Minfen Gu, and the finance department employee who fell for the scam.
  • In 2018, FACC sued Stephan and Gu for €10 million (roughly $11 million), claiming that their failure to establish proper internal controls and supervision had left the company inadequately protected against cyber fraud. The Austrian courts dismissed the lawsuits in 2019, finding that "there was no failure of Dr Stephan to fulfill his supervisory duties".

Lessons learned for organizations

  • Enhanced email security: The FACC incident highlighted the need for stronger email security. Organizations should publish SPF and DKIM records and an enforcing DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy so that mail spoofing the company's own domain is rejected rather than delivered. DMARC does not, however, catch lookalike domains or mail sent from a compromised internal mailbox, so it has to be combined with content- and behaviour-based detection.
  • Two-factor authentication (2FA): The incident emphasized the importance of strong authentication for critical systems and accounts, including the mail server and executive mailboxes. Requiring a second factor, such as a one-time code generated on or sent to a mobile device, means that a stolen password alone is not enough to read a mailbox or send from it.
  • Security awareness and training: Organizations should educate employees about common social engineering techniques such as CEO impersonation, give clear guidance on how to identify and report suspicious requests, and require that any unusual payment instruction received by email be confirmed through a second channel, such as a call back to a known number, before funds are moved.
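The email-security and "identify suspicious requests" points above can be made concrete. The following Python script is an added example, not code from the original article or from FACC: it evaluates a message's DMARC disposition with relaxed alignment from the Authentication-Results header that a receiving mail server stamps after its SPF and DKIM checks, and then runs a few BEC heuristics (an executive's display name arriving from an external domain, a lookalike sender domain, a Reply-To that differs from From, and urgency or payment language). The three messages, the executive list, the internal domain example-aero.test and the policy values are all constructed for the demonstration, and the organizational-domain logic is deliberately simplified (a real evaluator consults the Public Suffix List).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the demonstration (not FACC's real domain or staff list).
INTERNAL_DOMAIN = "example-aero.test"
EXECUTIVES = {"walter stephan"}
PRESSURE = re.compile(
    r"\b(urgent|confidential|wire transfer|immediately|acquisition|do not discuss)\b", re.I)


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    A real DMARC evaluator uses the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def dmarc_result(msg, policy: str) -> str:
    """Return 'pass' if SPF or DKIM passed with relaxed alignment to the From:
    domain, otherwise the domain owner's policy ('none', 'quarantine', 'reject')."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"spf=(\w+)(?:\s+smtp\.mailfrom=([^\s;]+))?", results)
    dkim = re.search(r"dkim=(\w+)(?:\s+header\.d=([^\s;]+))?", results)
    aligned = False
    if spf and spf.group(1) == "pass" and spf.group(2):
        aligned |= org_domain(spf.group(2).rpartition("@")[2]) == org_domain(from_domain)
    if dkim and dkim.group(1) == "pass" and dkim.group(2):
        aligned |= org_domain(dkim.group(2)) == org_domain(from_domain)
    return "pass" if aligned else policy


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (aer0 vs aero)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg) -> list:
    """Heuristics that catch what DMARC cannot: impersonation from a domain the
    attacker legitimately controls, diverted replies, and pressure language."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if name.lower() in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        flags.append("executive display name from external domain")
    if sender_domain != INTERNAL_DOMAIN and edit_distance(sender_domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike domain {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        flags.append("Reply-To domain differs from From domain")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if PRESSURE.search(text):
        flags.append("urgency or payment language")
    return flags


def triage(raw_message: str, policy: str = "reject") -> dict:
    """DMARC disposition plus BEC indicators for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    return {"dmarc": dmarc_result(msg, policy), "indicators": bec_indicators(msg)}


# Three constructed messages; Authentication-Results is what the receiving
# mail server would have stamped after checking SPF and DKIM.
LEGIT = """From: Walter Stephan <walter.stephan@example-aero.test>
To: finance@example-aero.test
Authentication-Results: mx.example-aero.test; spf=pass smtp.mailfrom=example-aero.test; dkim=pass header.d=example-aero.test
Subject: Board pack

Please find the Q1 board pack attached.
"""

SPOOFED = """From: Walter Stephan <walter.stephan@example-aero.test>
Reply-To: walter.stephan@secure-mail-relay.test
To: finance@example-aero.test
Authentication-Results: mx.example-aero.test; spf=fail smtp.mailfrom=bulk.sender.test; dkim=none
Subject: Urgent and confidential

I need you to arrange a wire transfer today for the acquisition project. Do not discuss this with anyone.
"""

LOOKALIKE = """From: Walter Stephan <walter.stephan@example-aer0.test>
To: finance@example-aero.test
Authentication-Results: mx.example-aero.test; spf=pass smtp.mailfrom=example-aer0.test; dkim=pass header.d=example-aer0.test
Subject: Acquisition project

Please wire 42 million EUR to the account below immediately. This is confidential.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, triage(raw))
```

The point of the third message is the caveat: the lookalike domain authenticates perfectly, so DMARC returns "pass" and only the display-name and edit-distance heuristics fire. A message sent from a genuinely compromised internal mailbox would likewise pass DMARC, which is why a mandatory call-back on payment instructions, not mail filtering alone, is the control that stops this class of fraud.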
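The 2FA point above mentions one-time codes without saying how they are produced or checked. The following Python implementation of TOTP (RFC 6238, the scheme behind authenticator apps) is an added example, not code from the original article or from FACC: it derives a code from a shared secret and the current time, and verifies a submitted code in constant time within a small clock-drift window while refusing any counter that has already been accepted, so an intercepted code cannot be replayed. The secret and timestamps are the RFC's published test values; the window and replay bookkeeping are assumptions for the demonstration.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC the 8-byte big-endian counter, dynamically
    truncate to 31 bits, and keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1, last_used_counter: int = -1,
                algo=hashlib.sha1):
    """Return the accepted time-step counter, or None if the code is rejected.

    window:            steps of clock drift tolerated on either side of `now`.
    last_used_counter: highest counter already accepted for this user (the
                       caller stores it); anything at or below it is refused
                       so a code captured in transit cannot be replayed.
    compare_digest:    constant-time comparison, so timing does not reveal
                       how many leading digits of a guess were right."""
    current = int(now) // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algo), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (SHA-1). A real deployment generates a
    # random per-user secret at enrolment and never reuses a published one.
    secret = b"12345678901234567890"
    print(totp(secret, 59, digits=8))       # 94287082, the RFC 6238 test vector
    print(totp(secret, int(time.time())))   # the current 6-digit code
    print(verify_totp(secret, totp(secret, 59, digits=8), 59, digits=8))  # 1
```

The server must persist the returned counter per user and pass it back as `last_used_counter` on the next attempt; without that, the same code is valid for the whole window and a phished or shoulder-surfed code can be reused. Note also what MFA does and does not buy you in a FACC-style incident: it protects the mailbox and server accounts from a stolen password, but it does nothing about a convincing email arriving from a lookalike domain, which is why payment verification outside email still matters.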

 


 

This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for ManageEngine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.
