When Susanne Reimer received an email marked “extremely important” from her boss last summer, she was flattered at first. Having spent years keeping the company’s books, Ms. Reimer relished the chance to help out with a high-level deal that, according to the email, would require the “utmost discretion.”
Having promised to help, Ms. Reimer soon received another email telling her about an acquisition in Asia, and asking her about a bank transfer. Only later would she learn there was no such takeover in the works — and that her boss never sent those emails.
Criminals had been casing the firm for months, and chose Ms. Reimer as their target. (Her name has been changed in this story to protect her privacy.) Using a fake email address, they posed as her boss in hope of tricking her into forking over nearly €1 million ($1.2 million) of the company’s money.
Ms. Reimer is one of thousands of people who have found themselves in cyber attackers’ crosshairs. In July, Germany’s federal cyber agency said it had alerted some 5,000 potential targets across the country — including business leaders, managers and accountants — whose names and emails turned up in a police investigation.
For many companies, however, the warnings come too late. In Cologne, state cybercrime authorities are dealing with 158 cases with combined damages of €56 million. If banks hadn’t intervened to stop certain transfers, the total might have been more than triple that.
When the scammers succeed, a company’s very survival might be at stake. “The perpetrators are expertly prepared,” said Arne Schönbohm, head of Germany’s federal cyber agency. “They know who is allowed to authorize payments,” he said, and may even know whether colleagues at the company address one another using formal or informal German.
Criminals use Google and social networks such as Facebook and Xing to collect information that helps them target specific individuals, a type of attack known as spear phishing.
In Ms. Reimer’s case, the attackers’ meticulous research failed to bear fruit. Just two hours after sending the bookkeeper their first email under her boss’s name, they asked her to transfer €998,231 into an account in Hong Kong. After speaking with her company’s bank, Ms. Reimer refused, citing policy requiring two people to sign off on such payments.
The scammers followed up with additional documents — all falsified — to make their case. But by then Ms. Reimer had grown suspicious. Despite the emailers’ warnings not to discuss the matter on the phone, she called her boss.
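The two controls that stopped the fraud in Ms. Reimer's case, a rule that two people must sign off on large payments and a phone call to her real boss, are the defensive point of the story. As an added illustration, not part of the original Handelsblatt article, the following Python script models a payment-release check that enforces both: it scrutinises the requesting email's sender (an address outside the company domain, a lookalike domain, or a display name that matches an executive but comes from a different address) and refuses to release a transfer above a threshold without two approvers or, where the sender looks doubtful, without a callback on a number already on file. The company domain, executive list, threshold and both sample requests are constructed assumptions.

```python
"""Payment-release check modelling the two controls that stopped the fraud:
scrutiny of the request email's sender, and a two-person sign-off.
Added example; the domain, executives and sample requests are constructed."""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed assumptions: the firm's real mail domain, the executives allowed to
# authorise payments, and the amount above which two approvers are required.
COMPANY_DOMAIN = "example-firm.de"
EXECUTIVES = {"anna boss": "anna.boss@example-firm.de"}
DUAL_APPROVAL_THRESHOLD_EUR = 10_000


@dataclass
class PaymentRequest:
    from_header: str                 # raw From: header of the requesting email
    amount_eur: float
    approvers: set = field(default_factory=set)  # staff who have signed off
    callback_verified: bool = False  # requester confirmed by phone on a number
                                     # already on file, never one taken from the email


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(from_header: str) -> list:
    """Return the reasons the sender of a payment request deserves scrutiny."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain != COMPANY_DOMAIN:
        findings.append(f"external sender domain: {domain or '(none)'}")
        if 1 <= edit_distance(domain, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike of {COMPANY_DOMAIN}")
    norm_name = " ".join(name.lower().split())
    real_addr = EXECUTIVES.get(norm_name)
    if real_addr and addr.lower() != real_addr:
        findings.append(f"display name matches executive {norm_name} but address differs")
    return findings


def release_decision(req: PaymentRequest) -> dict:
    """Decide whether the transfer may be released, and list every hold if not."""
    findings = sender_findings(req.from_header)
    holds = []
    if findings and not req.callback_verified:
        holds.append("requester identity not verified by callback")
    if req.amount_eur >= DUAL_APPROVAL_THRESHOLD_EUR and len(req.approvers) < 2:
        holds.append("second approver required")
    return {"decision": "HOLD" if holds else "RELEASE",
            "findings": findings, "holds": holds}


# Constructed sample requests: one shaped like the scam in the story, one legitimate.
SCAM_REQUEST = PaymentRequest(
    from_header="Anna Boss <anna.boss@examp1e-firm.de>",  # digit 1 in place of the letter l
    amount_eur=998_231, approvers={"s.reimer"})
LEGIT_REQUEST = PaymentRequest(
    from_header="Anna Boss <anna.boss@example-firm.de>",
    amount_eur=998_231, approvers={"s.reimer", "k.finance"})

if __name__ == "__main__":
    for label, req in (("scam", SCAM_REQUEST), ("legitimate", LEGIT_REQUEST)):
        print(label, release_decision(req))
```

The scam-shaped request is held on two independent grounds (unverified sender and a missing second approver), so neither a convincing email nor a single rushed employee can release it on its own; the legitimate request from the executive's real address with two approvers goes through. The callback flag is only meaningful if the number comes from the company directory, which is exactly why the scammers in the story warned Ms. Reimer not to discuss the matter by phone.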
Business email scams have become a global moneymaker for criminals in recent years. Between October 2013 and February 2016, the FBI counted some 17,642 reports to law enforcement — with damages totaling $2.3 billion in 79 countries.
For the former CEO of Austrian aircraft parts-maker FACC, an email phishing scam was particularly devastating. Walter Stephan had successfully run the company for more than a quarter-century. With more than 3,000 employees, FACC reported annual revenues of roughly €590 million.
But when cybercriminals swindled the company out of €42 million, the supervisory board removed Mr. Stephan and his CFO from their posts. “There were tears,” he told the Austrian magazine Trend. “It was a huge blow for me.”
The fraud involved weeks of correspondence between an FACC employee and the scammers, who posed as Mr. Stephan in nearly 50 emails.
A similar case in Germany cost Nuremberg automotive parts supplier Leoni about €40 million. “The amount was transferred via a series of smaller single-digit million euro payments to foreign accounts,” CFO Karl Gadesmann told reporters in March. Leoni fired several employees who were found to have violated company rules.
The company declined to be interviewed for this story; many firms prefer not to talk about cybercrime attacks they’ve sustained. Though Leoni disclosed the scam to investors last August, not all companies are required to provide ad-hoc notices to shareholders, and experts estimate the number of unreported cases is high.
Since companies want to avoid being seen as targets, some are only willing to discuss the issue of cybercrime on condition of anonymity. Handelsblatt spoke to two men in charge of security for two large German industrial companies. Attempts were frequent, they reported, but on average two highly professional scam attempts came their way each month.
“Before, the approach was often amateur, with emails composed using ridiculous Google-Translate German,” one said. “We’re not seeing grammatical errors anymore.”
Criminals don’t leave much of a trail for investigators to follow, and it has proved difficult for authorities to trace the money, or the emails themselves. Only on the rare occasion that a company calls in the authorities while a fraud attempt is still under way are investigators in a position to catch the scammers.
That’s how French authorities pulled off a major coup earlier this month, arresting in Ukraine the man known as the godfather of CEO email scams. Gilbert Chikli, a 51-year-old dual French-Israeli citizen, made off with some €60 million between 2005 and 2006. His victims include big banks such as HSBC and Crédit Lyonnais, as well as aerospace company Dassault, rail transport company Alstom and the Galeries Lafayette department store.
Though he was detained in France in 2009, Mr. Chikli later fled to Israel. But he didn’t shy away from the limelight, even allowing himself to be photographed in his luxurious home in Ashdod. In 2015, a French court sentenced him in absentia to seven years in prison. Mr. Chikli’s lawyer said his client wants to serve that sentence in Israel.
Christof Kerkmann covers the IT industry for Handelsblatt and is based in Düsseldorf. Lars-Marten Nagel also reported this story for Handelsblatt. Amanda Price in New York City adapted this story to English for Handelsblatt Global. To contact the author: firstname.lastname@example.org