Spear phishing attack costs company $400K

Client sector
Commercial construction
Client challenge
Cybersecurity breach
Services provided
Investigation, cybersecurity consultation
THE CHALLENGES

When your boss, the CFO, is out of the office and emails you to wire $100K to a bank (not an uncommon request within your range of duties), you usually don't second-guess the message's authenticity. If you did that for every request, you wouldn't get any work done. For our client, a $450 million commercial construction company, however, this message was a fraud: an example of spear phishing, in the executive-impersonation form commonly called business email compromise. And the ruse worked.

The controller, who received the message, followed its instructions and initiated the wire transfer after getting the required secondary approval from a co-worker, who also suspected nothing. No one thought further about the matter, and some days later another request came in, this time for $300K to an offshore bank. Only after this second transaction was completed did the controller suspect foul play.

WHAT THE TEAM DID

Grant Thornton LLP was brought in to investigate the incident and use its experience with forensic technology, cybersecurity and incident response to help the client through this difficult process.

First, the team investigated the crime to determine, as far as possible, where the email originated, whether it came from outside the company and whether anyone inside was involved. We interviewed the controller and the secondary approver and determined that the breach was externally driven, most likely a social engineering ploy. The perpetrator was familiar enough with the names and titles of people at the company to create an authentic-looking email.

Next, we examined the laptops and other systems, because the email carried a PDF attachment laced with malware, most likely ransomware, which encrypts data and demands payment for its release. After forensically imaging the client's mail server and several laptops, we determined that the malware had never executed. Email traffic analysis showed that no one else in the company had received similar messages.
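The email traffic analysis described above comes down to searching a mailbox export for messages that share the impersonation indicators of the fraudulent request. The script below is an added example, not Grant Thornton's tooling or anything from the case: the company domain, the executive roster, the similarity threshold and the three sample messages are all constructed for illustration. It flags a From display name that belongs to an executive but is paired with the wrong address, a sender domain that is a near-miss of the company's own, a Reply-To pointing somewhere other than the sender's domain, and payment or urgency wording in the body.

```python
"""Triage a mailbox export for executive-impersonation indicators.

Added example; names, domains and messages below are constructed, not
taken from the case study. Heuristics like these complement, rather than
replace, SPF/DKIM/DMARC enforcement at the mail gateway.
"""
from __future__ import annotations

from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: the company domain and the executive an impersonator
# would borrow a name from (a hypothetical CFO).
INTERNAL_DOMAIN = "example-construction.com"
EXECUTIVES = {"Dana Reyes": "dreyes@example-construction.com"}
PAYMENT_WORDS = ("wire", "transfer", "urgent", "confidential", "offshore")
LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off for "nearly our domain"


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str) -> bool:
    """True for a domain that is nearly, but not exactly, the company's own."""
    if domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= LOOKALIKE_THRESHOLD


def indicators(raw_message: str) -> list[str]:
    """Return the impersonation indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    found: list[str] = []

    # Executive's name on the From line, but not the executive's address.
    expected = EXECUTIVES.get(display_name)
    if expected and sender.lower() != expected.lower():
        found.append("display-name impersonation")
    # Registered a domain one character away from ours.
    if is_lookalike(sender_domain, INTERNAL_DOMAIN):
        found.append("lookalike sender domain")
    # Replies silently routed to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append("reply-to mismatch")
    # Plain-text body only; multipart handling is out of scope here.
    body = "" if msg.is_multipart() else msg.get_payload()
    if any(word in body.lower() for word in PAYMENT_WORDS):
        found.append("payment/urgency language")
    return found


def triage(mailbox: dict[str, str]) -> dict[str, list[str]]:
    """Map message id -> indicators for every message that has at least one."""
    hits: dict[str, list[str]] = {}
    for message_id, raw in mailbox.items():
        found = indicators(raw)
        if found:
            hits[message_id] = found
    return hits


# Constructed sample export: a spoofed From with an external Reply-To, a
# lookalike-domain sender, and a benign internal note.
MAILBOX = {
    "msg-1": (
        "From: Dana Reyes <dreyes@example-construction.com>\n"
        "Reply-To: dana.reyes.cfo@mail-example.net\n"
        "To: controller@example-construction.com\n"
        "Subject: Wire needed today\n\n"
        "I'm traveling. Please wire $100K to the account I sent. Keep this confidential.\n"
    ),
    "msg-2": (
        "From: Dana Reyes <dreyes@example-constructlon.com>\n"
        "To: controller@example-construction.com\n"
        "Subject: Second payment\n\n"
        "Process the $300K transfer to the offshore account today.\n"
    ),
    "msg-3": (
        "From: Dana Reyes <dreyes@example-construction.com>\n"
        "To: controller@example-construction.com\n"
        "Subject: Lunch\n\n"
        "Are you free Thursday?\n"
    ),
}

if __name__ == "__main__":
    for message_id, found in triage(MAILBOX).items():
        print(message_id, "->", ", ".join(found))
```

Run against a real export, the same loop would iterate over the messages of an mbox or a PST converted to mbox; the point of keeping each indicator separate is that an analyst can see which ones co-occur, and a message that trips only the wording check is a different conversation from one whose sender domain is one character off the company's own.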

After the infected laptop was cleaned and returned to service, we conducted a security assessment and provided recommendations on improving processes and putting an incident response plan in place.

OUTCOMES

This was the first occurrence of cybercrime our client had experienced, and they weren't equipped to handle it. They had no incident response policy in place, and the event exposed deficiencies in their internal controls. Their eyes were opened to how unprepared they were.

Although their insurance made them whole financially, the company was still exposed. The security assessment revealed the need for stronger cybersecurity, among other changes. The business leaders are now looking to make improvements such as:

  • Deploying detection tooling and making broader technology improvements
  • Conducting awareness training so employees can spot a fraudulent message
  • Tightening internal controls around payment approvals
  • Creating an incident response plan and an incident response team