The Lazio phishing scam looks to have lead to a €2 million loss for the Italian Serie A football team, which made the final installment of a transfer of a football player to the bank account of a cybercriminal.
The Lazio phishing scam was carried out using some insider knowledge as the cybercriminal was aware that part of the transfer fee for a player still had to be paid. An email was carefully composed and sent to the Italian football team that appeared to have come from the Dutch football club Feyenoord. In the email the outstanding balance for the player Stefan de Vrij was requested. Stefan de Vrij had signed for Lazio from Feyenoord in 2014.
The email appeared to be official and seemed to have been sent from an authentic source. The accounts department at the Italian club replied and proceeded with the transfer of funds – around $2,460,840 – to the bank account as requested. However, the bank account details given in the email were not those of Feyenoord.
When Feyenoord was notified, the club denied all knowledge of any email communication about the player and confirmed that no funds had been transferred to them. The money had been paid to a Dutch bank account, but not one held by any staff at the club, nor the player’s team.
The payment has been investigated and Lazio is attempting to recover the funds. It is not yet known whether the money has been recovered and if that can happen.
The Lazio phishing scam has appeared in new reports, but many similar attacks go unreported. Scams such as this are common, and companies are being tricked into making huge transfers of funds to criminals’ accounts.
While this attack obviously involved some insider knowledge, that information can easily be obtained with a simple phishing email. If the CFO of a group can be tricked into revealing their email login details, the account can be accessed and a treasure trove of information can be located. The account can then be used to issue an email request to a member of the accounts department or a company that is in the process of making a large purchase.
The attacker can match the writing style of the CTO and copy the normal format of email requests. In a lot of cases the recipient is tricked into completing the transfer.
This sort of scam is referred to as business email compromise – or BEC – and it is costing businesses billions. One recent report calculates the total losses to BEC attacks alone is likely to break the $9 billion figure during 2018.
These scams are not the typical phishing scams of years gone by where huge numbers of emails were broadcast in the hope of a few individuals replying. These attacks are highly targeted, the recipient is extensively researched, and a great deal of time is spent carrying out the attack. As the Lazio phishing scam shows, it is certainly worth the time and effort invested.
Businesses need to safeguard themselves against these sorts of phishing attacks, but there is no silver bullet. Layered defenses are vital. Companies need to create an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is crucial, DMARC should be configured to stop brand abuse, and security awareness training for staff is vital. Policies should also be formulated and implemented that require two-factor verification on any wire transfer over a certain amount.
Even if an email filter could not prevent the Lazio phishing email and the email was so genuine to trick a security aware employee, a quick telephone call to confirm the request could have shown the scam for what it was.
