Abnormal Security, an IT security company, recently uncovered a phishing scam that attempted to steal $36 million from an insurance company. The scammers gained access to a real estate company’s accounting data through a phishing attack and then sent a plausible letter to the insurance company, which the real estate company frequently did business with. The letter included an unpaid account for $36 million but with the scammers’ bank details. Since all other documents were in order, the insurance company paid the account, replenishing the scammers’ coffers.
Mike Britton, Director of IT for Abnormal Security, explained the mechanics of the scam and warned that, if left unchecked, the attacker could defraud many other companies. Fortunately, this attack was thwarted before any money was lost. Britton added that in the field of commercial real estate, a $36 million transaction is not unusual, but a change in bank details should raise a red flag.
Mika Aalto, Co-Founder and CEO of Hoxhunt, a cybersecurity training company, advised all organizations, particularly those involved with finances, to remain vigilant. He urged anyone with even the slightest doubts about an email sender’s intentions to call the person who supposedly sent the request or to contact their leader immediately. Hackers usually avoid interaction; therefore, a simple check of a financial or data request through an alternative, safe channel can save companies large sums of money, Aalto said.