As if we needed another reminder of the rising threat of cyber attacks, the estimated EUR 50 million ($55 million) loss arising from a cyber fraud incident targeting Austrian air parts supplier FACC AG made us sit up and take notice.
As Bloomberg reports here, if the damages do indeed amount to $55 million, this would be one of the biggest hacking losses by size.
Bloomberg also points out that the incident is made more intriguing because FACC is 55 percent owned by China-based AVIC.
It will take time for the details of this attack to emerge, but in a January 20 press release, FACC acknowledged that the target of the cyber fraud was the financial accounting department of FACC Operations GmbH.
The company also noted that its IT infrastructure, data security, IP rights and the group’s operational business are not affected by the criminal activities.
Further, FACC said the $55 million in damage was an outflow of “liquid funds”.
“The management board has taken immediate structural measures and is evaluating damages and insurance claims,” FACC added in its third quarter report.
According to this report by ComputerWeekly.com, the fact that FACC’s financial accounting department was targeted in the fraud is prompting speculation that the company was likely the victim of a so-called whaling attack, also known as business email compromise (BEC) and CEO fraud.
In these sophisticated phishing attacks, cyber criminals send fake email messages that appear to come from company CEOs, often when a CEO is known to be out of the office, asking company accountants to transfer funds to a supplier. In fact, the funds go to a criminal account.
Last year, the Federal Bureau of Investigation (FBI) described BEC fraud as an emerging global threat.
Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, more than 7,000 U.S. companies have been targeted by such attacks, with total dollar losses exceeding $740 million. If you consider non-U.S. victims and unreported losses, that figure is likely much higher.
The rising incidence of BEC and CEO fraud and its intersection with cyber insurance will form the topic of a future blog post.
Find out more about cyber risks and insurance in the I.I.I. white paper Cyber Risk: Threat and Opportunity.