An Austrian aerospace manufacturer that lost €50 million in a business email compromise scam earlier this year has fired its CEO over the incident. FACC, which makes components for the aerospace industry, said its board decided last week to fire Walter Stephan for his involvement in the scheme, after previously firing other employees.
In January, officials at FACC said that the company had been targeted by an email scheme run by outside attackers. The scam is believed to have been a version of the business email compromise scheme, in which attackers impersonate an executive or finance official inside a company in order to trick the victim into transferring a large amount of money from the company’s accounts to accounts controlled by the attackers. The fraudsters typically will spoof the domain name of the target company and ask the victim to move the money for an acquisition or other urgent transaction.
“Today, it became evident that FACC AG has become a victim of a crime act using communication- and information technologies. The management board has immediately involved the Austrian Criminal Investigation Department and engaged a forensic investigation. The correct amount of damage is under review. The damage can amount to roughly EUR 50 million. The cyberattack activities were executed from outside of the company,” the statement from FACC said in January.
The FACC case is one of the larger examples of this kind of scheme, and has had unusually far-reaching consequences. The company’s board met last week and decided that it was going to remove Stephan, although the CEO’s role in the scam has not been detailed.
“In the supervisory board meeting, held on May 24, 2016, Mr. Walter Stephan (CEO) was revoked by the supervisory board as chairman of the management board of FACC AG with immediate effect for important reason. The supervisory board came to the conclusion, that Mr. Walter Stephan has severely violated his duties, in particular in relation to the ‘Fake President Incident’,” the company’s statement says.
Statistics compiled by the FBI show that the CEO phishing scam cost United States businesses $246 million in 2015. That number is likely well below the actual monetary losses, as it only represents losses that were reported to the FBI. Many companies don’t report these kinds of crimes, as they don’t want the information to become public. The amount of money that FACC lost in the attack in January is unusually high, but not unique. A Belgian bank lost $75 million to a similar scheme around the same time.