Crelan Bank loses big after it forgets to properly train employees against basic spear-phishing attacks

Jan 25, 2016 16:18 GMT

Belgian bank Crelan, Crédit Agricole's Belgian subsidiary, has announced that it was the victim of a fraud campaign and lost over €70 million ($75.8 million) in the process.

According to Belgian newspaper De Standaard, the fraudsters used a trick called CEO Fraud, also known as Business Email Compromise (BEC) or a whaling attack.

This attack consists of a simple spear-phishing email sent to one of the company's high-ranking executives or somebody in the financial department.

The sender tries to pose as a business partner or even someone from the company itself, asking the recipient to transfer money to a desired account to finalize an urgent business transaction.

The email uses legitimate-looking graphics and a lookalike domain name, trying to fool busy or pressured employees into transferring the money without first double-checking with somebody inside the company.
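The lookalike-domain trick described above is something a mail gateway or SOC can screen for. The following is an added illustration, not code from the article or from Crelan: it flags an inbound sender whose domain is a near-miss of a trusted domain, and a trusted sender whose Reply-To points elsewhere. The domain names and sample headers are constructed placeholders.

```python
# Added example: detect lookalike sender domains and diverted Reply-To headers,
# the two ingredients of the CEO Fraud emails described in the article.
# All domain names below are constructed for illustration.
from email.utils import parseaddr

# Hypothetical allow-list of the organisation's own and partner domains.
TRUSTED_DOMAINS = {"crelan-example.be", "partner-example.com"}


def normalize(domain: str) -> str:
    """Collapse substitutions that look alike in a mail client (rn/m, vv/w, 0/o, 1/l, l/i)."""
    d = domain.lower().strip()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("l", "i")):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Extract the domain part of a From:/Reply-To: header value."""
    addr = parseaddr(header)[1]
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, reply_to_header: str = "") -> str:
    """Return 'trusted', 'reply-to-mismatch', 'lookalike' or 'external'."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        # A trusted From: combined with a Reply-To: elsewhere diverts the reply thread.
        reply_domain = sender_domain(reply_to_header) if reply_to_header else domain
        return "trusted" if reply_domain == domain else "reply-to-mismatch"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample: "rn" standing in for "m" in the bank's domain.
    print(classify_sender("CEO <ceo@crelan-exarnple.be>"))  # prints "lookalike"
```

Verdicts of "lookalike" or "reply-to-mismatch" are candidates for quarantine or an out-of-band confirmation step, not an automatic block, since a partner may legitimately register a new domain.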

CEO Fraud is more common than you think

These types of attacks are quite common, and recently they've also been used to steal €50 million ($54 million) from FACC Operations GmbH, an Austrian firm that produces various airplane parts for companies like Airbus and Boeing.

Last year, the FBI said that companies around the world lost around $1.2 billion / €1.07 billion in the previous two years to CEO Fraud attacks and their variants. Additionally, Mimecast, a cyber-security vendor specialized in email security, said that it detected a 55% increase in CEO fraud in the past year.

"Thanks to ample reserves, Crelan can comfortably manage this loss without it affecting any of our clients or partners in any way," said Luc Versele, Crelan Bank CEO, in a public statement regarding the incident. "The intrinsic profitability of the bank remains unchanged. [...] We are still viable and our total capital is €1,1 billion."

Law enforcement has been brought in to investigate the case further.

To avoid incidents like these, security experts recommend that all company employees, not just executives, follow an email security program that includes training in recognizing phishing emails.