18 Mar 2023

How a CEO lost €42 million and his job after a cyber-attack

Let’s look at one of the most notorious cyber-attacks of all time: the 2016 phishing email sent to aerospace manufacturer FACC. We’ll explore how it all went down, the impact on the company, and what happened to the people involved.

The attack was a whale-phishing email scam known as a ‘fake president’ attack. In a phishing scam, hackers send numerous generic emails to random individuals hoping to trick them into revealing personal information. Spear-phishing is more targeted, with cybercriminals sending personalised messages to specific individuals to gain access to sensitive data. Whaling, on the other hand, targets high-level executives or ‘big fish’.

So how did it happen?

FACC revealed that the phisher, posing as the company’s CEO, instructed an employee in the finance department to send €42 million to an attacker-controlled bank account. The employee, unable to spot the fraudulent email, complied with the request. It’s unclear exactly what went wrong, but there are suggestions that the CEO was at least partially at fault.

Phishing, Spear-phishing and Whale-phishing

The attack’s goal was to create a believable message by imitating the CEO’s writing style. The cybercriminals broke into the company’s email server and studied the executive’s writing habits and quirks to make the message look legitimate. The email, purportedly from the CEO, requested the money for an “acquisition project.”
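The request described above has the hallmarks a mail gateway or finance inbox can be taught to notice: an executive's display name on a message that does not come from that executive's mailbox, a Reply-To that diverts replies elsewhere, and wording that pushes for a fast, confidential payment. The following Python script is an added illustration written for this post, not tooling from FACC or any vendor; the company domain, the executive name and mailbox, and the two sample messages are constructed for the example.

```python
"""Hypothetical screening rule for 'fake president' emails.

Added illustration (not FACC's or any vendor's tooling): scores a message when
the display name matches a known executive but the mailbox or domain is not the
one on record, when Reply-To points to a different domain, or when the body
presses for an urgent, confidential money transfer. The executive list, company
domain and sample messages are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed: the organisation's own domain and the executives whose names a
# fraudster would most likely borrow (the 'whales').
COMPANY_DOMAIN = "example-aero.test"
EXECUTIVES = {"walter example": "ceo@example-aero.test"}  # hypothetical mapping

# Phrases typical of a payment-diversion request; each is one signal, not proof.
PAYMENT_PATTERNS = [
    r"\b(wire|transfer|remit)\b.*\b(eur|€|usd|\$)\s?\d",
    r"\bacquisition\b",
    r"\b(urgent|immediately|today)\b",
    r"\b(confidential|do not discuss|keep this between us)\b",
]


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw: str) -> dict:
    """Return {'score': int, 'reasons': [...]} for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []

    key = name.strip().lower()
    if key in EXECUTIVES:
        # The display name belongs to an executive; check the mailbox behind it.
        if addr.lower() != EXECUTIVES[key]:
            reasons.append(f"display name '{name}' does not match executive mailbox")
        if _domain(addr) != COMPANY_DOMAIN:
            reasons.append(f"executive name sent from external domain '{_domain(addr)}'")

    # Replies silently routed to a third-party mailbox are a classic diversion.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        reasons.append(f"Reply-To domain '{_domain(reply_addr)}' differs from From")

    hits = [p for p in PAYMENT_PATTERNS if re.search(p, body, re.I | re.S)]
    if hits:
        reasons.append(f"{len(hits)} payment-pressure phrase(s) in body")

    return {"score": len(reasons), "reasons": reasons}


def requires_callback(result: dict, threshold: int = 2) -> bool:
    """Route the request to out-of-band verification (phone the executive on a
    known number) when enough signals stack up."""
    return result["score"] >= threshold


# Constructed sample: look-alike domain, executive's name, classic wording.
SUSPICIOUS = """\
From: Walter Example <w.example@example-aer0.test>
Reply-To: Walter Example <finance-desk@mailbox-relay.test>
To: accounts@example-aero.test
Subject: Acquisition project - strictly confidential

Please wire EUR 42,000,000 today to the account below for the acquisition project.
Keep this between us until the deal is announced.
"""

# Constructed sample: routine message from the executive's real mailbox.
BENIGN = """\
From: Walter Example <ceo@example-aero.test>
To: accounts@example-aero.test
Subject: Q3 board pack

Attached is the draft agenda for the board meeting. Comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        r = screen_message(raw)
        verdict = "callback" if requires_callback(r) else "ok"
        print(label, r["score"], verdict, r["reasons"])
```

The score is deliberately a count of independent signals rather than a single keyword match: the constructed fraud sample trips all four (wrong mailbox, external look-alike domain, diverted Reply-To, payment-pressure wording), while the routine board-pack message trips none. The useful part is the routing decision, not the regexes: anything above the threshold goes to a call-back on a known number before money moves, which is the control that would have stopped the transfer described here regardless of how convincing the writing style was.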

The aftermath

The financial impact was substantial, with FACC’s share price plummeting and the company reporting a significant drop in earnings for the fiscal year. The CEO was fired in May 2016 due to his role in the unauthorized transfer. But he wasn’t the only scapegoat. Both the CFO and the finance department employee who fell for the ruse were also sacked.

FACC sued the former CEO and CFO for $10 million, alleging they didn’t do enough to protect the company against cyber fraud. The Austrian courts threw out both lawsuits, but the case demonstrated the personal risk to executives of not performing ‘due diligence’ concerning cybersecurity.

The hacker’s identity

The hacker has never been found, although a Chinese citizen was arrested in Hong Kong for money laundering in connection with the attack. A spokesperson for FACC said the company was working on getting back €10 million, which had been found and frozen on accounts in different countries worldwide. The remaining €32 million is out there somewhere.

The FBI reports that businesses worldwide lost an estimated $1.8 billion to fake president scams in 2020 alone. According to a cybersecurity report from Trend Micro, the average loss per attack is around $130,000.

FACC implemented new security measures in response to the attack and thoroughly reviewed its internal processes to prevent future incidents. The company also increased its focus on cybersecurity training for employees at all levels, emphasising vigilance when handling sensitive communications.

It’s also important to stress that the CEO, CFO and finance employee at FACC were knowledgeable people. They just hadn’t been given the right training on a regular basis to ensure constant vigilance. This phishing attack is a cautionary tale for businesses of all sizes and industries, and a reminder that cyber threats continue to pose significant risks to our digital world.

By Graham Smith