Los Angeles-based toy manufacturer Mattel was recently caught up in a phishing scam which saw the firm almost hand over the tidy sum of $3 million to Chinese cyber-criminals.
Luckily for Mattel, whose brands include Hot Wheels, Barbie and WWE, the hackers' timing was only half right. They were cunning enough to attempt the con during a period of corporate change for the company, with new CEO Christopher Sinclair having only just officially taken charge, but they failed to account for one significant detail that turned out to be the saving grace for the toy giant – a bank holiday.
The scammers targeted an unnamed executive with a simple phishing email that appeared to have come from Sinclair but, as is often the case, was bogus. The message requested that funds be wired to the Bank of Wenzhou for a vendor, and because the exec, a high-ranking manager herself, believed she had complied with company protocol, she carried out the transfer.
It did not become apparent that something was wrong until hours later, by which time the money was already on its way to China and Mattel’s efforts to stop the process appeared to be in vain.
However, because the transfer took place on a bank holiday, in this case Good Friday, the money could not be retrieved on the day and the hackers had to wait until the bank reopened on the following Monday. This slice of luck bought Mattel precious time to work with Chinese authorities to recover the cash before the perpetrators could claim the spoils.
Some good fortune for the toy company on this occasion then, but that does not mask the fact that phishing scams like this are now not only all too common, but more worryingly, too easy for hackers to carry out.
Companies have to realize that social engineering is a major issue: it can be used to bypass even the strongest and most sophisticated security infrastructure, because it targets people and process rather than technology.
In a statement to Infosecurity, Quentyn Taylor, Director of EMEA Security at Canon, explained that we are now seeing a huge rise in phishing attacks because the cost of execution is low, whereas the possible payouts can be huge – and that to defend against them successfully, companies must couple sufficient processes with employee education.
“Successful companies don't simply tell executives what they should do to keep company data safe, they exercise them in detecting and responding to incidents – not just once but continually,” he said.
“Mindset is harder, but it requires making sure that executives and employees understand that it's OK to question and check if they are suspicious. The attackers depend on staff blindly following orders, being unable to pick up the phone to confirm – by changing this mindset, employees become a much harder target, helping to keep your company data secure.”
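The process control Taylor describes, holding any payment request that looks like it comes from an executive until someone picks up the phone, can be partly automated at the mail gateway. The following is an added example, not code from Mattel, Canon or the original article; the corporate domain, the executive roster and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical values for this example: the company's own mail domain and a
# roster of executive display names mapped to their real addresses.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"christopher sinclair": "csinclair@example.com"}
PAYMENT_TERMS = ("wire", "transfer", "payment", "bank", "vendor", "invoice")

def triage(raw_message: str) -> dict:
    """Score one inbound message for the CEO-impersonation wire-fraud pattern.

    Returns the findings plus a 'hold' flag meaning the request must not be
    acted on until the sender is confirmed out of band (e.g. by phone).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + msg.get("Subject", "")

    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name matches an executive but address differs")
    if expected and domain and domain != CORPORATE_DOMAIN:
        findings.append("executive name on an external sender domain")
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To diverts replies away from the From address")
    hits = [t for t in PAYMENT_TERMS if t in text.lower()]
    if hits:
        findings.append("payment request language: " + ", ".join(hits))

    # Hold only when money is being requested AND the sender looks spoofed.
    hold = bool(hits) and any("executive" in f or "Reply-To" in f for f in findings)
    return {"from": addr, "findings": findings, "hold": hold}

# Constructed sample message; not a real Mattel email.
SAMPLE = """From: Christopher Sinclair <ceo-office@mail-example.net>
To: finance@example.com
Subject: Urgent vendor payment

Please wire the vendor payment today and confirm once done.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hold flag is a prompt for the finance team to call the executive on a known number; it does not replace that call.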
Similarly, Mark Logsdon, cyber resilience expert at AXELOS, warns that if companies do not implement widespread changes, we will continue to see more and more organizations fall victim to similar socially engineered attacks.
“We need to understand a little about why phishing attacks are used by criminals,” he argued, saying they use simple techniques that manipulate “very basic instincts” which lead to “momentary lapses in concentration.”
Finally, like Taylor, Logsdon believes that better user awareness is a key factor in managing phishing risks.
“It’s important therefore to make everyone in the organization aware about what a phishing email is, what it does, what it looks like and importantly what one can do to prevent them from working. To be effective the messages contained in the awareness material must be engaging, relevant and importantly, ongoing,” he added.