Belgian bank Crelan loses €70 million to BEC scammers

Belgian bank Crelan has become a victim of fraudsters. According to a statement (in Dutch) published last week, the bank has lost over 70 million euros (around $75,8 million).

The theft was perpetrated by outsiders (possibly foreigners), and was discovered during an internal audit. The bank has implemented additional security measures to prevent this from happening again.

The Belgian authorities were informed of the matter immediately, and so were the bank’s risk and audit committees.

“Thanks to reserves accumulate in the past, Crelan can sustain this loss without it having consequences for the bank’s clients and partners,” Luc Versele, the bank’s CEO, stated. “The intrinsic profitability of the bank remains intact.”

They do not say so in the statement, but according to Belgian newspaper Het Nieuwsblad (in Dutch), the bank was a victim of so-called CEO fraud (or BEC scam – Business Email Compromise).

In these attacks, the fraudsters usually either manage to compromise the CEO’s or another high-up manager’s email account, or manage to impersonate them by creating a convincingly similar email account, and send an email to someone in the financial department, ordering a payment to be made to a bank account owned by the fraudsters.

Such an order usually comes with a reason why it should be executed immediately and kept quiet from other employees in the department and the organization.

The scammers are betting on the fact that the employee will not question the order and effect it without hesitation.

Law enforcement agencies and security companies around the world have been warning businesses about BEC scams for a while, but companies are still falling for it.

Austrian airplane systems manufacturer FACC has also announced last week that fraudsters stole $50 million from the company by targeting the financial and accounting department.

User education is the most effective means of protecting companies against BEC scams. Companies should implement measures such as verifying changes in vendor payment location and confirming requests for transfer of funds, refraining from posting financial and personnel information to social media and company websites, using two-step verification for confirming significant transactions (and not use the same environment for both), and so on to prevent becoming victims.