BEC scammers stole €19m from film company Pathé

The Dutch branch of the French film production and distribution company Pathé has lost over 19 million euros to BEC scammers, Dutch News reported.


The scam

Information about how the scammers pulled it off has been gleaned from court documents relating to an unfair dismissal lawsuit brought against Pathé France by Edwin Slutter, the Dutch branch’s former chief financial officer.

The attack started on March 8, when Pathé Nederland director Dertje Meijer received an email that appeared to come from the chief executive of the French parent company. In fact, the email came from a spoofed address that the scammers presented as the personal email address of the French chief executive.

The scammers started the interaction with a simple question: “Have you been contacted by Mr. [real name of employee] from KPMG this morning?”

When Meijer replied that she had not, the scammers began setting the stage for the scam: they asked her to send the current “bank position,” explained that they “are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai,” and asked her to contact the aforementioned KPMG employee via an email address they provided, in order to obtain the Dubai company’s banking details so that the required money could be sent to that account.

“As a security measure for this type of confidential transaction, we must communicate via my personal email so that our discussions are free of any risk of disclosure and respect the transaction’s norm. It is imperative that no matter what, whether orally or by phone. In accordance with the norms of KPMG, my personal email is to be the sole means of communication. Once the transfer orders had been written out, please forward to Mr. [real KPMG employee] or to myself the confirmation by email,” the scammers wrote.

At this point Meijer became suspicious, so she forwarded the email to Slutter and asked him whether he thought it was strange. He advised her to reply to the email and ask for additional confirmation from the Pathé France manager or another highly placed employee.

The scammers agreed, and sent an email impersonating the Pathé France manager, apparently confirming the need for the transaction, reiterating the need for secrecy, and attaching an invoice from the Dubai company with the description “Amount for 10% of the acquisition”, signed by both the Pathé France manager and the chief executive.

Slutter checked the signatures and the payment was made. In the days that followed, several more payments were made, amounting to over 19 million euros in total. The money was drawn from different sources, one of which was the so-called “cash pool” of the Pathé group in France.

During the different interactions with the scammers, the latter made a number of small mistakes that should have made Meijer and Slutter suspicious (e.g., an email sent from one spoofed email address was signed by the owner of the other one), but apparently they failed to notice them.

After the last transaction, the fraudsters reassured them that all the withdrawn money would be repaid. But that very same day “questions came from France about the amounts requested from the cash pool. During a telephone consultation that same day, it became clear that Pathé had become a victim of a so-called CEO fraud.”

Pathé commissioned an outside company to investigate whether Meijer and Slutter were involved in the scam. They concluded that they hadn’t, and that the company was targeted by “a professional gang of fraudsters.”

Nevertheless, Meijer and Slutter were dismissed. It’s unknown whether the stolen money was recovered.

BEC scammers’ tactics

Slutter ultimately brought the unfair dismissal lawsuit against the company and argued that he “did what was necessary to verify that the payment orders were authorized,” that Pathé never trained or instructed him to identify fraud, and that the “red flags” Pathé believed he should have recognized were not easy to spot.

The Dutch court agreed with him, and ruled that the company does not have to give him his job back, but that it should pay the salary he would have received from March to December 2018.

There is no doubt that this scam was well thought out. The fraudsters clearly did their homework and got a good enough picture of the company’s internal workings (the names of real executives and of a real KPMG employee, the existence of the group cash pool) to mount a believable attack.

They also succeeded in preventing Slutter from confirming the transactions via phone by insisting that the communications must be made only via (the spoofed personal) email, “as a security measure for this type of confidential transaction.”

Initiating an email conversation with the target that won’t be flagged by conventional email security solutions, because the email carries no malicious attachment or link and arrives from a plausible-looking sender address, is a tactic often used by BEC scammers.

These “conversation starter” emails usually take the form of legitimate payment requests, invoices, document delivery emails, alerts urging “account verification” because emails ostensibly can’t be delivered, urgent requests apparently coming from their colleagues and superiors, and so on.
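Because these conversation starters carry nothing a sandbox or URL filter can catch, detection has to look at who is writing, from where, and what is being asked. The script below is an added example written for this article, not code from Pathé, the court, or any vendor. It scores a message on the signals the case exposes: an executive’s name on an address outside the corporate domain (the spoofed “personal email”), a Reply-To that redirects the conversation elsewhere, a sign-off that does not match the From name (the slip the article notes), and secrecy language combined with a payment request. The corporate domain, executive roster and the three sample messages are constructed for illustration; the scammer wording is paraphrased from the tactics described above, not taken from the case file.

```python
"""Heuristic triage for payload-free "conversation starter" BEC emails.

Added example for this article (not Pathé's or any vendor's code). The
executive roster, corporate domain and sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed corporate domain and executive roster (hypothetical).
CORP_DOMAIN = "example-films.com"
EXECUTIVES = {"jean dupont": "CEO", "marie martin": "CFO"}

# Secrecy and payment phrasing typical of CEO fraud; weighted, not decisive on their own.
SECRECY_CUES = [
    r"\bpersonal e-?mail\b",
    r"\bsole means of communication\b",
    r"\bconfidential(ity)?\b",
    r"\b(do not|don't) (call|phone)\b",
]
PAYMENT_CUES = [r"\btransfer\b", r"\bbank position\b", r"\bacquisition\b", r"\binvoice\b"]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _signature_name(body):
    """Last non-empty line of the body, assumed to be the sign-off name."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return lines[-1].lower() if lines else ""


def triage(raw):
    """Return a list of (finding, weight) for one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    name_l, dom = name.lower(), _domain(addr)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = []

    # 1. Executive display name on a non-corporate address: the spoofed "personal" mailbox.
    if name_l in EXECUTIVES and dom != CORP_DOMAIN:
        findings.append((f"exec display name '{name}' from external domain {dom}", 4))

    # 2. Reply-To steers the conversation to a different domain than From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != dom:
        findings.append((f"Reply-To domain {_domain(reply_to)} != From domain {dom}", 3))

    # 3. Sign-off names a different executive than the From header claims.
    sig = _signature_name(text)
    if sig in EXECUTIVES and name_l in EXECUTIVES and sig != name_l:
        findings.append((f"signed '{sig}' but From is '{name_l}'", 3))

    # 4. Secrecy instruction together with a payment request; each alone is common in legitimate mail.
    secrecy = any(re.search(p, text, re.I) for p in SECRECY_CUES)
    payment = any(re.search(p, text, re.I) for p in PAYMENT_CUES)
    if secrecy and payment:
        findings.append(("secrecy instruction combined with payment request", 2))
    return findings


def score(raw):
    """Total weight of all findings; 0 means nothing suspicious was seen."""
    return sum(w for _, w in triage(raw))


# Constructed samples; wording paraphrases the tactics, not the real emails.
SPOOFED_CEO = """\
From: Jean Dupont <jean.dupont.private@webmail.example>
To: director@example-films.com
Subject: Confidential

Have you been contacted by our KPMG adviser this morning?
As a security measure for this confidential transaction we must communicate
via my personal email only; it is to be the sole means of communication.
Please send me the current bank position so the transfer can proceed.

Marie Martin
"""

LOOKALIKE_REPLYTO = """\
From: Jean Dupont <jean.dupont@example-films.com>
Reply-To: jean.dupont.private@webmail.example
To: cfo@example-films.com
Subject: urgent

Please process the attached invoice today and do not call me about it, I am in meetings.

Jean Dupont
"""

LEGIT_CFO = """\
From: Marie Martin <marie.martin@example-films.com>
To: director@example-films.com
Subject: Q1 invoice approvals

Attached are the March invoice approvals for your review.

Marie Martin
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_CEO), ("reply-to", LOOKALIKE_REPLYTO), ("legit", LEGIT_CFO)]:
        print(label, score(raw), triage(raw))
```

The header checks are cheap and catch the two mechanics in this case (an executive name on an outside mailbox, and a message whose signature contradicts its sender); the phrase matching is deliberately weighted low because “confidential” and “invoice” appear in plenty of legitimate finance mail. None of this replaces the control that actually stops CEO fraud: an out-of-band callback to a number already on file before any new beneficiary or large transfer is approved, regardless of what the email says about secrecy.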
