European retailer Pepco loses €15.5 million in phishing (possibly BEC?) attack

Pepco Group has confirmed that its Hungarian business has been hit by a “sophisticated fraudulent phishing attack.”

Pepco phishing attack

The European company, which operates shops under the Pepco, Poundland and Dealz brands, said that the company lost approximately €15.5 million in cash as a consequence of the attack.

“It is unclear at this stage whether the funds can be recovered, although Pepco is pursuing various efforts through its banking partners and the police. At this stage, the incident does not appear to have involved any customer, supplier or colleague information or data,” they shared on Tuesday.

Pepco says it’s a phishing attack, but it might also be business email compromise

“Based on the company statement, it sounds like it has been the victim of a social engineering attack, which led to the accidental transfer of money to fraudsters,” Irene Coyle, chief operating officer at OSP Cyber Academy, told Help Net Security.

“If this is the case, this type of attack is called business email compromise and it involves a fraudster spoofing the email address of a legitimate employee within an organization and then sending out correspondence to other people in the business, mostly those who work in accounting or finance departments, and asking them to urgently pay an invoice or process a payment.”

The widespread availability of AI tools could make these attacks easier to execute and likelier to victimize potential targets, she noted, since it allows scammers to deliver emails without spelling errors that mirror the tone of previous email correspondence.

Advice for defenders

According to Abnormal Security, BEC attackers have been targeting European organizations at an increasing rate.

“Organizations must learn from the incident against Pepco and improve their defenses against BEC phishing attacks,” Coyle pointed out, because these attacks can be business-destroying.

“Organizations must train their staff regularly. Employees that work in accounting and finance must be aware of the techniques criminals use to dupe them and be on guard constantly for these types of threats,” she said.

“It is also important to adopt processes which standardize payment verifications. If an email comes in asking for an urgent transfer, double-check its validity. It may delay the payment by a few minutes, but that is a very small price to pay in comparison with the financial losses a company could endure.”

Pepco Group said that it’s taking the necessary steps to investigate and respond to the incident and is conducting a group-wide review of all systems and processes to secure the business more robustly.

“The Group will provide a further update as and when appropriate,” they concluded.

OPIS

Subscribe to the Help Net Security breaking news e-mail alerts:

OPIS

Don't miss