
Hotel CEO Finds Unwelcome Guests in Email Account

A boutique hotel CEO fell for a fake IRS email, leading to wire fraud and exposing sensitive business data.

Scenario

The CEO of a boutique hotel realized their business had become the victim of wire fraud when the bookkeeper began to receive insufficient fund notifications for regularly recurring bills. A review of the accounting records exposed a serious problem. At some point a few weeks before, the CEO had clicked on a link in an email that they thought was from the IRS. It wasn’t. When they clicked the link and entered their credentials, the cyber criminals captured the CEO’s login information, giving them full access to intimate business and personal details.

Attack

Social engineering: a phishing attack.

A phishing attack is a form of social engineering by which cyber criminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password or prompt you to open a malicious attachment that infects your computer with malware.

Response

The hotel’s cash reserves were depleted; the fraudulent transfers amounted to more than $1 million. The hotel then contacted a cybersecurity firm to help it mitigate the risk of a repeat attack.

Impact

The business lost $1 million to an account in China. The funds were not recovered.

Lesson Learned

Teach staff about the dangers of clicking on unsolicited email links and attachments, and the need to stay alert for warning signs of fraudulent emails. Engage in regular email security training.

Implement stringent wire transfer protocols and include a secondary form of validation.

Have a cyber incident response plan ready to implement!
