Phishing scams can prove expensive for businesses, as the Italian Serie A football team Lazio is now knows all too well. A recent phishing scam could have cost the club €2 million Euros ($2,461,990).
Lazio Football Club transferred in defender Stefan de Vrij from the Dutch club Feyenoord in the summer of 2014 for around €8 million Euros. Not all of that transfer fee was paid in one lump sum. There was one outstanding payment left of around €2 million Euros. It is that final transfer of funds that was lost.
Lazio officials responded to an email that demanded the final payment for the player. That email was not sent by his former club or club representatives, which is what was claimed in the email.
The scam was similar to many others received in recent months by other businesses. The email correspondence looked official, a payment was requested, there was urgency, and bank account details were supplied. The payment was made as requested, yet it didn’t arrive at the intended destination. When Lazio contacted Feyenoord, the club denied all knowledge of the email request and it became clear that the Italian club had been scammed.
Lazio Football club has managed to track the funds to a Dutch bank account, but the account has nothing to do with the Dutch club, the player, or any representatives of either. Lazio is currently attempting to recover the funds, although whether that will be possible remains to be seen.
What is clear from this phishing scam is the scammers knew that there were funds outstanding and the amount that was due to be paid. Where that information came from remains a mystery. An email account could have been hacked at either club allowing the attackers to formulate a plan to fraudulently obtain the final transfer payment. Alternatively, someone could have had insider knowledge about the transfer of the player. Scams such as this commonly involve the hacking of an email account. Emails are then trawled looking for valuable information that can be used as the basis for a future scam.
The scam shows just how expensive phishing attacks can be for victims and how lucrative they can be for the scammers. Spray and pray tactics are still used, but these sophisticated spear phishing scams are becoming more common due to the high potential returns.
To reduce risk, businesses need to ensure all company employees from the C-Suite down are provided with security awareness training and are taught cybersecurity best practices and how to identify scams.
Simple policies can also be introduced that prevent scams such as these from working. A policy can be introduced that requires the authenticity of any request to wire transfer funds – above a certain threshold – to be verified by phone before any funds are released. A call to the intended recipient using verified contact information could easily prevent a scam such as this from working.