It was late July in 2018, the holiday season. Algol’s sales and customer service e-mail account was hacked. The hackers had managed to phish a password to the account. They then worked out the logic behind the advance payment protocol followed by Algol and its suppliers and faked a few such e-mail threads.
“The forgeries were excellent. They included all the necessary information and attachments such as purchase orders. The individuals involved in the correspondence appeared to include our customer service and sales staff. The fake invoices looked completely legitimate”, explains Algol’s CIO Arto Peterzens.
Algol made two payments to the hackers before the scam was discovered. The first was for USD 140,000 and the second for USD 250,000.
Luckily, the company’s bank stopped the second payment. The bank realised that the cyber thief’s bank account had been used for fraudulent activity before.
“A number of unhappy coincidences were at play. Our staff had been sharing e-mail accounts so that many had access to each other’s e-mails. Once the hackers got into one account, they were also able to access others”, Peterzens explains.
“The hackers also used filters so that other recipients of the hacked account did not receive the messages. It looked as if multiple members of our staff were included in the e-mails, but this was not the case.”
The person whose account was hacked was away on holiday. Since staff were known to use each other’s accounts, nothing seemed out of place.
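The filtering trick described above, where rules on the compromised mailbox quietly diverted the fraudulent threads so that the other people named on them never saw a message, is something a defender can look for directly. The following is an added example, not code from the article or from Algol: it audits an exported list of mailbox rules for rules that delete mail, move it to folders where it is unlikely to be noticed, or mark it read, and raises the severity when the rule's name or conditions mention invoices, payments or suppliers. The rule record format (dicts with `name`, `enabled`, `conditions` and `actions` keys), the `HIDING_FOLDERS` set and the `PAYMENT_TERMS` list are all assumptions; a real mail platform's rule export must be mapped onto that shape first.

```python
"""Audit exported mailbox rules for patterns that hide mail from its owner.

Added example, not from the article or Algol. The rule records are a
constructed, simplified format: a list of dicts with 'name', 'enabled',
'conditions' and 'actions' keys. Real mail platforms export rules in their
own formats, so map those fields onto this shape before calling audit_rules().
"""

# Target folders where a moved message is unlikely to be noticed (assumption).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive",
                  "conversation history"}

# Terms tied to the advance-payment workflow the scam abused; a hit raises severity.
PAYMENT_TERMS = ("invoice", "payment", "purchase order", "supplier", "bank", "wire")


def _rule_text(rule):
    """Concatenate the rule's name and all condition strings for keyword checks."""
    parts = [rule.get("name", "")]
    for value in rule.get("conditions", {}).values():
        if isinstance(value, (list, tuple)):
            parts.extend(str(v) for v in value)
        else:
            parts.append(str(value))
    return " ".join(parts).lower()


def audit_rule(rule):
    """Return a finding dict for one rule, or None if it looks benign."""
    if not rule.get("enabled", True):
        return None  # disabled rules hide nothing; report only what is live
    actions = rule.get("actions", {})
    reasons = []
    if actions.get("delete"):
        reasons.append("deletes matching messages")
    folder = str(actions.get("move_to_folder", "")).strip().lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves matching messages to '{folder}'")
    # Marking read only matters when combined with a hiding action above.
    if actions.get("mark_as_read") and reasons:
        reasons.append("marks them read, so no unread count draws attention")
    if not reasons:
        return None
    terms = [t for t in PAYMENT_TERMS if t in _rule_text(rule)]
    if terms:
        reasons.append("matches payment-related terms: " + ", ".join(terms))
    return {
        "rule": rule.get("name", "<unnamed>"),
        "severity": "high" if terms else "medium",
        "reasons": reasons,
    }


def audit_rules(rules):
    """Audit a list of rule dicts; findings are returned high severity first."""
    findings = [f for f in (audit_rule(r) for r in rules) if f]
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


# Constructed sample export: one benign rule, one hiding rule, one disabled rule.
SAMPLE_RULES = [
    {"name": "Newsletter filing", "enabled": True,
     "conditions": {"from_contains": ["news@example-vendor.test"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "purchase order"],
                    "from_contains": ["@example-supplier.test"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
    {"name": "Old cleanup", "enabled": False,
     "conditions": {"subject_contains": ["payment"]},
     "actions": {"delete": True}},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity'].upper()}] rule {finding['rule']!r}:")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, only the second rule is reported, at high severity: it files invoice and purchase-order mail from a supplier domain into an obscure folder and marks it read. Such a review is cheap to run across every mailbox after a credential compromise, and it pairs naturally with the login-history and firewall-log checks the company describes later.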
“We knew that our advance payment protocol was risky. Suppliers requiring substantial upfront payments is not uncommon in our business. What makes the system even more vulnerable is the fact that these payments often need to be made quickly.”
Many factors contributed to making the scam possible.
“If, for example, the scammers had invoiced us for EUR 2 million, we would have known not to pay it. The scammers did not get too greedy but instead studied the kinds of orders that we typically place and were able to pick an unsuspicious amount”, Peterzens explains.
“This was not just a technological scam but also a logistical operation. Someone had to monitor the account to learn how we move supplies and money. And they had to learn quickly.”
Algol is a multi-industry group with operations in 11 different countries. The organisation has learnt its lesson.
“All our employees are now required to use two-factor authentication on their accounts. All e-mail accounts that did not use two-factor authentication were disabled as soon as we realised what had happened. Everyone in the organisation was also told to change their network password, which also updated the passwords on their e-mail accounts. We checked the computers, firewall logs and login history of the employees whose accounts had been hacked and informed our partners.”
In addition to these immediate fixes, many of Algol’s financial administration processes have been tweaked.
“We now require more stringent checks before payments are made and vet new suppliers more carefully. Internally, we have begun to double-check the legitimacy of invoices by telephone. The accounts used to make upfront payments to existing suppliers are also checked manually.”
Sharing information about the incident was crucial for ensuring that the same could not happen again. Staff were told about the scam immediately and were given an explanation of why the scammers had been successful.
“Initially, our employees were mostly concerned about getting around the issue. They wanted to know how they could access their e-mails and grumbled about needing to get back to work. Once the news had sunk in properly, they began to treat every e-mail as a potential threat. We were inundated with questions about suspicious messages and whether they could or could not be trusted.”
The Group CEO Alexander Bargum played an important role in educating employees.
“We wanted to bring the issue out in the open instead of everyone covering their own back. Getting this across successfully was largely thanks to Mr Bargum. He was very outspoken about the incident and took a lead on the investigation”, Peterzens explains.