A recent Lazio phishing scam has potentially cost the Italian Serie A football club around €2 million: the club paid the final installment of a player transfer fee into a bank account controlled by a scammer.

The Lazio phishing scam involved some insider knowledge, as the scammer was aware that part of the transfer fee for a player was still outstanding. A carefully crafted email was sent to the Italian club that appeared to come from representatives of the Dutch football club Feyenoord. The email demanded the outstanding balance owed for the player Stefan de Vrij, who had joined Lazio from Feyenoord in 2014.

The email looked official and appeared to have been sent from a legitimate source. The accounts department at the Italian club responded and proceeded with the transfer of funds – approximately $2,460,840 – to the bank account as requested. However, the bank account details supplied in the email were not those of Feyenoord.

When Feyenoord was contacted, the club denied all knowledge of any email communication about the player and confirmed that no funds had been received. The money had been paid to a Dutch bank account, but not one held by any staff at the club, nor any representative of the player.

The payment has been traced and Lazio is attempting to recover the funds. It is not yet known whether the money has been recovered, or whether recovery will be possible at all.

The Lazio phishing scam has certainly made the headlines, but many similar attacks go unreported. Scams such as this are commonplace, and businesses are being fooled into making huge transfers of funds to criminals’ accounts.


While this attack clearly involved some insider knowledge, that information can easily be gained with a simple phishing email. If the CFO of an organization can be fooled into revealing their email login credentials, the account can be accessed and a treasure trove of information can be found. The account can then be used to send an email request to a member of the accounts department or a company that is in the process of making a sizeable purchase.

The attacker can match the writing style of the CFO and copy the usual format of email requests. All too often the recipient is fooled into making the transfer.

This type of scam is called business email compromise – or BEC – and it is costing businesses billions. One recent report estimates that total losses to BEC attacks alone are likely to reach $9 billion in 2018.

These scams are very different from the typical phishing scams of years gone by, where huge numbers of emails were sent in the hope that a few individuals would respond. These attacks are highly targeted, the recipient is extensively researched, and a great deal of time is spent conducting the attack. As the Lazio phishing scam showed, that investment can pay off handsomely for the attacker.

Businesses need to protect themselves against these types of phishing attacks, but there is no silver bullet. Layered defenses are essential. Businesses need to develop an anti-phishing strategy and purchase anti-phishing security solutions. An advanced spam filtering solution is a must, DMARC should be implemented to prevent brand abuse, and security awareness training for staff is essential. Policies should also be developed and implemented that require two-factor, out-of-band verification of any wire transfer over a certain threshold.

Even if an email filter could not have blocked the Lazio phishing email, and the email was believable enough to fool a security-aware employee, a quick telephone call to confirm the request would have exposed the scam for what it was.