Norfund, the Norwegian state-owned investment fund for developing countries, has revealed that it has been swindled out of US $10,000,000 (approximately 100 million Norwegian Krona) intended for an institution in Cambodia.
The fund, which helps the Norwegian government build sustainable businesses and industries in developing countries by providing equity capital, is thought to have had its email system compromised by scammers for several months.
After breaching its infrastructure, the attackers were able to patiently monitor Norfund's email communications with partners, gather information, and create an account impersonating a member of staff authorised to make payments.
As Norfund's press release explains, the fact that the hackers had bade their time, learning how the investment fund operated, helped the fraud succeed:
"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified."
According to Norfund, as a result, the funds were sent on March 16th to a bank account in Mexico which were in the same name as LOLC, the legitimate microfinance institution in Cambodia.
As local media reports, the scammers cunningly took advantage of the compromise of Norfund's email system to inform LOLC that the payment had been delayed due to the Coronavirus pandemic.
Meanwhile, Norfund itself received fake emails claiming to come from LOLC in Cambodia.
As a result, no-one realised that $10,000,000 loan had gone missing until the criminals attempted to steal yet more money via the same method on April 30th.
Describing the fraud, Norfund's CEO Tellef Thorleifsson said "It was wonderfully done."
Thorleifsson admitted that his organisation had previously sharpened its procedures in light of "similar cases with our partners" but that clearly it had not done enough:
"This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this."
Norfund says it immediately contacted law enforcement agencies, and has brought in an consulting firm PWC to conduct an investigation as to what went wrong, and how similar attacks can be prevented in future.
Fraudsters are said to have attempted to steal a jaw-dropping $9 billion from organisations through Business Email Compromise attacks since September 2016.
All firms need to ensure that they have educated their staff about the significant threats posed by Business Email Compromise, protected email accounts with multi-factor authentication, introduced technology, policies, and procedures to reduce the risk of becoming the next victim of an attack that could cost millions of dollars.