Flipkart CEO's Email Spoofed, But Fraud Attempt FailsReport: Fraudsters Tried to Trick CFO Into Transferring Funds
Fraudsters unsuccessfully attempted to steal $80,000 (U.S.) from Indian e-commerce company Flipkart through an email spoofing scheme.
See Also: Autonomous Response: Threat Report
The company told Bengaluru Police that the email account of CEO Binny Bansal was spoofed, and the fraudsters then sent emails instructing the company's CFO, Sanjay Baweja, to transfer money, according to the Times of India.
The fraudsters sent two spoofed emails with the same message to Baweja on March 1, and investigators discovered that the messages were sent from Hong Kong and Canada and routed via a Russian server, the newspaper reports.
A Flipkart spokesperson confirms to Information Security Media Group that the company was targeted by an attempted email spoofing attack but declined to provide further details around the incident.
"Flipkart's corporate email system leverages the highest standards of security, including, but not limited to, two-factor authentication," Flipkart's spokesperson says. The company immediately detected the email spoofing and then filed a report with the police, she added.
The Times of India reports that the attempt at fraud was discovered when the CFO's suspicions were raised by "the nature and timing" of the messages, prompting him to cross-check with the CEO. The newspaper quotes Bengaluru CID as saying the fraudsters apparently used an "advanced virus" to hack into the email account.
Vigilance, Awareness Key
The head of security at an e-commerce portal in India, who asked to remain unnamed, tells ISMG that companies are vulnerable to email spoofing if they have inadequate perimeter security, which can allow phishing emails to slip through. These messages can carry malware that can stay dormant for a long time, making them difficult to detect.
"Spoofing of your CEO's email should not have happened, as this is the first step in email security - especially in a technology-driven company like Flipkart," he says. Implications can be very severe, including and not restricted to having to revamp the entire security architecture.
But Vivek Chudgar, senior director for consulting, APAC, at FireEye, says there are no technical controls that can prevent spoofing.
"Some spam filters and email security can intercept weak spoofing attempts, but sophisticated attempts can bypass security technology," Chudgar says. As a result, businesses need to train all employees on how detect and report suspicious emails, he says.
Law enforcement officials suggest that users always be suspicious of emails requesting money transfers and report them to authorities.