BEC attack on the Italian State Mint: €3 million theft foiled

Security Awareness
22 December 2023

The human factor is at the heart of the incident. There is still a lot to do on the training front

The Italian State Mint was caught out because of a typical Business Email Compromise (BEC) attack.
Some skilled scammer managed to wangle 3 million euros from the symbolic coin production institution. Fortunately, the story had a happy ending and the money was returned to the sender. The experience, however, not only led the victims who fell into the trap to suffer several sleepless nights but, in addition to causing damage to the image of a large company that works for the State, it highlighted how the risk of cyberattacks is always lurking just around the corner and depends for the most part on distraction, superficiality, naivety, emotionality, and lack of the necessary checks: in short, on the human factor...

The dynamics of theft

The story began last May when hackers posed as a rebar supplier, communicating a change of IBAN and asking them to make future payments to this new account instead of the previous one. Of course, the hackers had already long since infiltrated the exchanges between the Italian State Mint and the supplier and were aware of the order.

Therefore, the State Mint fell into the trap by making a payment of 3 million euros to the current account of the Hungarian credit institution MBH provided in the fraudulent email. One million left for Budapest on 15 May, and the other two million on the 26th.

The same day at the Mint, they realised they had been scammed, and it was not a pleasant realisation.

As soon as the alarm was triggered, the postal police intervened on time and 2 million euros were blocked before reaching Budapest.

However, the million euros that had left first and in the name of the names associated with the hackers had already been transferred. In addition to the Postal Police, Interpol and the Italian Foreign Exchange Office (Ufficio Italiano dei Cambi – Uif) of the Bank of Italy were thus involved, which limited the damage as much as possible.

Only 50,000 euros were irretrievably lost, while the remaining 950,000 euros were frozen and will soon be returned to the State Mint.

Usually, the hackers’ accomplices withdraw as much money as possible to drain the account. In this case, fortunately, they were not so quick.

BEC scams

This type of scam falls under the category of so-called “Business Email Compromise” (BEC).
These are attacks that have a particular target: employees and managers within a company can move money, either because it is requested directly from a superior or because they have direct relationships with the various suppliers.

This is how hackers can pretend to be managers or suppliers, mainly through false emails (hence the name of the scam) but also through the use of deepfake techniques that reproduce human voices with extreme accuracy. In this way, they can ask victims, through emails or phone calls, to make transfers to current accounts belonging to criminal organisations.

In addition, thanks to sophisticated social engineering techniques, criminals can obtain the information about potential victims, necessary to optimise criminal activities.

The success of BEC scams requires, in fact, in addition to the fake email account, detailed knowledge of the identity of the officials to be contacted, the tone and phrasing of the purchase order and the communication jargon, as well as knowledge of the supplies to be ordered.

The latest data on BEC attacks

The risks arising from this type of attack result in significant data loss, breach of cybersecurity systems and considerable economic damage.

Last year, companies lost more than $2.7 billion to these scams, according to the most recent Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3). That’s $300 million more than in 2021.

These are losses up to 80 times greater than those caused by ransomware.
According to the FBI’s IC3, BEC scams accounted for as much as 27% of all financial losses caused by cybercrime in 2022. In addition, the average cost of an accident increased from $120,000 in 2021 to $124,000 in 2022.

Although fewer complaints were filed with the FBI’s IC3 in 2022 (800,944 vs. 847,376), overall losses increased from $6.9 billion to over $10.2 billion, an increase of 48% over the previous year.

BEC attacks cause fewer victims than phishing, but the financial losses are much higher. These are highly targeted scams and therefore involve higher financial losses, even if their volume is low.

How to defend against BEC attacks?

Criminals are becoming more and more cunning and their techniques more and more refined. However, this should not discourage us, because there are solutions to defend ourselves. It’s a matter of taking the right steps. First of all, we must keep in mind that these days, it is better not to trust anyone, even if it is our boss or the most loyal of our suppliers who are writing to us. Also, never lose focus and awareness of your actions online, and never act in a hurry or when distracted. These human “weaknesses” are, in fact, the cracks that cybercriminals slip through to launch their most vicious attacks. In addition, before making any payment, it is essential to always carry out all the necessary checks.
Above all, however, you should never stop training in and practising cybersecurity.
It is a body of knowledge that must be kept continuously updated and that above all must be exercised through specific quality training programmes, which can be seamlessly tailored to the skills of each student and adapted to the characteristics of the organisation for which they work.


Articoli correlati

Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and...

read more