How Barbie-doll maker Mattel clawed back $3m from cyberthieves

Barbie may well be a pinch-waisted physiological phantasy, but her maker, Los Angeles-based toymaker Mattel, is anything but.

In fact, we’ve just learned that swindlers managed to squeeze $3 million out of the company last year by using the increasingly common “CEO email” scam.

The Associated Press revealed the scam in a report investigating money laundering and other financial crime in Wenzhou, China.

Back on 30 April 2015, according to the AP, a finance executive got a note from the newly installed CEO, Christopher Sinclair, requesting a new vendor payment to China.

At least, she thought it was from the CEO, and she didn’t see anything wrong with the request.

Protocol required that fund transfers be approved by two high-ranking managers: she was one, and the CEO, who’d just started that same month in a time of tumult for the Los Angeles company, was another.

So the financial executive went ahead and wired over $3 million to the Bank of Wenzhou, in China.

Hours later, she mentioned the transfer to Sinclair.

His response: What transfer?!

The company called the police, its US bank, and the FBI.

The bureau’s response: Tough luck! The money’s already in China.

What happened?

The AP spoke to an anonymous source close to the investigation, but no details on the phony email were forthcoming.

We do, however, know of similar cases, because this is a common type of scam.

These fake CEO email scams, or business email compromises in the terminology of the FBI, are costing companies big-time: over $1.2 billion has been lost on a global scale between October 2013 and August 2015, the bureau reported last August.

The FBI described another case that sounds like a carbon copy of Mattel’s ordeal, minus what turned out to be a happy ending for the toymaker.

In this case, a US company’s accountant received an email that looked like it came from her CEO, who was out of the country.

The email instructed her to wire $737,000 to a bank in China, to complete an acquisition. It was time-sensitive, of course, and had to be completed by day’s end.

Besides the “CEO’s” email, the accountant received another email, supposedly from the company’s lawyer. It contained the appropriate letter of authorization, including her CEO’s signature over the company’s seal.

The fraud was uncovered when she spoke to her boss the next day. Only then did she realize that the first e-mail she received from the CEO was missing one letter: instead of .com, the email address read .co.

This was no Nigerian prince fraud. No grammar or spelling mistakes, nothing blatant to raise red flags.

The AP’s source said that he scammers who took on Mattel had likewise done their homework, “mining social media and likely hacking corporate emails to penetrate Mattel’s corporate hierarchy and payment patterns.”

The (all too rare) happy ending

Law enforcement and its US bank told Mattel that it was out of luck, but they were wrong. The company did, in fact, get very lucky.

As it turned out, Friday, 1 May, was Labor Day in China: a bank holiday.

According to a letter from Mattel thanking Chinese authorities, the company notified Chinese police, who launched an investigation.

Come Monday morning, a company executive for Mattel was at the bank’s door, ready to pop into the bank as soon as it opened.

From the AP, based on the accounts of two anonymous people familiar with the investigation:

When the Bank of Wenzhou opened the following Monday, a China-based anti-fraud executive from Mattel strode past the sculpted lions that flank the entrance to the bank’s headquarters, marched upstairs to the International Business Department and presented a letter from the FBI.

Chinese police froze the account that same morning. Mattel got its money back two days later, on 6 May.

The fraudsters haven’t been found, and the investigation is ongoing.

But a lesson was learned as far as working with Chinese law enforcement, the AP reports.

The AP quoted Huang Feng, Director of the Institute for International Criminal Law at Beijing Normal University, who said that Mattel did the right thing by asking Chinese authorities to use Chinese law to help it claw back its money.

If we need help getting corrupt officials or bribes back, we need to offer assistance when other countries need it too. The problem is not that the Chinese authorities have been uncooperative, it’s that we don’t have a relevant legal framework to implement.

The FBI recommends that any company victimized by a CEO email scam act quickly.

Regardless of where you are, you should contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent.

Then, report it to your country’s cybercrime authorities.

If you’re in the US, contact the FBI and file a complaint, regardless of dollar loss, with the Internet Crime Center (IC3).

In the UK, use Action Fraud. In Australia, you can report cybercrime to the Australian Cybercrime Online Reporting Network, or ACORN.

Oh, and consider getting your top executives to use two-factor authentication (2FA) for their email accounts, to make it harder for crooks to dig into their email traffic remotely, or to send emails right from their account.

Your execs will find that it takes very slightly longer to login when they’re on the road, and we all know that time is money…

…but, then, unexpected money transfers of $3m are money, too.