
How Barbie-doll maker Mattel clawed back $3m from cyberthieves

Crooks spirited the money away to China with the "CEO email" scam. A little luck and an exec on the ground in China helped them get it back.

Barbie may well be a pinch-waisted physiological phantasy, but her maker, Los Angeles-based toymaker Mattel, is anything but.

In fact, we’ve just learned that swindlers managed to squeeze $3 million out of the company last year by using the increasingly common “CEO email” scam.

The Associated Press revealed the scam in a report investigating money laundering and other financial crime in Wenzhou, China.

Back on 30 April 2015, according to the AP, a finance executive got a note from the newly installed CEO, Christopher Sinclair, requesting a new vendor payment to China.

At least, she thought it was from the CEO, and she didn’t see anything wrong with the request.

Protocol required that fund transfers be approved by two high-ranking managers: she was one, and the CEO, who’d just started that same month in a time of tumult for the Los Angeles company, was another.

So the financial executive went ahead and wired over $3 million to the Bank of Wenzhou, in China.

Hours later, she mentioned the transfer to Sinclair.

His response: What transfer?!

The company called the police, its US bank, and the FBI.

The bureau’s response: Tough luck! The money’s already in China.

What happened?

The AP spoke to an anonymous source close to the investigation, but no details on the phony email were forthcoming.

We do, however, know of similar cases, because this is a common type of scam.

These fake CEO email scams, or business email compromises in the terminology of the FBI, are costing companies big-time: over $1.2 billion has been lost on a global scale between October 2013 and August 2015, the bureau reported last August.

The FBI described another case that sounds like a carbon copy of Mattel’s ordeal, minus what turned out to be a happy ending for the toymaker.

In this case, a US company’s accountant received an email that looked like it came from her CEO, who was out of the country.

The email instructed her to wire $737,000 to a bank in China, to complete an acquisition. It was time-sensitive, of course, and had to be completed by day’s end.

Besides the “CEO’s” email, the accountant received another email, supposedly from the company’s lawyer. It contained the appropriate letter of authorization, including her CEO’s signature over the company’s seal.

The fraud was uncovered when she spoke to her boss the next day. Only then did she realize that the first e-mail she received from the CEO was missing one letter: instead of .com, the email address read .co.

This was no Nigerian prince fraud. No grammar or spelling mistakes, nothing blatant to raise red flags.
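The one-letter domain trick in the FBI case above is something a mail gateway or a finance team's inbox rule can flag before a wire goes out. The check below is an added example, not code from the article, from Mattel or from the FBI; the trusted domain example.com and the From: headers it triages are constructed.

```python
"""Flag sender domains that are near-misses of a trusted domain
(example.com vs example.co), the pattern from the FBI case above.
Added example with constructed data; not from the article."""


def edit_distance(a, b):
    """Levenshtein distance: insert, delete or substitute cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from):
    """Domain part of a From: header such as 'Chris <chris@example.co>'."""
    addr = header_from.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rpartition("@")[2].lower()


def lookalike_verdict(header_from, trusted, max_dist=1):
    """'trusted', 'lookalike-of:<domain>' or 'external' for one From: header."""
    dom = sender_domain(header_from)
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # Distance 1 covers a dropped, added or swapped character (.com -> .co,
        # examp1e); the other two tests catch the same name under another TLD
        # and the trusted name buried as a leading label of a foreign domain.
        if (edit_distance(dom, t) <= max_dist
                or dom.split(".")[0] == t.split(".")[0]
                or dom.startswith(t + ".")):
            return "lookalike-of:" + t
    return "external"


SAMPLE_HEADERS = {  # constructed From: headers, not taken from the article
    "genuine": "Chris Example <c.example@example.com>",
    "dropped": "Chris Example <c.example@example.co>",   # the FBI case pattern
    "swapped": "Chris Example <c.example@examp1e.com>",
    "nested":  "Chris Example <c.example@example.com.mail-relay.net>",
    "vendor":  "Accounts <ar@vendor-corp.net>",
}


def triage(headers=SAMPLE_HEADERS, trusted=frozenset({"example.com"})):
    """Run the lookalike check over a batch of From: headers."""
    return {name: lookalike_verdict(h, trusted) for name, h in headers.items()}
```

A "lookalike-of" verdict on a payment instruction is the cue to pick up the phone, which is what the accountant in the FBI case did a day too late.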

The AP’s source said that the scammers who took on Mattel had likewise done their homework, “mining social media and likely hacking corporate emails to penetrate Mattel’s corporate hierarchy and payment patterns.”

The (all too rare) happy ending

Law enforcement and its US bank told Mattel that it was out of luck, but they were wrong. The company did, in fact, get very lucky.

As it turned out, Friday, 1 May, was Labor Day in China: a bank holiday.

According to a letter from Mattel thanking Chinese authorities, the company notified Chinese police, who launched an investigation.

Come Monday morning, a company executive for Mattel was at the bank’s door, ready to pop into the bank as soon as it opened.

From the AP, based on the accounts of two anonymous people familiar with the investigation:

When the Bank of Wenzhou opened the following Monday, a China-based anti-fraud executive from Mattel strode past the sculpted lions that flank the entrance to the bank’s headquarters, marched upstairs to the International Business Department and presented a letter from the FBI.

Chinese police froze the account that same morning. Mattel got its money back two days later, on 6 May.

The fraudsters haven’t been found, and the investigation is ongoing.

But a lesson was learned as far as working with Chinese law enforcement, the AP reports.

The AP quoted Huang Feng, Director of the Institute for International Criminal Law at Beijing Normal University, who said that Mattel did the right thing by asking Chinese authorities to use Chinese law to help it claw back its money.

If we need help getting corrupt officials or bribes back, we need to offer assistance when other countries need it too. The problem is not that the Chinese authorities have been uncooperative, it’s that we don’t have a relevant legal framework to implement.

The FBI recommends that any company victimized by a CEO email scam act quickly.

Regardless of where you are, you should contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent.

Then, report it to your country’s cybercrime authorities.

If you’re in the US, contact the FBI and file a complaint, regardless of dollar loss, with the Internet Crime Center (IC3).

In the UK, use Action Fraud. In Australia, you can report cybercrime to the Australian Cybercrime Online Reporting Network, or ACORN.

Oh, and consider getting your top executives to use two-factor authentication (2FA) for their email accounts, to make it harder for crooks to dig into their email traffic remotely, or to send emails right from their account.

Your execs will find that it takes very slightly longer to login when they’re on the road, and we all know that time is money…

…but, then, unexpected money transfers of $3m are money, too.



4 Comments

sounds like they should be using 2FA or even voice contact to validate if these transfer requests are valid… certainly nothing clickable in the emails and that should be corporate policy… type the requester’s email address in to the TO: field or call them on their cell phone (everyone has one right??) and verify if it is a valid transfer request before doing the deed… and time sensitive transfers? there should already be confirmed notifications about them before they land on someone’s desk for action… again, pick up the phone…

Nice blog Lisa. Thanks for the concise info, thanks for the useful links! TFA for execs is a must these days. I always advise a verbal authentication protocol that doesn’t exist in any textual form as well. Don’t be a lazy exec!

I was recently scammed on a much smaller scale by someone claiming to be a Mattel distributor. I had googled Barbie Dreamhouse looking for a secondhand toy for my granddaughters. I found a huge ad for Dreamhouse for 49.98.
I ordered one and paid 58.00 to the website. It was the bait and switch scam. They sent me a small plastic set similar to a play Lego set. It fit in my mailbox, it was that small. I was brokenhearted.
It arrived a couple days before Christmas so I had no gift for my girls. And no money to buy any as I survive solely off SSDI. I have sent them email to no avail.
In their ad they show and describe the Mattel Dreamhouse plus claim to be a distributor for Mattel. The emails I got back were from ausiia. They told me to keep the toy and they would give me a 15% discount. I still can’t believe a corporation as big as Mattel lets somebody use their name and picture to defraud people.

Unfortunately, Mattel can’t proactively stop other people using their name or images online, any more than (say) Madeup Corporation can stop you saying the words “I work for Madeup Corporation” out loud to other people, or putting up a sign claiming that your house is Madeup Corporation’s official global HQ.

Mattel can try to find people who try to misuse their name, and send them (or their service provider) a takedown notice or a legal threat, but making fake claims in the first place is even easier online than it ever has been in regular life.

Have you tried disputing the charge with your credit card company? If you can show that the product was clearly misrepresented by the seller as the “real thing”, not merely as something “vaguely like it but much cheaper and smaller”, you may be able to get a refund.
