You might want to wash down this kind of bad news with a cold one.
Ontario-based Waterloo Brewing says it has lost $2.1 million in a social engineering cyberattack.
The attack occurred earlier this month and involved fraudulent wire transfer requests, a typical modus operandi in Business Email Compromise (BEC) cases.
CBC News covered the loss:
"The Ontario brewery says the incident occurred in early November and involved the impersonation of a creditor employee and fraudulent wire transfer requests."
This type of social engineering and impersonation of parties you trust is very common in BEC attacks.
It's the reason a Catholic church sent $1.7 million to hackers: it thought the money was going to a contractor.
"Waterloo Brewing says it initiated an analysis of all other transaction activity across all of its bank accounts, as well as a review of its internal systems and controls that included its computer networks, after becoming aware of the incident this week."
The brewery believes its systems are secure, which means the creditor's account was possibly compromised and cybercriminals read transaction details there.
This is how BEC typically works: one organization gets hacked and cybercriminals then learn things that only trusted parties would know, making it easier to impersonate a legitimate person or organization and fool the hacker's target into transferring funds.
Business Email Compromise: billions in losses
Global BEC losses have topped $26 billion in the last six years. It takes an enterprise-style operation to conduct fraud on this scale.
"They're very successful. They're very good at what they do. And they run just like an actual business. They have CEOs, they have financial officers, they have bankers," Chris McMahon told SecureWorld.
McMahon is a key investigator of BEC crime for the U.S. Secret Service. Listen to our in-depth interview with him in The SecureWorld Sessions podcast.
How to mitigate BEC risk
Here is a key ounce of prevention for Business Email Compromise attacks, according to McMahon:
"Look at email forwarding rules. We just investigated a case, a local government case, and they were infiltrated and there were 136 email forwarding rules on one person's email.
The old thought of, 'hey, change my password, you know, then nobody can get in,' won't change it. You can change your password all day long, but if those email forwarding rules are there, then those emails are still getting sent to the bad guy."
And if the emails are still going to the bad guy, then they know exactly what to say to trick an employee into falling for a BEC scam.
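One way to run the forwarding-rule review McMahon describes is shown below. It is an added example, not code from the article or from the Secret Service. It assumes inbox rules have been exported to JSON with fields modeled on Exchange's `Get-InboxRule` output; the sample rules, mailbox names and domains are constructed.

```python
import re

# Constructed sample: inbox rules as they might look after exporting
# Get-InboxRule output to JSON (the exact export shape is an assumption).
RULES = [
    {"Mailbox": "ap.clerk@brewery.example", "Name": "Team copy", "Enabled": True,
     "ForwardTo": ['"AP Team" [SMTP:ap-team@brewery.example]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "ap.clerk@brewery.example", "Name": ".", "Enabled": True,
     "ForwardTo": [], "RedirectTo": ['"x" [SMTP:inbox4821@mailbox.example.net]'],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Mailbox": "cfo@brewery.example", "Name": "invoices", "Enabled": False,
     "ForwardTo": ['"b" [SMTP:Billing@Partner.example.org]'],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

INTERNAL_DOMAINS = {"brewery.example"}  # hypothetical: the domains you own
FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
SMTP_RE = re.compile(r"SMTP:([^\]\s]+@[^\]\s]+)", re.IGNORECASE)

def external_targets(rule, internal=INTERNAL_DOMAINS):
    """Return the rule's forwarding addresses that sit outside our domains."""
    targets = set()
    for field in FORWARD_FIELDS:
        for entry in rule.get(field) or []:
            for addr in SMTP_RE.findall(entry):
                if addr.rsplit("@", 1)[1].lower() not in internal:
                    targets.add(addr.lower())
    return sorted(targets)

def audit(rules, internal=INTERNAL_DOMAINS):
    """List every rule that sends mail outside the organization."""
    findings = []
    for rule in rules:
        targets = external_targets(rule, internal)
        if not targets:
            continue
        findings.append({
            "mailbox": rule["Mailbox"], "rule": rule["Name"], "targets": targets,
            "enabled": bool(rule.get("Enabled")),
            "deletes_original": bool(rule.get("DeleteMessage")),
        })
    # Active rules first; within those, ones that also delete the original.
    findings.sort(key=lambda f: (not f["enabled"], not f["deletes_original"]))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```

Disabled rules are reported too, since they survive a password change just as enabled ones do and can be switched back on.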