Senior Staff Writer

Chinese scammers take Mattel to the bank, Phishing them for $3 million

Mar 29, 2016 | 3 mins

Cybercrime, Security, Social Engineering

Thieves took advantage of a recent company shakeup and corporate policy regarding payments

Mattel, the popular toy maker behind Barbie and Hot Wheels, was the victim of a Phishing attack last year that nearly cost them $3 million. The only thing preventing a total loss was a mixture of timing and luck, because the day following the attack happened to be a banking holiday in China.

Details of the attack against Mattel come from a report by the Associated Press, investigating money laundering and other financial crime in Wenzhou, China.

On April 30, 2015, a finance executive got a note that appeared to come from the newly installed CEO, Christopher Sinclair, requesting a new vendor payment to China. The finance executive didn’t see anything wrong with the request, but checked protocol anyway.

Transfers required approval from two high-ranking managers; she qualified and so did the CEO. The transfer was made. In total, $3 million was wired to the Bank of Wenzhou in China. She mentioned the payment later to Sinclair, who denied making the request.

Mattel contacted law enforcement and their U.S. bank, but were told that it was too late – the money was gone. The thieves had hit Mattel at just the right time. A new CEO had just started and the company was getting ready for massive growth in China, so payments to the nation wouldn’t be out of order.

To further their scheme, according to a source who spoke to the Associated Press on the condition that they not be named, the thieves likely did some homework.

Prior to the attack, the person(s) responsible researched how the company operates regarding payments, and mined social media to learn the names of key individuals (as well as compromise corporate email) in order to make the request look as legitimate as possible.

But Mattel got lucky. May 1 was a banking holiday in China. The following Monday they were able to get assistance from local law enforcement and banking officials to freeze the account that held the stolen funds. Two days later, the money was recovered.

There have been a number of high-profile Phishing attacks against corporations over the last few years. At first, the target was wire payments, and as the Associated Press discovered, most of the money stolen in those cases was sent to Wenzhou, China.

But the latest scams target an organization’s employees, seeking W-2 records that enable tax fraud and identity theft.

In the first quarter of 2016 alone, more than three dozen organizations have been targeted by scammers Phishing for W-2 records or similar employment details, such as salary information, withholding details, and PII (Personally Identifiable Information).

“Business email fraud is the latest phishing tactic being used against companies by cyber attackers and it’s successful because it’s easy to do and it works. Despite all the awareness campaigns, people still fall for phishing attacks, especially if they impersonate someone they know,” said Oren Falkowitz, co-founder and CEO of startup Area 1 Security.

“We are only going to see social engineering targeting corporate employees grow and education won’t stop it. The industry needs to have a greater focus on taking effective action to stop these threats from reaching the end user in the first place.”