Phishing Attackshigh

FACC CEO Fraud: Austrian Aerospace Supplier Loses €50 Million to Fake M&A

Austrian aerospace parts maker FACC lost €50 million when an employee was deceived by emails purporting to be from the CEO requesting a secret transfer for an acquisition — a textbook BEC attack with catastrophic results.

FACC AG (Aerospace)·2016·2 min read

Background

FACC (Fischer Advanced Composite Components) manufactures aerospace components for Airbus and Boeing with revenues of €660 million. The company handles significant international wire transfers as part of normal operations. Like many mid-size European manufacturers, FACC had not invested heavily in anti-BEC controls.

The Attack

An employee in FACC's finance department received emails that appeared to come from CEO Walter Stepan requesting an urgent, confidential transfer of €50 million to a foreign bank account as part of an acquisition project. The emails were sophisticated and referenced plausible business context. No phone verification was performed before the transfer was executed. The money was sent to accounts in Slovakia and then moved rapidly to Asia.

Response

FACC discovered the fraud within days. The company pursued legal action to recover the funds, ultimately recovering €10.9 million. FACC's board fired both the CEO and CFO, arguing they had failed to implement adequate financial controls. The employees who executed the transfers were not found personally liable.

Outcome

The €50 million loss represented approximately 7.6% of FACC's annual revenue. The firing of the CEO and CFO — who were not directly involved in the transfer — established a precedent that executives are accountable for the absence of controls that enable BEC fraud.

Key Takeaways

  1. Executive accountability for BEC losses creates incentive to implement controls before an attack, not after
  2. Wire transfers above material thresholds must require two-person authorisation and phone verification
  3. BEC attackers study press releases and annual reports to craft contextually plausible requests
  4. The absence of a secondary verification step is itself a governance failure for which executives can be dismissed
BECCEO fraudwire transferaerospacefinance controls

More in Phishing Attacks

2015critical

Anthem Health: 78 Million Patient Records and a Single Phishing Email

2 min readPhishing Attacks
2022high

Okta Breach: The Identity Provider That Protects Everyone Gets Compromised

2 min readPhishing Attacks
2010critical

Operation Aurora: China's Spear-Phish Against Google and 34 Companies

2 min readPhishing Attacks