The $3 Million Phishing Problem at Mattel is More Common Than You Think

One of the most common types of cyber attacks that both businesses and personal users have to contend with today’s is called a “phishing” attack. In An attacker will pose as a legitimate company or other business contact in an attempt to steal valuable information from their victim. For, example, they may send a seemingly-legitimate e-mail asking for key information including passwords, financial data and more. If the victim falls for this scam (or gets “phished”) they’ve potentially exposed themselves and (in the case of businesses) their customers to harm.

If you think that all phishing attacks are easy to spot if you know what you’re looking for, think again: toy giant Mattel recently lost $3 million after their own CEO became the sudden victim of a particularly sophisticated phishing attack.

Phishing and Mattel: What Happened?

On April 30, 2015, one of Mattel’s top-level executives based out of China received an e-mail that at first glance appeared unremarkable. It was a simple request to make a $3 million wire transfer to pay a new vendor based in that region. What followed was a perfect storm of failure and vulnerability all of which left Mattel’s bank account $3 million lighter.

The phishing e-mail was impeccably timed. A new CEO had taken the company reins only during the previous month and Barbie sales numbers, particularly in areas like China were hitting lows they hadn’t seen in years. Against this background, the executive who received the e-mail was incredibly eager to please her new leader and followed Mattel’s protocol for wire transfers to the letter. Any transfer of this size required no less than two approvals both of which she received in the coming days.

Only hours later after speaking directly to the new CEO who confirmed that he did not ask for any such wire transfer did panic set in at the administrative level. Mattel immediately called not only the sending and receiving banks but also the police and the FBI. The response they got was not what one would call “good news” – all entities confirmed that the funds were gone for good.

Luckily, however, the story did not end there. Mattel did eventually get all $3 million back with the help of local and federal law enforcement but from a certain perspective the damage was already done. They were publicly embarrassed on a grand scale at a time where their reputation was wavering and confidence in their leadership was shaken to its core.

Even if you don’t work at Mattel, there are a number of valuable lessons to take with you from this situation. Not only is phishing becoming increasingly common by the day but attackers are also becoming increasingly bolder – targeting a major corporate CEO directly was practically unheard of up to this point. Mattel’s public embarrassment also makes an incredibly compelling argument about the need for security awareness training for all employees, including those in HR, accounting and even the ones at the top of the proverbial food chain.

If you’re in {city} and you’d like to find out more information about how to keep you and your data safe from phishing attacks, or if you’d like to make sure that you’re protected from the wide range of other cyber threats that we now face on a daily basis, please feel free to call {phone} or email {email} to speak to someone at {company} today.