Flipkart CEO's Email Spoofed, But Fraud Attempt Fails

Report: Fraudsters Tried to Trick CFO Into Transferring Funds
Fraudsters unsuccessfully attempted to steal $80,000 (U.S.) from Indian e-commerce company Flipkart through an email spoofing scheme.

The company told Bengaluru Police that the email account of CEO Binny Bansal was spoofed, and the fraudsters then sent emails instructing the company's CFO, Sanjay Baweja, to transfer money, according to the Times of India.

The fraudsters sent two spoofed emails with the same message to Baweja on March 1, and investigators discovered that the messages were sent from Hong Kong and Canada and routed via a Russian server, the newspaper reports.

A Flipkart spokesperson confirms to Information Security Media Group that the company was targeted by an attempted email spoofing attack but declines to provide further details about the incident.

"Flipkart's corporate email system leverages the highest standards of security, including, but not limited to, two-factor authentication," Flipkart's spokesperson says. The company immediately detected the email spoofing and then filed a report with the police, she added.

The Times of India reports that the attempt at fraud was discovered when the CFO's suspicions were raised by "the nature and timing" of the messages, prompting him to cross-check with the CEO. The newspaper quotes Bengaluru CID as saying the fraudsters apparently used an "advanced virus" to hack into the email account.

Vigilance, Awareness Key

The head of security at an e-commerce portal in India, who asked to remain unnamed, tells ISMG that companies are vulnerable to email spoofing if they have inadequate perimeter security, which can allow phishing emails to slip through. These messages can carry malware that can stay dormant for a long time, making them difficult to detect.

"Spoofing of your CEO's email should not have happened, as this is the first step in email security - especially in a technology-driven company like Flipkart," he says. Implications can be very severe, including, but not restricted to, having to revamp the entire security architecture.

But Vivek Chudgar, senior director for consulting, APAC, at FireEye, says there are no technical controls that can prevent spoofing.

"Some spam filters and email security can intercept weak spoofing attempts, but sophisticated attempts can bypass security technology," Chudgar says. As a result, businesses need to train all employees on how to detect and report suspicious emails, he says.

Law enforcement officials suggest that users always be suspicious of emails requesting money transfers and report them to authorities.


About the Author

Varun Haran

Principal Correspondent, ISMG

Haran has been a technology journalist in the Indian market for close to six years, specializing in information security. He has driven industry events such as the India Computer Security Conference (ICSC) and the Ground Zero Summit 2013. Prior to joining ISMG, Haran was a correspondent with TechTarget and InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.



