Where is my $6M?

July 31, 2017


As a corporation’s accountants reconciled their weekly balance sheets, something was very off.  Over $6M was missing from accounts receivable.  The accountants called accounts receivable to ask if they had received several specific payments.  AR had not.  At this point the billing department called customers to ask why they had not paid their bills.  Each customer said the same thing: they had received an email from the corporation’s head of finance telling them to deposit all payments in a new bank account going forward.  Billing contacted IT.  The IT department contacted Check Point’s Incident Response Team to investigate. As the investigation unfolded, the following story emerged:

The head of finance had a craving for coffee.  While he was drinking his coffee at the local coffee shop, he had an emergency which caused him to open his computer and connect it to the coffee shop’s Wi-Fi.  He didn’t know that the Wi-Fi was doing a man-in-the-middle attack against him.  The attacker redirected him to a hostile website, where the attacker stole the executive’s credentials.

The attacker used these credentials to log into Office 365 and searched for emails. Jackpot. The attacker found the corporation’s master customer spreadsheet.  The attacker then logged back into Office 365 and created an email to all the customers on the spreadsheet, asking them to submit payments to a new account, which just happened to be overseas.  The customers deposited their payments to this new account.  In less than 14 days $6M was “redirected”.

Lessons Learned

Don’t connect to Wi-Fi without a virtual private network (VPN) which protects traffic from unauthorized exposure.  Don’t connect to unknown Wi-Fi hot spots.  Be sure your mobile devices and laptop computers use best practices for cyber security.


