Spearfishing, heard of it? It’s a newer cybercrime that’s hitting America. Check out how one company responded.

1. Spearfishing attack costs
company $400K
THE CHALLENGES
When your boss — the CFO — is out of the office
and sends you an email to wire $100K to a bank
(not an uncommon occurrence in your range of
duties), you usually don’t second-guess the message’s
authenticity. If you did that for every request, you
wouldn’t get any work done. However, for our client,
a $450 million commercial construction company, this
message was a fraud — an example of “spearfishing.”
And the ruse worked.
The controller, who received the message, followed
the orders and initiated the wire transfer after getting
the required secondary approval from a co-worker,
who also didn’t suspect anything. No one thought
further about the matter and some days later another
request came in, this time for $300K to an offshore
bank. Only after this transaction was completed did
the controller suspect foul play.
This was the first occurrence of cybercrime that our client experienced and they weren’t
equipped to handle it. They had no incident response policy in place, and this event
uncovered their internal control deficiencies.
Case study
Sector
Commercial construction
Client challenge
Cybersecurity breach
Services provided
Investigation, cybersecurity
consultation
$100K
$300K

2. Case study: Spearfishing attack costs company $400K
“Grant Thornton” refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a
worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not
provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or
omissions. Please visit grantthornton.com for details.
© 2015 Grant Thornton LLP | All rights reserved | U.S. member firm of Grant Thornton International Ltd
Connect with us
grantthornton.com
@grantthorntonus
linkd.in/grantthorntonus
Skip Westfall
Managing Director, Forensic
and Valuation Services
Cybersecurity Services Co-Leader
T +1 832 476 5000
E skip.westfall@us.gt.com
Have a similar challenge?
Contact:
WHAT THE TEAM DID
Grant Thornton LLP was brought in to investigate
the incident and use its experience with forensic
technology, cybersecurity and incident response to
help the client through this difficult process.
First, the team investigated the crime to determine
(if possible) where the email originated, if it was
external and if internal people were involved. We
interviewed the controller and the secondary approver
and determined that the breach was externally driven,
most likely a social engineering ploy. The perpetrator
was familiar enough with names and titles of people at
the company to create an authentic-looking email.
Next, we examined the laptops and systems, since
the email contained a PDF attachment infected with
malware — probably ransomware, which holds
data hostage for money. After conducting a forensic
image of the client’s mail server and several laptops,
we detected that the malware wasn’t activated. We
performed email traffic analysis and determined that
no one else in the company received similar messages.
After getting the infected laptop cleaned and back
online, we conducted a security assessment and
provided recommendations on improving processes
and putting an incident response plan into place.
OUTCOMES
This was the first occurrence of cybercrime that
our client experienced and they weren’t equipped
to handle it. They had no incident response policy
in place, and this event uncovered their internal
control deficiencies. Their eyes were opened to how
unprepared they were.
Although their insurance made them whole fiscally,
the company was still exposed. The risk assessment
revealed their need for increased cybersecurity, among
other changes. The business leaders are now looking
to making improvements, such as:
• Implementing detection software and making
overall technology enhancements
• Conducting detection training; training employees
how to spot a fraudulent message
• Tightening up internal controls
• Creating an incident response plan and incident
response team
Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues
discussed, consult a Grant Thornton LLP client service partner or another qualified professional.