Two C-level Executives Fired After “CEO Fraud” Phishing Email Costs Firm Over $20-Million

The CFO and Managing Director of the Dutch operations of the European movie chain, Les cinémas Gaumont Pathé (commonly referred to simply as Pathé), were recently dismissed from their jobs after a Dutch court ruled that the two could be terminated for failing to spot and properly react to “CEO Fraud” phishing attacks that cost the firm 19.2 million Euros (approximately 21.6 million Euros as of today).

Criminals successfully stole the large sum from Pathé by emailing the executives in March from an account that appeared to belong to the firm’s CEO, and repetitively tricking the two into wiring money as part of a “confidential M&A process with a foreign company in Dubai” whose deal was so sensitive that “communications can only be done using the personal email address of the CEO.”

CEO Fraud refers to scams in which criminals pretending to be a CEO or other senior executive send (spear phishing) emails to employees in which they instruct the employees to take some action such as issuing a (truly, unauthorized) wire payment or sending the criminals’ all of the organizations’ W2 forms for the year.

After the relevant scam and losses were discovered at the end of March by personnel at Pathe’s headquarters, the firm fired the executives. The CFO sued, claiming that he was unjustly dismissed as he was just following instructions that appeared to come from his boss; the lawsuit resulted in the court case, which led to the Amsterdam court ruling that while the CFO could not be fired retroactive to April, he could be dismissed as of December 1^st  for his role in not stopping the crime.

Let this incident be a warning to employees worldwide – if you cause your employer a loss by falling prey to a scam to which reasonable folks believe that you should not have succumbed, you may lose your job. Even in a place with tough laws protecting employees.