In 2021, the Central Netherlands court made a striking decision. Bol.com and Brabantia came into conflict after a hacker pretended to be an employee of Brabantia. The criminal made a request to change the account number that Bol.com used to transfer the money from sold products. Bol.com accepted this request and changed the account number. In the period that followed, €750,000 was transferred to the criminal.
"Please note that as of today we have a change in our bank account details for incoming payments. From now on, all incoming payments must have been transferred to our branch account in Spain. We would appreciate if you could update your details."
The judge ruled that Bol.com lacked healthy suspicion, because the email was drafted in poor Dutch and the request to change the Dutch account number to a Spanish one was not logical for a company established in the Netherlands.
These kinds of issues are more common in the digital domain. It is not always clear who bears the costs that follow a cyber attack or fraudulent action. In this case, a Brabantia employee's account was hacked, causing the email to come from a legitimate email address. According to the court, the fact that Brabantia did not have its digital security in order, as a result of which Bol.com had received the request from a trusted email address, was not sufficient to shift liability.
How do you prevent this?
A cyber attack involves a lot of damage. Aside from research costs, ransoms and the cost of shutting down your business, the media attention and additional reputational damage can cost an SME. It is even more sour if you also end up in a liability conflict with, for example, your IT supplier. Shouldn't he have protected you from that ransomware attack? And do you actually know whether your IT supplier is properly secured?
The above case could have been prevented by having the basic security measures in place. For example, Brabantia should have enforced two-step verification on its employees, so that the hacker could not have gained access to the employee's account. At the same time, Bol.com could have made employees aware of cybercrime and what to pay attention to in such cases with training.
- Enforce two-step verification on every application, tooling or website used in the company
- Train your employees regularly on recognising phishing emails and fraudulent requests
- Make agreements with your IT suppliers about what they offer in the field of security, where the responsibilities lie and how action is taken in the event of an incident
- Take out cyber insurance that protects your company against the high costs of a cyber attack
With an all-in-one package from Eye you protect your company against cyber attacks. We monitor your systems and cloud environments for suspicious traffic, train your employees with phishing simulations and advise you several times a year. Read more about affordably securing your business here or request a free consultation right away.
Sustainability. Growth. Digitalisation. These are the words everyone’s using about the logistics landscape of 2023. But what do they mean for individual businesses – and for security?
Multi-Factor Authentication (MFA) is not sufficient. Various attacks, such as EvilProxy, can bypass MFA. Here, we discuss how you can defend yourself.
Software and operating systems are constantly evolving. Those that are no longer maintained - such as Window Server - may be hiding unmitigated security vulnerabilities within your business. Proactively assessing your infrastructure strengthens your security posture and your resilience against cyber threats.
Vishing attacks (voice phishing attacks) are getting more sophisticated. In this article, we cover the details of a real vishing attack that we prevented. Includes digital forensics, incident response, mitigation and prevention measures and IoC lists.