Phishing Story #2: The Mattel Million-Dollar CEO Scam

What Happened? 

In a striking example of CEO fraud, Mattel, the famous toy company, became the victim of a sophisticated phishing scam in 2015. The scam unfolded when a high-ranking finance executive received an email that appeared to be from the then-newly appointed CEO, requesting a new vendor payment to China. Believing the email to be legitimate, the executive authorized a wire transfer of $3 million.

The Impact 

The aftermath of this scam was alarming:

  • Financial Loss: Mattel initially lost $3 million to the scammers.

  • Quick Recovery: Fortunately, due to a timely realization and intervention during a banking holiday in China, Mattel was able to work with law enforcement and banking institutions to successfully recapture the funds.

  • Policy Changes: This incident led to a thorough review and strengthening of Mattel's internal controls and verification processes for financial transactions.

Lessons Learned 

The Mattel incident highlights the importance of vigilance and verification in the digital age:

  • Email Verification: Always verify the authenticity of requests for money transfers, especially when they deviate from standard procedures or involve large sums.

  • Employee Training: Regularly train employees on how to recognize phishing attempts and the importance of following internal controls.

  • Multi-Level Authentication: Implement multi-level authentication and approval processes for financial transactions to prevent unauthorized transfers.

Tips for Businesses:

  • Strengthen Internal Controls: Regularly review and update your financial transaction policies to prevent unauthorized access and transactions.

  • Regular Training and Awareness: Conduct ongoing training sessions for employees to recognize and report phishing and other types of cyber fraud.

  • Implement Verification Protocols: Establish a protocol for verifying requests for money transfers, especially when they involve significant amounts or new vendors.
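The verification and multi-level approval tips above can be enforced as a release gate in the payment workflow. The sketch below is an added example, not a control described by Mattel or this article; the threshold, vendor IDs, field names, and sample request are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values; the article gives no thresholds or vendor data.
DUAL_APPROVAL_THRESHOLD = 50_000        # at or above this, two approvers are required
KNOWN_VENDORS = {"V-1001", "V-1002"}    # constructed vendor master list


@dataclass
class WireRequest:
    requester: str                      # who the request claims to come from
    vendor_id: str
    amount: float
    channel: str                        # how the request arrived: "email", "erp", ...
    approvers: set = field(default_factory=set)
    # True only if confirmed via contact details already on file,
    # never via a number or address supplied in the request itself.
    callback_verified: bool = False


def release_blockers(req: WireRequest) -> list:
    """Return reasons the wire must not be released; an empty list allows release."""
    blockers = []
    # A requester can never approve their own request.
    independent = req.approvers - {req.requester}
    new_vendor = req.vendor_id not in KNOWN_VENDORS
    high_risk = new_vendor or req.amount >= DUAL_APPROVAL_THRESHOLD

    if not independent:
        blockers.append("no approver independent of the requester")
    elif high_risk and len(independent) < 2:
        blockers.append("high-risk transfer needs two independent approvers")
    if high_risk and not req.callback_verified:
        blockers.append("request not confirmed out of band")
    if new_vendor and req.channel == "email":
        blockers.append("new vendor introduced by email; onboard via vendor master first")
    return blockers


# Constructed request shaped like the scenario in the article: an emailed
# executive request for a large payment to a vendor not yet on file.
SAMPLE = WireRequest(requester="ceo", vendor_id="V-9999", amount=3_000_000,
                     channel="email", approvers={"finance_exec"})

if __name__ == "__main__":
    for reason in release_blockers(SAMPLE):
        print("BLOCKED:", reason)
```

The gate evaluates the properties of the request, not the seniority of the sender, so an urgent message in an executive's name gets no shortcut.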

This real-life story serves as a powerful reminder of the ever-present threat of cyber fraud and the need for constant vigilance and robust internal controls in the corporate world.