A finance executive fell victim to a phishing scam that saw the Los Angeles-based maker of children’s toys wire a cool $3 million to Chinese hackers.
Expertly timed during a period of corporate change, the email hit the inbox of the unnamed executive and requested a new vendor payment in the amount of $3 million to a vendor in China. Mattel, of late, has been in a period of change as new CEO Christopher Sinclair had only officially taken over after Mattel had fired his predecessor — a move that aided the con artists.
New York, meet the world’s tech scene
5,000 Tech leaders are coming to NYC this November to learn and do business. This is your chance to join them.
The phishing email was unremarkable and came directly from Sinclair, or so the executive thought. She was wrong.
Mattel protocol requires that fund transfers be approved by two high-ranking managers, she was one, and Sinclair — who she believed requested the funds — was another. Satisfied that she’d complied with protocol, the executive wired over $3 million to the Bank of Wenzhou, in China.
It wasn’t until hours later she mentioned the payment to Sinclair before figuring out that something was amiss. Mattel executives then tried to stop the transfer but the bank informed them that it had already made its way to China.
The chances of Mattel getting the money back were slim, bordering on none due to China’s emergence as a global hub for money laundering. Luckily for Mattel, slim isn’t none.
The transfer took place on a Friday, which happened to be a bank holliday. This bought the company time — the money couldn’t be retrieved until the bank opened the following Monday. Mattel used the time wisely and, with cooperation from Chinese authorities, were able to reclaim the wired cash.
After a hard lesson learned, maybe companies will take a little time to educate their employees on the dangers of phishing. But, it’s far more likely that they’ll continue to ignore the problem and hope it goes away.
Mattel got lucky, phishing scams don’t usually have a happy ending.