Crook breaks into AI biz, points $250K wire payment at their own account
Fastidious attacker then tidied up email trail behind them
A Maryland AI company has confirmed to the Securities and Exchange Commission (SEC) that it lost $250,000 to a misdirected wire payment.
In what appears to be a business email compromise (BEC) scheme, iLearningEngines said an unidentified cybercriminal broke into its systems and rerouted a $250,000 wire payment before deleting "a number of" emails and scramming.
"When it learned of the incident, which has been contained, [iLearningEngines] activated its cybersecurity response plan and launched an internal investigation," the disclosure reads.
iLearningEngines provides e-learning automation platforms for educational institutions.
"The company engaged a nationally recognized forensic firm and other external advisors to assess and remediate the unauthorized activity. The company's ongoing investigation and response include continued assessment of impacted systems and data."
It also said the payment wasn't recovered, nor did it suggest it was in the process of trying to recover it.
BEC is big business. According to the FBI, more than 21,000 complaints were made in 2023 regarding this type of fraud, eclipsing the mere 2,825 for ransomware. The latter is likely influenced by organizations not reporting their incidents, however.
The adjusted losses from BEC schemes in the US last year totaled more than $2.9 billion, the feds said.
The wording used in iLearningEngines' disclosure makes for interesting reading. It said: "A threat actor illegally accessed the company's environment and certain files on its network," which suggests there was a technical intrusion – one that isn't necessarily a requirement for successful BEC fraud.
BEC scams usually target staff in the finance or accounting departments of a business with phishing emails, since they're the ones who have the authority to execute wire transfers.
Crooks don't necessarily need access to a genuine company email account to convince the victim to make that transfer. In fact, it's more common for attackers to spoof email addresses, for example by using a domain that differs subtly from the legitimate one, than it is to use a genuine company email account post-breach.
Of course, using a genuine account will vastly improve the chances of success. Organizations with robust email security measures will be able to filter out many spoofed email attempts, flag suspicious messages or senders, and alert the user if the sender's domain is not what it appears to be.
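The sender-domain check described above can be sketched as follows. This is an added example, not code from iLearningEngines or any mail product; the trusted domain, the confusables table and the sample headers are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: the organisation's own sending domains (placeholder value).
TRUSTED_DOMAINS = {"example-corp.test"}

# Constructed, deliberately small confusables table: digits and a few
# Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i",
})

def skeleton(domain):
    """Fold a domain to the form a hurried reader would perceive."""
    folded = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike', 'external' or 'unparseable'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"  # a genuinely compromised mailbox also lands here
    for good in trusted:
        # Distance 0 after folding means a homoglyph swap; 1-2 means a typo-style variant.
        if edit_distance(skeleton(domain), skeleton(good)) <= max_distance:
            return "lookalike"
    return "external"

# Constructed sample From headers, not taken from the incident.
SAMPLES = ["Finance <ap@example-corp.test>", "Finance <ap@examp1e-corp.test>",
           "CFO <cfo@exarnple-corp.test>", "Billing <billing@vendor.test>"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

A message sent from a genuinely compromised mailbox classifies as "trusted", which is why domain checks alone do not stop the post-breach variant.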
As for recovering the funds, it's not impossible but is a challenging task reliant on fast action.
The first port of call should be to contact the organization's bank directly and follow their advice. Then follow the advice from the outside security experts that were drafted in, as they were in iLearningEngines' case, and then fall back on cyber insurance, assuming the victim's policy covers BEC fraud.
Financial and legal uncertainty
Investors were also warned that the stolen $250,000 may not be the last of the costs incurred by the incident, but it isn't expected to have a material impact on iLearningEngines' year-end results.
"Based on the information available to date, the company believes that the cybersecurity incident will have a material impact on its operations during the quarter ended December 31, 2024 but does not expect the incident to have a material impact on full-year 2024 results," the disclosure reads.
"The company remains subject to various risks due to the incident, including diversion of management's attention, potential litigation, changes in customer or investor behavior, and regulatory scrutiny."
As iLearningEngines alluded to in its SEC disclosure, it hasn't ruled out the possibility of legal and regulatory attention to the incident.
If that were to come to pass, it would only add to the list of similar issues it's already facing, such as several putative class-action lawsuits being built by lawyers alleging the company misreported revenues. The litigation is focused on allegations made in an August report about the company from short-seller-focused US investment house Hindenburg Research. The company denies the claims and points to "extensive third-party audits and reviews by leading financial institutions."
iLearningEngines, which recently appointed a fresh set of execs, also announced a delay in the release of its third-quarter 2024 financial results yesterday. It reiterated that it had formed a "Special Committee of the Board of the Directors" to conduct an independent investigation into assertions made in what it described as a "recent short seller report."
The company's stock price tumbled by 53 percent following the allegations and has not yet recovered.
Harish Chidambaran, CEO at iLearningEngines, published a lengthy response to the allegations, rebutting each of Hindenburg's major claims.
The lawyers organizing the class-action suits gave shareholders a deadline of December 6 to register their interest in joining the litigation against the company. ®