Travel Company Hit in £1.5 million Cyber Fraud

44

We lost £1.5m in phishing fraud – you could too’
ATD Travel Services chief Oliver Brendon warned delegates not to be complacent as he revealed how the firm lost £1.5 million in a ‘phishing’ fraud in 2015.
Brendon told the Travel Weekly Cyber Security Summit in London: “We were totally focused on sales, not thinking about risk. We’re quite risk-averse now.”
The company, which operates attraction ticket brands including Attractions Tickets Direct and Do Something Different was the victim of a sophisticated phishing attack by a criminal gang.
Phishing attacks aim to obtain the information to facilitate a fraud, often through fake emails.
Brendon said: “Phishing scams are surprisingly common.” He was on leave when he received an email supposedly from a company he had invested in.
By the time he realised it was fake and had changed his passwords it was too late. His email was compromised, along with his mobile which was synched with his laptop, and a virus had shut down the phone.
He said: “The fraudsters were filtering my email. They knew I had no phone and where I was.”
While he was out of contact, the firm’s finance director was sent mocked-up invoices “with reassuring messages as if from me” urging payments to accounts in Dubai and Malaysia. Over five days, more than £1.8 million in payments were made to the fraudulent accounts.
Brendon said: “You may ask why our bank allowed these payments, but they did. We lost almost all our balance sheet.
“I called the City of London Police and wrote to the police commissioner. The police sought cooperation in Dubai and Malaysia. I even wrote to the home secretary.
“We hired expensive lawyers who said we could get a court order in Dubai but the money would be gone. So we gave up.”
The company did recover some of the payments. But Brendon said: “I realised that apportioning blame would not get the money back. The problem was we focused solely on sales and not on risk. We had got complacent.
“Now we have very strict security in payment processes, more monitoring and good insurance.”
Brendon told the summit: “I know you’re thinking ‘this could never happen to me, but it can.”