A tech company has made an unusual admission to its investors: A hacker posed as one of its employees online and stole $46.7 million from the company's accounts.
Networking firm Ubiquiti (UBNT) said an "outside entity" targeted its finance department by sending what appeared to be a company email.
The fake emails duped employees into turning over their usernames, passwords and account numbers. Then the hacker was able to transfer funds out of a Ubiquiti subsidiary in Hong Kong to other overseas accounts that the hacker held.
The company gave few other details about the hack in a regulatory filing last week. The story was first reported by security blog KrebsOnSecurity.
Ubiquiti said it determined that it had been a fraud victim on June 5, and it immediately called the subsidiary's bank. It was able to recover $8.1 million of the money that the hacker stole, and Ubiquiti believes it will be able to get back at least $6.8 million more.
The company said it is working with U.S. and overseas law enforcement to retrieve the remaining $31.8 million. The company's filing did not say who the perpetrator may have been.
It's frighteningly easy to pull off such a theft. Many email systems allow people to spoof email addresses, posing as someone they're not. And a quick LinkedIn search can reveal who a company's trusted finance department members are.
As security blogger Brian Krebs noted on his blog, the hacker could have easily created a dummy email address that fooled the finance department, for instance example@ubiq1ti.com or example@ubiquiti.co. Once the hacker had emailed employees, anyone hitting "reply" quickly without paying attention could have responded to the hacker's dummy email address.
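A mail-filter check for the two lookalike addresses mentioned above, as an added example that is not part of the original article: it flags From and Reply-To domains that imitate a trusted domain through a TLD swap or a near-miss spelling. The trusted domain ubiquiti.com, the confusable-character table, the edit-distance threshold of 2 and the sample message are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: characters commonly swapped in lookalike domains (illustrative, not exhaustive).
CONFUSABLES = str.maketrans({"1": "i", "l": "i", "0": "o", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, trusted):
    """Return 'trusted', 'tld-swap', 'lookalike' or 'unrelated' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain == trusted:
        return "trusted"
    # Simplification: treat the last label as the TLD (ignores suffixes such as co.uk).
    name, _, tld = domain.rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if name == t_name and tld != t_tld:
        return "tld-swap"
    if edit_distance(name.translate(CONFUSABLES), t_name.translate(CONFUSABLES)) <= 2:
        return "lookalike"
    return "unrelated"

def audit_message(raw, trusted):
    """List (header, address, verdict) for From/Reply-To domains that imitate `trusted`."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            verdict = classify_domain(addr.rpartition("@")[2], trusted)
            if verdict in ("tld-swap", "lookalike"):
                findings.append((header, addr, verdict))
    return findings

# Constructed sample message; the From and Reply-To addresses are the ones quoted in the article.
SAMPLE = ("From: Finance Director <example@ubiquiti.co>\n"
          "Reply-To: example@ubiq1ti.com\n"
          "To: accounts@ubiquiti.com\n"
          "Subject: Urgent wire transfer\n\nPlease process today.\n")

if __name__ == "__main__":
    print(audit_message(SAMPLE, "ubiquiti.com"))
```

Checking Reply-To as well as From matters here because a quick "reply" goes to the Reply-To address, which the recipient may never look at.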
The FBI said that last year, businesses lost $215 million to similar email scams.
Following an internal audit, Ubiquiti said there's no evidence that the hackers made off with any intellectual property, personal information of employees or any other financial information. The investigation also concluded that it wasn't an inside job -- the hackers were outsiders.
The audit found that Ubiquiti's hacking prevention methods were ineffective, and it has "implemented enhanced internal controls over financial reporting" since June 5.
The company said it doesn't expect the loss to be material to its business.