How U.K. Racing Team McLaren Almost Got Phished


On a Grand Prix race weekend, McLaren’s CEO received an email requesting payment with a click-through link. But the supplier wasn’t real, nor was the link

Zak Brown, chief executive of U.K.-based Formula One racing team McLaren Racing Ltd., received a suspicious email on a weekend in late October as the Emilia Romagna Grand Prix race was about to be held in Imola, Italy.

At first glance, the email was routine. A supplier had sent a payment request, and all it needed was Mr. Brown’s approval and some financial information. To get things moving, it instructed him to click a link that appeared as though it would take him to the website of DocuSign Inc., a widely used document-approval company.

There was just one problem: The supplier wasn’t real, nor was the link.

A few days later, Karen McElhatton, McLaren’s chief information officer, found out about the email and told Mr. Brown, who had missed it while juggling work demands on a busy weekend leading up to the Nov. 1 race. While phishing attempts are a relatively common form of cyberattack, this one stood out for the quality of the fake email, and its timing.

Ms. McElhatton said it wouldn’t be unusual for Mr. Brown to receive emails asking him to authorize something around the time of a race.

“There’s no way Zak, on a race weekend where he’s really incredibly busy, would be able to spend enough time looking at that particular email and determine it wasn’t something [legitimate],” she said.

Although Mr. Brown missed the email, McLaren’s cybersecurity tools flagged it, and applied a digital lock to the message, preventing him from opening what turned out to be a phishing lure.

“Attacks are getting more and more sophisticated these days, and then when you’re a high-profile organization or high-profile individual, you also know you’re more of a target,” Mr. Brown said.

Cyberattacks such as phishing emails targeting chief executive officers and attempts to steal their login credentials are common, said Alan Brill, senior managing director at Kroll’s cyber risk practice, a unit of consulting firm Duff & Phelps LLC. Attackers often strike at off-hours, on a holiday or weekend, when employees may be distracted.


[Photo: Zak Brown, chief of McLaren Racing, at a race this month in Abu Dhabi. Credit: XPB/ZUMA Press]

“They are hoping that things that really should be common sense aren’t that common, that people will make a mistake and that that mistake either will directly get them money or cause the loading of malware,” Mr. Brill said.

Hackers commonly spoof CEO emails to get payments from employees, a scam known as business email compromise. Victims of these scams reported more than $26 billion in U.S. and international losses to the Federal Bureau of Investigation between 2016 and 2019.

Police arrested one Nigerian scammer who had the details of more than 10,000 CEOs and corporate accountants on his computer, international police agency Interpol said in a report published last year.

Prior experiences had put Mr. Brown on alert about cybercrime. At another company where he had worked, an employee received a fraudulent payment request and transferred $50,000 to a bank account in Brazil, sidestepping a required internal authorization process, Mr. Brown said.

Mr. Brown, a former racer, is sensitive to intrusions of any kind. He remembered an incident that targeted McLaren in 1998, years before he joined the organization, when a person took control of a stadium announcement system. The individual gave fake instructions to McLaren driver Mika Häkkinen to go to the pit during a race, according to Mr. Brown. McLaren won, but the experience showed him that scammers will try to manipulate sports results, he said.

“One incident can have a huge knock-on effect, certainly on the race, on the championship and it can mean tens of millions,” Mr. Brown said.

McLaren uses technology from cybersecurity firm Darktrace Ltd., which employs artificial intelligence to analyze how data normally flows within a company by looking at emails, cloud applications and other systems, and detects abnormal activity. The tool doesn’t immediately focus on any particular job function, but it can recognize whether certain people in a company are more exposed to cyber threats than others, said Mike Beck, Darktrace’s chief information security officer.

“The executives are far and away the ones that are heavily targeted… if you can access their mailbox, you can start to act as an authority within that company,” Mr. Beck said. The fraudulent email to Mr. Brown looked “incredibly real,” he added.

The AI security tool has been especially helpful during this year’s race season, when McLaren employees frequently travel to different locations, Ms. McElhatton said. It would be difficult for the company’s cybersecurity team to assess normal data flows and employee behavior without AI, she added.

For Mr. Brown, the attempted cyberattack was a reminder to stay alert. It was also a useful message to McLaren’s employees. “What did change was making sure that the entire organization has a high level of awareness and discipline,” he said.

Source: WSJ, by Catherine Stupp