A perfectly timed email allowed scammers to trick a high-ranking Mattel executive into sending $3 million (€2.7 million) to a bank account in Wenzhou, China.

The email, which dates back to April 30, 2015, was your regular business payment request, sent by someone posing as the company’s CEO, asking Mattel’s finance department to wire a payment.

The scam, also known as a whaling attack, CEO fraud, or BEC (Business Email Compromise), was extremely effective in this case because it came at a time when Mattel had just fired its previous CEO, Bryan Stockton, and Christopher Sinclair was taking over.

The reason the scam worked: eager financial exec trying to impress his new boss

Mattel’s financial exec, wanting to impress his new boss, quickly wired the money, following normal procedure, which said that two high-ranking officials had to approve the payment (he and the CEO).

Three hours later, after the new CEO read his email, he saw the financial exec’s payment confirmation, and the company quickly scrambled to try to get its money back from the bank. Unfortunately, enough time had passed that the payment had already gone through to the Chinese bank.

Luckily, Mattel caught a break: the next day, May 1, was a national holiday in China, when banks are closed. After that, it was the weekend. This meant that Mattel had three days to convince Chinese authorities to intervene and get its money back by the next Monday, May 4.

Mattel got its money back after a week

Chinese law enforcement helped the company, which is a rare thing these days, and on the very next Monday, local police and one of Mattel China’s execs walked into the bank right when it opened and prevented the $3 million from being siphoned off into secondary accounts. By May 6, all the money was back in Mattel’s US bank accounts.

“Email continues to be the primary way criminals infiltrate an enterprise. Successful attacks feature identity deception at their core, as we can see with Mattel. While spear phishing has been around for ages, these types of cyberattacks have evolved,” John Wilson, Field CTO at Agari, told Softpedia.

“With the prevalence of cloud infrastructure, the tools that make legitimate businesses more productive, reduce costs and make us more efficient are doing the same for the cybercriminals and enabling them to create more sophisticated and targeted attacks through social engineering,” Mr. Wilson added. “We need to change the general approach to email security and ensure that employees interact with only authentic and trustworthy messages. Only by establishing per-message authenticity can the risk of targeted email attacks be mitigated.”