Fraudsters running business email compromise scams were able to swindle Norfund, Norway’s state investment fund, out of $10 million.

The attackers took their time before pulling the trigger and took steps to ensure that the theft would be discovered only long after they had the money.

The scammers got access to the email system, which allowed them to monitor communication between Norfund employees and their partners. This also allowed them to figure out who was responsible for money transfers.

According to Norfund CEO Tellef Thorleifsson, the scammers spent several months in the system, learning the ropes and carefully preparing the robbery.

The scammers created a Norfund email address to impersonate an individual authorized to wire large sums of money through DNB, the bank Norfund uses for these operations.

They falsified the payment information to divert the transfer to their account in a different country than that of the legitimate recipient. It is not uncommon for a parent company to have subsidiaries in other regions of the world.

“The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified” – Norfund

A microfinance institution in Cambodia was supposed to receive a loan of $10 million but the money was sent to an account in Mexico, controlled by the fraudsters.

A fraudulent wire transfer can be blocked if it is detected in time, but Norfund had no chance of doing so, or of recovering at least some of the money, because the attackers took steps to delay the discovery of the illegal transfer.

The robbery occurred on March 16 but it came to light more than a month later, on April 30, when the attackers tried their luck once more. However, this attempt was detected internally and stopped.

The delay was caused by an email the attackers sent to the Cambodian beneficiary, saying that coronavirus circumstances in Norway would cause a delay in transferring the funds.

In an announcement on Wednesday, Norfund said that the scam was the result of “an advanced data breach.”

“It was wonderfully done,” the CEO said at a press conference on Wednesday, Aftenposten reports.

“This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this” – Tellef Thorleifsson

A private equity company, Norfund is owned by the Norwegian Ministry of Foreign Affairs. It was established by the Parliament in 1997 to support economic growth in countries struggling with poverty.

Norfund gets its investment capital from the state budget and invests it in companies or through local investment funds in countries in Central America, South-East Asia, or Sub-Saharan Africa.

From:  bleepingcomputer.com