A ruling by the District Court of Amsterdam has revealed how Pathé Netherlands lost over EUR €19.2 million (USD $21.6 million) earlier this year to a professional gang of conmen. The so-called “CEO-fraud” type scam is well known by internet security experts, but ended up costing the jobs of Pathé Nederland CEO & Managing Director Dertje Meijer and CFO & Financial Director Edwin Slutter. Both Meijer and Slutter took their case to the court, arguing that they too were victims. This was after Pathé suspended them and stated that it had “lost faith” in both. Pathé argued that both executives had ignored “red flags”, but last week the court sided with Slutter, while Meijer’s case is still ongoing.
The series of events leading to a loss of close to EUR €20 million began with an email that arrived at the inbox of Pathé Nederland CEO Dertje Meijer on Thursday the 8th of March this year. The email purported to be from the CEO of Pathé France, the parent company. It asked whether Meijer had been contacted by KPMG, with Meijer passing on the inquiry to Slutter. A second email then explained the reason. “We are currently working on a financial transaction, which concerns the acquisition of a foreign company in Dubai,” the email said, before saying that this must remain strictly confidential and replies should only be made to the French CEO’s “personal” email.
How The Money Was Stolen
The scam then kicked in with the request, “Can you transfer € 826,521?” The payment was to be made to a KPMG employee in Canada, with the account number and name of the beneficiary (Towering Stars General Trading) included. Pathé Nederland would be reimbursed at the end of the month it said. Meijer was surprised that this was being asked of the Dutch subsidiary and inquired whether this could be done without the involvement of the Supervisory Board. She was told by the “French CEO” that it would be handled. Dertje forwarded the email to Slutter with the comment, “Strange, is it not?”
The following day (9 March 2018) a new email arrived saying that the acquisition was going ahead and that 10% of the total transaction was required as a first payment. A document was attached with the names and signatures of the French CEO and family shareholders. The second payment is due to go out on the 13 March, with EUR €2,479,563 (USD $2,785,744) set to be paid to the same account number. Meijer asks if there can be a telephone consultation about this, but an email reply tells her, no, this is against KPMG standards. The email exchange is forwarded to the CFO who responds, “Curious process. Never experienced anything like that.”
There are requests for a third and fourth tranche to be paid, this time for “communication and development”. At this point Pathé Nederland has to tap into the “cash pool” of Pathé France, with money transferred to the Netherlands and then paid to the overseas account. The final payment was made on Tuesday 27 March. With it the Amsterdam office of Pathé had paid a total of €19,244,304, thinking that it was for the acquisition of a cinema operator in the Persian Gulf.
The final email reply they had was that the money would be repaid soon. But the fraudsters behind this scam of course never had any intention of paying back the millions of euro they had just stolen.
Dutch financial newspaper Het Financieele Dagblad describes what happened next:
Questions about withdrawals from the “cash pool” come from the Pathé headquarters in Paris. What is going on? What did you use that money for? Emergency consultation took place by telephone. Then the penny drops: the fraudsters have led the Dutch up the [proverbial] garden path. A suspension follows. Later the French issue the dismissal of both Meijer and Slutter.
After this Meijer and Slutter take Pathé to court for unfair dismissal, while the cinema industry is abuzz with rumours and half-truths about what had happened and why both the CEO and CFO of Pathé Nederland had been suspended and ultimately let go. What was only becoming clear was that this was one of the largest known case of “CEO-fraud” of a publicly named company.
A Con With Many Names
The “CEO scam” is also known as “CEO Impersonation Fraud,” Business Email Compromise (BEC) scam, or “whaling” – so called because it goes after big targets, as opposed to standard “phishing” (“Hello Dear, I am the Widow of Nigerian General with $159m in a frozen account.”) It impersonates a CEO or Senior executive and asks for a large money transfer in the guise of a secret deal. The “CEO scam” is well known amongst security experts. It rarely comes to light, however, because companies that become victims prefer not to reveal the details if possible.
Previously the largest known case in the UK was a GBP £18.5 million (over EUR €21 million or USD $23.80 million at today’s exchange rate), though the exact identity of the company was never revealed:
The company, a global brand of healthcare products, remained anonymous. However, it emerged that a man impersonating a senior staff member phoned a financial controller in the firm’s Scotland office and requested funds to be transferred to accounts in Hong Kong, China and Tunisia. The employee was so duped that the transaction occurred despite several phone calls and emails occurring.
The average amount stolen in “CEO fraud” cases is typically thought to be around GBP £35,000, (EUR €40,075 or USD$ 45,030) meaning that there are two orders of magnitude for this type of fraud and Pathé found itself in the much larger one. The Pathé case is believed to be one of the largest to have come to light in recent years, though there was a case in France that netted the thieves a staggering €32 million, in what is known as “fraude au president.” BBC reports that “French businesses have lost an estimated €465m since 2010, official figures suggest, with 15,000 firms falling victim to the scam, including big names, such as Michelin, KPMG and Nestle.”
There are several way of spotting and preventing “CEO fraud” but it is critical to remember that these are sophisticated scams by professional gangs devoting weeks or months of preparation. The email will not be caught by spam filters and uses clever social engineering.
Who Is To Blame?
The legal case being decided was not about the guilt or involvement of either CEO Meijer and CFO Slutter, but whether Pathé was right in how it went about handling it from a human resources and contractual perspective, since Meijer and Slutter were suspended and then had to leave once Pathé in France said that it had lost confidence in them.
The “conclusion” of the court is worth quoting in full (translated by Google into English without edits):
It has not been shown that persons working at Pathé have been actively involved in the fraud. It has also not been demonstrated that these persons had knowledge of the fraud prior to or during the fraud. Pathé seems to have become the target of a professional gang of fraudsters, who through refined communication managed to win the trust of some Pathé employees, and in particular of Mrs. [name 3] and Mr [the applicant], respectively. The fraudster managed to persuade Pathé employees to transfer a considerable amount of money several times. In total, it amounts to more than € 19,200,000.
The Court decided that CFO Edwin Slutter should be paid his full monthly salary of EUR €13,503.09 (USD $15,170.48) up until the formal end of his contract on 1 December 2018. The lengthy ruling in Dutch is too long to be easily summarised here but can be read in full. Former CEO Dertje Meijer’s case is still ongoing – although neither of them are named in the court document.
Celluloid Junkie reached out to Pathé for a comment and received the following reply:
“The court has ruled in the proceedings started by Mr. Edwin Slutter following the termination of his employment contract. The court has ruled that the employment contract of Mr. Slutter may be terminated.“
On 1 October Pathé Nederland got a new CEO, with Jacques Hoendervangers replacing Lauge Nielsen, who had stepped in on a temporary basis to replace Dertje Meijer.