
Cyber Incident Victim: Goliath and Goliath

Date: Apr 2018

Location: South Africa

Summary

A comedy and entertainment agency suffered financial losses exceeding R300,000 due to a phishing scheme where attackers intercepted invoices and altered banking details, redirecting payments ranging from R20,000 to R130,000. The breach was detected when a client flagged discrepancies in payment instructions, after which hackers aggressively demanded payment confirmations via emails that overloaded and disabled the CEO's account. The incident caused operational disruptions, forced consideration of domain and email service changes, and significantly impacted business efficiency. Law enforcement involvement ensued, with the company subpoenaing bank records, while its service provider found no evidence of system compromise but pledged cooperation with authorities. The CEO reported feeling violated and unsafe following the attack.


Description

In April 2018, comedy and entertainment agency Goliath and Goliath suffered a financial loss exceeding R300,000 due to a phishing attack targeting its invoicing process. Hackers intercepted legitimate invoices issued by the company and altered the banking details to divert payments into accounts under their control. The fraudulent transactions ranged from R60,000 to R130,000 per incident, with the company’s subsidiary PR Bailiff losing an additional R20,000 through similar methods. CEO Kate Goliath became aware of the scam when a client reported suspicious activity regarding an invoice discrepancy – specifically noting that the bank account number listed differed from previous legitimate transactions. The attackers aggressively followed up with the client, sending repeated emails demanding proof of payment every two hours until payment was made. At the peak of the attack, over 700 emails were sent from Kate Goliath’s compromised email account within a three-hour period, exceeding the email service quota and causing her account to be temporarily blocked. The fraudulent emails used plain text formatting and consistently directed recipients to transfer funds to the hackers’ specified bank accounts. Forensic analysis by their service provider Afrihost found no evidence of system breaches or compromises on their infrastructure, leading investigators to classify the incident as a phishing campaign rather than a technical intrusion.


The company responded by filing a police case and initiating legal procedures to subpoena the bank where the fraudulent accounts were held. Kate Goliath expressed extreme personal distress, stating she felt watched, violated, and unsafe, while the business experienced operational disruptions including slowed processes and consideration of costly measures like changing their web domain and email service to prevent future attacks. The incident necessitated plans to migrate all business contacts and workflows to new platforms, further straining resources. Afrihost publicly expressed empathy for the client’s financial and emotional impact while committing to cooperate with the South African Police Services investigation. Industry commentary highlighted that small and medium enterprises like Goliath and Goliath face heightened cybercrime risks due to limited IT security budgets and lack of dedicated risk management personnel, with experts emphasizing staff training on phishing recognition, regular password updates, and software patching as the critical areas needing attention, based on the attack vectors observed.
