Own goal: email scam nets €2 million for criminals who hijack Lazio transfer

Photo copyright SS Lazio

Business email compromise has found its way into the beautiful game. The Italian football club Lazio fell for an email scam and paid €2 million to fraudsters.

Rome daily Il Tempo reported that scammers tricked Lazio by sending an email pretending to be from Feyenoord. Lazio was due to pay the final instalment of a transfer fee to the Dutch club for the defender Stefan de Vrij, who joined the Italians in 2014.


The email contained bank transfer details for another Dutch account not belonging to Feyenoord, Il Tempo said. The Dutch club said it didn’t send the email to Lazio, nor did it get the transfer fee. So, in fact both parties suffered a heavy defeat in this case.

Lazio just happens to be the latest to fall foul of a growing problem affecting many kinds of business. Last year the FBI called it ‘the 5 billion dollar scam’, recognising the huge amounts of money fraudsters have made since 2013. Between 2015 and 2017, fraudulent wire transfers grew at a staggering rate of 2,370 per cent.


The eye-watering sums of money swirling around the football ‘industry’ make it an enticing target for crooks. Arguably the surprise is that a case like this didn’t come to light sooner. News of multi-million transfer deals are the stuff of back-page stories, bar-room chatter, and online speculation. It’s not hard to imagine a would-be scammer scouring the sports pages for easy research about potential victims. Many of the details for concocting a plausible cover story were in the public domain.

Regardless of the industry, this is a useful test case for infosec professionals. Companies in many industries routinely announce M&A activity, supplier agreements and product launches. News of big deals might be an opportune moment for criminals to strike. Sophos’ Naked Security blog noted that scammers may try to hack actual email accounts in the target company. This would allow them to send scam emails from a genuine address, and then delete them from the sent folder.

As we’ve noted previously on this blog, there’s also a business process aspect to beating the scammers. Requiring approval from more than one director for large-scale payments could reduce the chances of falling for a fake email.

By way of a footnote, the name of the player in question translates from Dutch into English as ‘free’. As Lazio discovered, this transfer was anything but.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.