The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.

Next, the thieves registered lookalike domains visually similar to the domains of the companies involved in the email chains. Since the hackers had diverted legitimate messages, they could create new conversations or continue existing ones, with the target assuming that the email source was genuine.

At that point, the team was ready to demand money for what seemed like real investments. By posing as legitimate email correspondents, they could easily do that by substituting their own banking information for that of a bona fide party. That allowed them to intercept legitimate wire transfers and even create new ones.

“The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction,” according to Check Point. “If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.”

These types of attacks show how easy it (still) is for malicious players to manipulate emails in a way that’s easily missed by busy or inattentive company officials. Check Point said that, via an “emergency intervention,” it managed to recover about half of the £1.1 million in funds (around $1.3 million), but the rest of the money was lost.

As such, it advised companies to incorporate email security, educate employees and partners immediately, and add second-party verification by direct phone calls. These things all seem obvious, especially for firms dealing in large amounts of money, but we’ve obviously still got a lot to learn.