How business e-mail compromise can cost millions

Toyota’s European division just lost more than $37 million to cybercriminals. Learn how to avoid becoming a victim of a BEC attack.

Generally, hijacked accounts are used to distribute spam and bypass filters. However, a hijacked mailbox can be used for far nastier things, such as a business e-mail compromise (BEC) attack. Last month, a subsidiary of Toyota Boshoku Corporation was hit by such a scam, causing an estimated 4 billion yen (more than $37 million) of damage.

What happened?

According to the company’s official statement of September 6, as well as comments from news publications, unknown cybercriminals launched a BEC attack. The incident is still being investigated and no details have been released, so it is not clear whether a hijacked mailbox was used or whether the attackers simply impersonated someone. What we do know is that the financial loss was attributed to fraudulent bank transfer instructions that someone in the company took to be legitimate.

Shortly after the transfer, Toyota security experts realized that the money had gone to outside accounts, but it was too late to stop the transfer. Meanwhile, the company is working to get the funds returned.

What is a BEC attack?

A BEC attack does not necessarily involve hijacking other people’s mailboxes. Sometimes cybercriminals try to impersonate senior company employees or partners using third-party addresses. However, using an insider’s mail account makes the attack a whole lot easier — after all, an e-mail from someone you really do correspond with raises far less suspicion.

For the attack to be successful, the cybercriminal must of course have excellent social-engineering skills; impersonating another person and convincing someone to do something is not so easy. Here again, a hijacked mailbox simplifies the attackers’ task; having studied the contents of the Inbox and Sent folders, they will be able to imitate the person’s style and character much more convincingly.

The goal of a BEC attack is not always the transfer of funds (convincing someone to send millions of dollars is not a trivial task in anyone’s book). It is far more common for attackers to try to extract confidential data from the victim.

Other examples of BEC attacks

The Toyota attack is by no means the first case of this kind. This year, we wrote several times about a cybercriminal scheme aimed at seizing the accounts of company employees. In May we chronicled how cybercriminals tricked a football club into using the wrong payment details for a player’s transfer fee. Last month, scammers tried to phish $2.9 million out of Portland Public Schools (Oregon). And in July, Cabarrus County Schools (North Carolina) lost $1.7 million, having received bogus instructions by e-mail. Staff initially transferred $2.5 million, supposedly for the construction of a new school, but later recouped part of the funds.

How to avoid becoming a victim

To safeguard against social engineering, technical means alone are inadequate — especially if the attackers are professionals with access to the real mailbox of the person they are trying to impersonate. Therefore, to avoid falling for this kind of scam, we advise that you:

  • Clearly set out the company’s funds transfer procedure so that no employee is able to make a transfer to a third-party account unsupervised. Ensure that transfers of large sums are authorized by several managers.
  • Train employees in the basics of cybersecurity, and teach them to be skeptical about incoming e-mails. Our security awareness programs greatly assist in this regard.
  • Prevent the hijacking of corporate mail accounts with phishing protection at the mail server level. For example, install Kaspersky Endpoint Security for Business.
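As an added illustration that is not part of the original post, the header checks below flag the impersonation variant described above (an insider's display name on a third-party or lookalike address, or a Reply-To pointing elsewhere), the kind of rule a mail-server-level filter applies. The corporate domain, executive list and sample messages are constructed; a genuinely hijacked insider mailbox passes every check, which is why the transfer procedure and staff training still carry the load.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed example values: the defended organisation's domain and the
# executives whose names a BEC sender is likely to borrow.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain, legit=CORPORATE_DOMAIN):
    """True if domain is one substitution, insertion or deletion away from legit."""
    if domain == legit:
        return False
    if len(domain) == len(legit):
        return sum(a != b for a, b in zip(domain, legit)) == 1
    short, long_ = sorted((domain, legit), key=len)
    if len(long_) - len(short) != 1:
        return False
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def bec_indicators(raw_message):
    """Return header-level BEC indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Impersonation via a third-party address: an insider's name, someone else's mailbox.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("executive display name on non-corporate address")
    if is_lookalike(_domain(addr)):
        findings.append("lookalike sender domain: " + _domain(addr))
    # Replies quietly routed elsewhere are typical of fraudulent transfer requests.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("Reply-To domain differs from From domain")
    return findings

# Constructed samples. The hijacked insider mailbox yields no findings, which is
# why transfer procedures, not filters alone, have to catch that variant.
IMPERSONATION = "From: Jane Doe <ceo.office@freemail.test>\nReply-To: <payments@another.test>\nSubject: Urgent wire\n\nPlease pay the attached invoice today.\n"
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e.com>\nSubject: New bank details\n\nOur account has changed.\n"
HIJACKED = "From: Jane Doe <jane.doe@example.com>\nSubject: Transfer\n\nApprove the transfer.\n"

if __name__ == "__main__":
    for label, raw in [("impersonation", IMPERSONATION), ("lookalike", LOOKALIKE), ("hijacked", HIJACKED)]:
        print(label, bec_indicators(raw))
```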