Saturday, September 07, 2019

Toyota Parts Supplier Hit By $37 Million Email Scam

https://www.technologymagan.com/2019/09/toyota-parts-supplier-hit-by-37-million-email-scam.html

Toyota Boshoku Corporation, a leading supplier of Toyota auto parts, disclosed some disturbing news this week: fraudsters took the company for nearly JPY 4 billion through an email scam. That works out to more than $37 million at today's exchange rate.

On 14 August, the attackers managed to convince someone with financial authority to change the account information on an electronic money transfer. Both Toyota Boshoku Corporation and its subsidiary are in contact with law enforcement officials, and an investigation is underway.

It is not yet known whether the company will be able to recover any of the funds. The press release provides few additional details. It does note that the incident may require the company to adjust its March 2020 financial projections.

This type of cyber attack is known as business email compromise (BEC), and such attacks have become frighteningly common in recent years. According to an FBI report, BEC has cost the global business community approximately $5.3 billion over the past six years. It is estimated that 75% of businesses are exposed to at least one attempted BEC in a year.

The attacker's playbook is fairly straightforward. They identify the names and email addresses of potential victims (often in the finance and human resources departments) and a suitable name and email address to attack from (an executive, a manager, or even a contractor that the finance staff work with).

If an attacker takes a quick and dirty approach, they can simply browse the corporate website or poke around LinkedIn. Spear-phishing emails are then sent from an address that looks authentic. For a fairly small amount of effort, a cybercriminal can score several thousand dollars.

Attacks are more sophisticated when the target is a giant corporation like Toyota Boshoku. Malware is often involved: the criminals phish an employee and then snoop on that employee's email messages. Attack emails are sent from a valid corporate email account, which makes them far more credible.

A skilled attacker may spend months or even years on reconnaissance to learn the communication habits of the victims. Once enough background information has been collected, they wait for the right opportunity to strike. Usually that is when a large money transfer is expected, for example the closing of a real estate deal or a payment for services rendered.

What steps can you take to avoid being victimized by BEC? The FBI has published a list of six mitigations, including verifying any change to payment instructions with the requester by phone and requiring such changes to be authorized by two parties.
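As an added illustration (not code from the article or from Toyota Boshoku), here is a small Python check that a mail gateway or SOC triage script could run on an incoming `From:` header to flag the lookalike sender addresses described above. The list of trusted partner domains and the sample headers are constructed for this example.

```python
import re

# Constructed list of domains the organisation legitimately exchanges
# payment instructions with (hypothetical values for this example).
TRUSTED_DOMAINS = {"toyota-boshoku.example", "supplier-finance.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain part from a header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header.

    A domain within max_dist edits of a trusted domain (e.g. one swapped
    letter) is the classic BEC lookalike and deserves manual verification,
    such as the phone call back to the requester that the FBI recommends.
    """
    dom = sender_domain(from_header)
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if edit_distance(dom, t) <= max_dist:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ("CFO <cfo@toyota-boshoku.example>",
                "CFO <cfo@toyota-boshuku.example>",
                "CFO <cfo@webmail.example>"):
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

A result of `lookalike` should route the message to a human review step rather than block it silently, since the attacker's next move is often a follow-up from a different address.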