Business email compromise attacks cost millions, losses doubling each year

Cybercriminals follow the money, and you need look no further than Toyota Boshoku's recent $37 million loss to see why many are turning to BEC scams.

In August 2019, someone at Japan's Toyota Boshoku Corp. received fraudulent payment instructions by email to send 4 billion yen (about $37 million) to a third party — which they did. "We became aware that the directions were fraudulent shortly after the leakage," the company disclosed in a statement.

The company reacted quickly once it discovered the fraud and took appropriate actions to recover its losses, though experts believe recovery is unlikely. If it can't recover the money, it might be forced to restate its earnings forecast downward. That could have a negative impact on its stock price.

This is just the latest high-profile example of business email compromise (BEC). "I've seen this happen at least 100 times personally," says Robert Wheeler, CEO of Strategic Consulting and a retired general who was previously a deputy CIO at the Air Force. For example, attackers were recently able to get into a company's systems, and the CFO received an email from the CEO asking for a large amount of money to be transferred.

The company had security in place, Wheeler says, but this particular attack was able to get through. What saved the company was that they had a process in place that called for a face-to-face confirmation for certain transactions. It was a medium-sized company, so this requirement wasn't particularly onerous. "That CFO went down the hallway and talked to the CEO about the money," Wheeler says, "and the CEO said, 'What money?' That was their procedure that they had set up for cases that hit a certain dollar amount. It saved them from sending that money."
