{"id":14098,"date":"2019-09-24T13:34:48","date_gmt":"2019-09-24T09:34:48","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/bec-toyota\/14098\/"},"modified":"2019-11-15T15:21:55","modified_gmt":"2019-11-15T11:21:55","slug":"bec-toyota","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/bec-toyota\/14098\/","title":{"rendered":"How business e-mail compromise can cost millions"},"content":{"rendered":"<p>Generally, hijacked accounts are used to distribute spam and bypass filters. However, a hijacked mailbox can be used for far nastier things, such as a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/bec\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener noreferrer\">business e-mail compromise (BEC) attack<\/a>. Last month, a subsidiary of Toyota Boshoku Corporation was hit by such a scam, causing an estimated 4 billion yen (more than $37 million) of damage.<\/p>\n<h2>What happened?<\/h2>\n<p>According to the company\u2019s <a href=\"https:\/\/www.toyota-boshoku.com\/global\/content\/wp-content\/uploads\/190906e.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">official statement of September 6<\/a>, as well as comments from <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-37-million-lost-by-toyota-boshoku-subsidiary-in-bec-scam\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">news publications<\/a>, unknown cybercriminals launched a BEC attack. The incident is still being investigated and no details have been released, so it is not clear whether a hijacked mailbox was used or if the attackers simply impersonated someone. What we do know is that the financial loss was attributed to fraudulent bank transfer instructions that someone in the company took for legitimate.<\/p>\n<p>Shortly after the transfer, Toyota security experts realized that the money had gone to outside accounts, but it was too late to stop the transfer. 
Meanwhile, the company is working to get the funds returned.<\/p>\n<h2>What is a BEC attack?<\/h2>\n<p>A BEC attack does not necessarily involve hijacking other people\u2019s mailboxes. Sometimes cybercriminals try to impersonate senior company employees or partners using third-party addresses. However, using an insider\u2019s mail account makes the attack a whole lot easier \u2014 after all, an e-mail from someone you really do correspond with raises far less suspicion.<\/p>\n<p>For the attack to be successful, the cybercriminal must of course have excellent social-engineering skills; impersonating another person and convincing someone to do something is not so easy. Here again, a hijacked mailbox simplifies the attackers\u2019 task; having studied the contents of the Inbox and Sent folders, they will be able to imitate the person\u2019s style and character much more convincingly.<\/p>\n<p>The goal of a BEC attack is not always the transfer of funds (convincing someone to send millions of dollars is not a trivial task in anyone\u2019s book). It is far more common for attackers to try to extract confidential data from the victim.<\/p>\n<h2>Other examples of BEC attacks<\/h2>\n<p>The Toyota attack is by no means the first case of this kind. This year, we <a href=\"https:\/\/www.kaspersky.com\/blog\/sharepoint-phishing-attack\/25515\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">wrote<\/a> several times about a <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/brazil-spam-mail-takeover\/15789\/\" target=\"_blank\" rel=\"noopener noreferrer\">cybercriminal scheme<\/a> aimed at seizing the accounts of company employees. In May we <a href=\"https:\/\/www.kaspersky.com\/blog\/boca-juniors-case\/27107\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">chronicled how cybercriminals tricked<\/a> a football club into using the wrong payment details for a player\u2019s transfer fee. 
Last month, scammers tried to <a href=\"https:\/\/www.kgw.com\/article\/news\/crime\/portland-public-schools-says-it-has-recovered-the-29-million-nearly-lost-in-scam\/283-c747b698-4a2e-4705-b3d2-da17bb982c15\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">phish $2.9 million<\/a> out of Portland Public Schools (Oregon). And in July, Cabarrus County Schools (North Carolina) lost <a href=\"https:\/\/statescoop.com\/north-carolina-cabarrus-county-lost-1-7-million-email-scam\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">$1.7 million<\/a>, having received bogus instructions by e-mail. Staff initially transferred $2.5 million, supposedly for the construction of a new school, but later recouped part of the funds.<\/p>\n<h3>How to avoid becoming a victim<\/h3>\n<p>To safeguard against social engineering, technical means alone are inadequate \u2014 especially if the attackers are professionals with access to the real mailbox of the person they are trying to impersonate. Therefore, to avoid falling for this kind of scam, we advise that you:<\/p>\n<ul>\n<li>Clearly set out the company\u2019s funds transfer procedure so that no employee is able to make a transfer to a third-party account unsupervised. Ensure that transfers of large sums are authorized by several managers.<\/li>\n<li>Train employees in the basics of cybersecurity, and teach them to be skeptical about incoming e-mails. Our <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/security-awareness\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">security awareness programs<\/a> greatly assist in this regard.<\/li>\n<li>Prevent the hijacking of corporate mail accounts with phishing protection at the mail server level. 
For example, install <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Security for Business<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Toyota\u2019s European division just lost more than $37 million to cybercriminals. Learn how to avoid becoming a victim of a BEC attack.<\/p>\n","protected":false},"author":700,"featured_media":14099,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2176,80,2177],"class_list":{"0":"post-14098","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-bec","11":"tag-fraud","12":"tag-transfer"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/bec-toyota\/14098\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/bec-toyota\/16711\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/bec-toyota\/18673\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/bec-toyota\/16745\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/bec-toyota\/15448\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/bec-toyota\/19339\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/bec-toyota\/18030\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/bec-toyota\/23653\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/bec-toyota\/6467\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bec-toyota\/28715\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/bec-toyota\/12328\/"},{"hreflang":"pt-br","url":
"https:\/\/www.kaspersky.com.br\/blog\/bec-toyota\/12427\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/bec-toyota\/11219\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/bec-toyota\/20242\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/bec-toyota\/24662\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bec-toyota\/23491\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bec-toyota\/23334\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/fraud\/","name":"fraud"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14098","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14098"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14098\/revisions"}],"predecessor-version":[{"id":14345,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14098\/revisions\/14345"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/14099"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}