Toyota parts supplier affected by $37 million email scam


On 14 August, the attackers managed to convince someone with access to financial information to change the account information on an electronic money transfer. Toyota Boshoku Corporation and its subsidiaries are in contact with law enforcement officials, and an investigation is underway.

It is not yet known whether the company will be able to recover the funds. Apparently, the press release provides some additional details. It explains that the incident may require the company to adjust its financial projections for March 2020.

This type of cyber attack is known as business email compromise (BEC), and it has become very common in recent years. According to an FBI report, BEC has cost the global business community approximately $5.3 billion over the past six years. It is assumed that 75% of companies are exposed to at least one BEC attempt in a given year.

The attacker's playbook is quite simple. They use the names and email addresses of potential victims (often in the finance and human resources departments) and a suitable name and email address from which to launch an attack (that of an executive, a manager, or even a finance worker at a contractor).

If an attacker takes a quick and dirty approach, they can simply browse a corporate website or rummage through LinkedIn. Spear-phishing emails are often sent from an address that looks authentic. For minimal effort, a cybercriminal can earn several thousand dollars.

When the target is a giant corporation like Toyota Boshoku, the attacks are more sophisticated. They often involve phishing an employee with malware and then spying on email. The attack emails are then sent from a valid corporate email account, which makes them more credible.

A skilled attacker may spend months or years on reconnaissance to learn the victims' communication habits. Once enough background information has been collected, they wait for the right opportunity to attack. In general, the attacker will strike when a large transfer of funds comes up in an email, for example, the conclusion of a real estate agreement or payment for services provided.

What steps can you take to avoid becoming a victim of BEC? The FBI has published a list of six mitigations, including verifying any changes to transaction details by telephone with the requester and requiring that such changes be authorized by two parties.
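
The two mitigations named above can be enforced as a release gate on bank-detail changes. The sketch below is an added example, not code from the FBI or from this article. The vendor, mailboxes, phone numbers and account strings are constructed, and the rule that the callback must use a number already on file is an assumption of the example.

```python
from dataclasses import dataclass, field

# Constructed vendor master data: numbers recorded before any change request.
PHONE_ON_FILE = {"Example Parts Ltd": "+1-555-0100"}

@dataclass
class ChangeRequest:
    vendor: str
    sender: str                 # mailbox the change request arrived from
    new_account: str
    callback_number: str = ""   # number staff dialled to verify, if any
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)

def review(req: ChangeRequest) -> list:
    """Return the reasons to hold a bank-detail change; empty means release."""
    reasons = []
    on_file = PHONE_ON_FILE.get(req.vendor)
    if not req.callback_confirmed:
        reasons.append("change not confirmed by telephone")
    elif on_file is None or req.callback_number != on_file:
        # A number taken from the request itself may belong to the attacker.
        reasons.append("callback did not use the number on file")
    # The sender never counts as an approver: a hijacked but valid
    # corporate mailbox could otherwise approve its own request.
    if len(req.approvers - {req.sender}) < 2:
        reasons.append("fewer than two approvers besides the sender")
    return reasons

# Constructed requests: one BEC-style, one that followed the procedure.
SUSPECT = ChangeRequest(
    vendor="Example Parts Ltd", sender="cfo@corp.example",
    new_account="XX00-CONSTRUCTED-1",
    callback_number="+1-555-0199", callback_confirmed=True,
    approvers={"cfo@corp.example", "clerk@corp.example"})
VERIFIED = ChangeRequest(
    vendor="Example Parts Ltd", sender="billing@parts.example",
    new_account="XX00-CONSTRUCTED-2",
    callback_number="+1-555-0100", callback_confirmed=True,
    approvers={"clerk@corp.example", "controller@corp.example"})

if __name__ == "__main__":
    for req in (SUSPECT, VERIFIED):
        print(req.sender, "->", review(req) or "release")
```

The first request is held even though it comes from a valid corporate mailbox, because the callback went to a number supplied with the request and only one approver other than the sender signed off.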