Hacking a business e-mail can cost millions of dollars
Hacked accounts are mostly used to distribute spam and bypass filters. However, if someone intercepts the data in the mailbox, they can use it for something much worse, such as a Business E-mail Compromise (BEC) attack. Last month, Japanese auto parts maker Toyota Boshoku Corporation had to deal with exactly that. As a result, the company suffered approximately 4 billion yen (more than $37 million) in damage.

What happened?

As reported in an official statement on September 6, as well as in comments to the press, unknown cybercriminals launched a BEC attack. Incident analysis is still ongoing, so no details have been released yet – it is unknown whether a hijacked mailbox was used or whether the attackers impersonated someone from a third-party address. We only know that the financial losses are related to a bank transfer that a person in the company recognized as legitimate.

Shortly after the money was transferred, security experts at Toyota realized that it had ended up in external accounts, but the transfer could no longer be reversed. The company is currently seeking to recover the funds.

What is a BEC attack?

A BEC attack does not necessarily hijack your mailbox. Sometimes, cybercriminals pretend to be senior company employees or partners by using third-party addresses. However, using an email account belonging to someone working in the organization under attack makes the attack much easier to carry out – after all, a message from someone you really correspond with significantly reduces suspicion.

For such an attack to be effective, the cybercriminal obviously needs excellent social engineering skills: impersonating another person and convincing someone to do something is not an easy task. A hijacked mailbox makes the task much easier – it is enough to carefully analyze the contents of the inbox and sent messages to learn who corresponds with whom, about what, and in what tone.

The goal of a BEC attack is not always to transfer money (convincing someone to send millions of dollars is not all that easy). Much more often it is about extorting confidential data from the victim.

Other examples of BEC attacks

This attack is not the first of its kind. This year, we have already described the pattern of cybercriminals trying to hijack company employees' accounts. In May, we described how cybercriminals defrauded a soccer club by supplying incorrect payment details for a player transfer fee. Last month, scammers tried to extort $2.9 million from the municipal school district Portland Public Schools (Oregon). And in July, Cabarrus County Schools (North Carolina) lost $1.7 million after receiving false instructions via e-mail. Staff initially sent $2.5 million – allegedly to build a new school – but later got some of the money back.

How not to become a victim of fraud

To protect yourself from social engineering, it is not enough to rely on technical measures alone – especially if the attackers are professionals and have access to the mailbox of the person they are pretending to be. Therefore, the best solution is to follow the rules below:

  • Prepare a clear procedure for making money transfers so that no employee can make a transfer on their own. Make sure that large transfers are authorized by several people in senior positions.
  • Teach employees the basics of cybersecurity, especially to be skeptical about the emails they receive. This is where our security awareness programs come in handy.
  • To prevent hijacking of corporate email accounts, protect yourself against phishing at the mail server level.
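The impersonation pattern described above (an executive's name on a third-party address, or replies quietly redirected elsewhere) is the kind of thing a mail-server-level check can flag before a finance employee ever sees the message. The following is an added example, not code from the original post: a small Python filter that scores inbound headers for three BEC indicators. The corporate domain, the executive names and the three sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the protected corporate domain and the executive display names
# an attacker would most likely borrow (both constructed for this example).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "akira sato"}

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list[str]:
    """Return the impersonation indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []
    # An executive's display name on a sender address outside the company.
    if name.strip().lower() in EXECUTIVES and from_dom != CORPORATE_DOMAIN:
        findings.append(f"executive name '{name}' sent from external domain {from_dom}")
    # Replies quietly redirected to a domain the recipient never saw in From.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Sender domain is a close misspelling of the corporate domain.
    if from_dom != CORPORATE_DOMAIN and _edit_distance(from_dom, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    return findings

# Constructed sample headers: one genuine internal mail and two impersonation attempts.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 review\n\nSee attached.\n",
    "freemail": "From: Jane Doe <jane.doe.ceo@webmail.example>\nSubject: Urgent wire\n\nPay today.\n",
    "lookalike": "From: Akira Sato <a.sato@examp1e-corp.com>\nReply-To: <ap@payments.example>\n"
                 "Subject: New bank details\n\nUse the new account for the transfer.\n",
}
```

Running `bec_indicators` over each entry of `SAMPLES` yields no findings for the genuine mail, one for the free-mail impersonation and three for the lookalike domain with a redirected Reply-To; a real deployment would feed the findings into quarantine or a warning banner rather than block outright.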