Business email compromise attacks cost millions, losses doubling each year

In August 2019, someone at Japan’s Toyota Boshoku Corp. received fraudulent payment instructions by email to send 4 billion yen (about $37 million) to a third party — which they did. “We became aware that the directions were fraudulent shortly after the leakage,” the company disclosed in a statement.

The company reacted quickly once it realized the fraud and took appropriate actions to recover its losses — a prospect experts believe unlikely. If it can’t recover the money, it might be forced to restate its earnings forecast downward, which could have a negative impact on its stock price.

This is just the latest high-profile example of business email compromise (BEC). “I’ve seen this happen at least 100 times personally,” says Robert Wheeler, CEO of Strategic Consulting and retired general who was previously a deputy CIO at the Air Force. For example, attackers were recently able to get into a company’s systems, and the CFO received an email from the CEO asking for a large amount of money to be transferred.

The company had security in place, Wheeler says, but this particular attack was able to get through. What saved the company was that they had a process in place that called for a face-to-face confirmation for certain transactions. It was a medium-sized company, so this requirement wasn’t particularly onerous. “That CFO went down the hallway and talked to the CEO about the money,” Wheeler says, “and the CEO said, ‘What money?’ That was their procedure that they had set up for cases that hit a certain dollar amount. It saved them from sending that money.”

It requires a commitment from senior management to put these kinds of policies in place, Wheeler says. “The culture of the C-suite drives the amount of risk the company accepts.”

What is business email compromise?

BEC is a form of spear phishing where criminals target key individuals who control the flow of finances. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.

Read full article at CSO magazine.