The Toyota Boshoku Corporation, a major supplier of Toyota auto parts, reported some sad news this week. Fraudsters swindled the company via an email scam to the tune of about ¥4 billion (JPY). That works out to just over $37 million at today’s exchange rate.
On August 14th, attackers managed to convince someone with financial authority to change account information on an electronic funds transfer. Both Toyota Boshoku Corporation and its subsidiary have been in contact with law enforcement officials and an investigation is under way.
It’s not yet known if the company will be able to recover any of the stolen funds. Understandably, the press release offers few additional details. It does note that the incident may require the company to adjust its March 2020 financial projections.
This type of cyberattack is known as a business email compromise (or BEC), and such attacks have become frightfully common in recent years. According to a report from the FBI, BECs have cost the global business community about $5.3 billion over the last six years. It is believed that 75% of businesses are exposed to at least one attempted BEC in a given year.
The attacker’s playbook is fairly uncomplicated. They start by identifying names and email addresses of potential victims (often in finance and HR departments) and a suitable name and email address from which to launch the attack (an executive, manager, or even a finance staffer who works for a contractor).
If an attacker takes a quick and dirty approach, he or she might simply browse a corporate website or poke around LinkedIn. Spearphishing emails are mostly sent from an address that looks authentic. For a fairly minimal amount of effort, a cybercriminal might score several thousand dollars.
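Because these emails rely on a sender address that only looks authentic, a mail filter can check the From header before a payment request reaches finance staff. The following is an added example, not part of the original article: the trusted domain, the executive names, the distance threshold and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.test"   # assumption: the organisation's own mail domain
EXECUTIVES = {"jane doe", "sam lee"}   # assumption: names an attacker would borrow
MAX_DISTANCE = 2                       # assumption: edits that still "look authentic"

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Return the reasons a message's From header looks like impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != TRUSTED_DOMAIN:
        # Near-miss of the real domain, e.g. a digit swapped for a letter.
        if edit_distance(domain, TRUSTED_DOMAIN) <= MAX_DISTANCE:
            flags.append("lookalike-domain")
        # An executive's display name attached to an outside address.
        if name.strip().lower() in EXECUTIVES:
            flags.append("executive-name-external-address")
    return flags

# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": "From: Jane Doe <jane.doe@example-corp.test>\nSubject: Q3\n\nhi",
    "lookalike": "From: Jane Doe <jane.doe@examp1e-corp.test>\nSubject: New bank details\n\nhi",
    "freemail": "From: Sam Lee <sam.lee.office@mail.test>\nSubject: Urgent wire\n\nhi",
    "vendor": "From: Billing <billing@supplier.test>\nSubject: Invoice\n\nhi",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, bec_flags(raw))
```

A flag here is a reason to hold the message for out-of-band verification of the payment change, not proof of fraud.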