- Cybercrooks tricked an employee of the Nikkei America subsidiary into transferring money into bank accounts they controlled.
- The company is still in the process of recovering the $29 million lost to the scammers.
Business email compromise, or BEC, scams are a class of attack that needs to succeed only a few times to be highly rewarding for the cybercriminals behind it. According to the FBI's report, losses from BEC scams amounted to nearly $1.3 billion in 2018, double the $676 million lost in 2017.
The Nikkei incident
Nikkei, one of the largest media companies in Japan, with about 4 million active subscribers, was scammed out of $29 million in late September 2019.
- An employee of Nikkei America, a subsidiary of Nikkei Inc., was fooled by fraudsters into transferring the money to a bank account controlled by them.
- The scammers pretended to be one of the executives of Nikkei Inc.
According to Nikkei, it is “taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations.”
How do criminals commit BEC?
BEC scams, also known as CEO fraud, email account compromise (EAC), or whaling, generate over $301 million every month.
- The most elementary BEC scam uses spoofed emails impersonating the company’s senior executives, such as the CEO or the CFO, in an attempt to trick an employee into transferring funds to a third party.
- In another attack variant, a fraudster may pose as a vendor and send a fraudulent invoice requesting payment to a bank account under their control.
- In some cases, the bad actors also seek sensitive financial information by making legitimate-sounding requests for tax statements or other confidential information related to business transactions, which they can then use to commit fraud.
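The three variants above share header-level tells a mail gateway or SOC can screen for: an executive's name in the display name while the address is external, a Reply-To that diverts replies to a different domain, a lookalike of the company's own domain, and urgent payment language in the subject. The following is an added example of such screening logic; it is not code from Nikkei or from the article's author, and the company domain, executive names and sample messages are all constructed.

```python
"""Heuristic BEC screening of inbound mail headers.

Added example: the organisation (example.com), its executives and the
sample messages are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation: its own domain and the executives most
# likely to be impersonated (names normalised to lower case).
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"alice example", "bob example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains
    such as examp1e.com against example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Executive name in the display name, but the address is external.
    if display.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive display name with external sender domain {from_domain}")

    # 2. Reply-To diverts replies away from the apparent sender domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Sender domain is a near miss of the company domain.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")

    # 4. Urgency combined with payment language in the subject.
    subject = msg.get("Subject", "").lower()
    urgent = any(w in subject for w in ("urgent", "immediately"))
    payment = any(w in subject for w in ("wire", "transfer", "payment", "invoice"))
    if urgent and payment:
        findings.append("urgent payment language in subject")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = """From: Alice Example <alice.example@example.com>
To: accounts@example.com
Subject: Board meeting agenda

Agenda attached.
"""

SAMPLE_SPOOF = """From: Alice Example <alice.example@webmail-free.example>
Reply-To: ceo.office@reply-drop.example
To: accounts@example.com
Subject: URGENT wire transfer needed today

Please process the attached payment before noon.
"""

SAMPLE_LOOKALIKE = """From: Bob Example <bob.example@examp1e.com>
To: accounts@example.com
Subject: Invoice payment

Please update the vendor's bank details, see attached.
"""

if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE)):
        print(name, screen_message(raw))
```

Any non-empty result is a reason to route the message for human review rather than to act on it; the display-name and Reply-To checks catch the executive-impersonation variant, the lookalike check catches the fake-vendor variant, and none of them depends on the message body.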
The trend, however, is changing.
- In 2017, 33 percent of BEC cases were CEO fraud. This fell to 12 percent in the following year.
- Posing as a client and sending a false invoice remained the most popular technique for identity-based fraud in 2018, accounting for 39 percent of BEC scams.
- In March 2019, a man managed to trick employees at Google and Facebook into paying out $123 million against fake invoices.
What makes the attempt successful? The fear
Scammers largely rely on the “fear of the boss” mentality among employees. Employees generally do not dare question or decline a task (often tagged ‘urgent’) that appears to come directly from the most important person in their company. They simply process it, and that is what cybercriminals bet on.
The sense of urgency, and the reluctance to ask a superior for a second approval of the transfer, are the factors that BEC scams depend on.
How to stop BEC attacks?
No business is safe from BEC fraud; it targets businesses both large and small. The first and best way to avoid being scammed is to adopt a Zero Trust approach: an employee who does not trust an unsolicited email is doing the right thing. Even the slightest doubt about the legitimacy of an email must be reported. In that case, the employee must never reply and, most importantly, must not make any financial transaction with the other party.
Beyond that, enterprises can educate their staff, carry out meticulous verification processes (for example, a two-step verification process for wire transfers), and stay alert to social media posts about the whereabouts of key people within the organization.
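The two-step verification mentioned above is a process control, and the most useful place to enforce it is the step that actually releases the payment. The following is an added example of such a release gate, not Nikkei's process or any real bank's API: it requires two distinct approvers above a threshold, refuses to let the requester approve their own transfer, and blocks any payment to an account that differs from the vendor master record until an out-of-band callback has been recorded. The vendor record, threshold and request values are all constructed.

```python
"""Dual-control release gate for outgoing wire transfers.

Added example: the vendor master file, threshold and requests are
hypothetical values constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical vendor master file: the bank account on record per vendor.
# The account strings are constructed placeholders, not real IBANs.
VENDOR_MASTER = {"ACME Supplies": "ACCT-ON-FILE-0001"}

# Constructed policy value: transfers at or above this need two approvers.
DUAL_CONTROL_THRESHOLD = 10_000.0


@dataclass
class WireRequest:
    vendor: str
    amount: float
    account: str
    requested_by: str
    approvals: set = field(default_factory=set)
    # Set only after someone has phoned the vendor on the number already
    # on file (never a number taken from the invoice) to confirm a change.
    callback_verified: bool = False

    def approve(self, approver: str) -> None:
        """Record an approval, enforcing segregation of duties."""
        if approver == self.requested_by:
            raise PermissionError("requester cannot approve their own transfer")
        self.approvals.add(approver)


def release_blockers(req: WireRequest) -> list[str]:
    """Return the reasons the transfer must NOT be released; empty means it may go."""
    blockers = []
    on_file = VENDOR_MASTER.get(req.vendor)
    if on_file is None:
        blockers.append("vendor not in master file")
    elif req.account != on_file and not req.callback_verified:
        blockers.append("bank account differs from vendor record and no callback verification recorded")
    if req.amount >= DUAL_CONTROL_THRESHOLD and len(req.approvals) < 2:
        blockers.append(f"{len(req.approvals)} approval(s) recorded, 2 required above {DUAL_CONTROL_THRESHOLD:,.0f}")
    return blockers


def run_scenario() -> tuple[int, int]:
    """Walk one constructed request through the gate; returns the number of
    blockers before and after the controls are satisfied."""
    req = WireRequest("ACME Supplies", 29_000_000.0, "ACCT-CHANGED-9999", "clerk")
    before = len(release_blockers(req))  # account change + missing approvals
    req.approve("manager")
    req.approve("controller")
    req.callback_verified = True
    after = len(release_blockers(req))  # nothing left blocking
    return before, after


if __name__ == "__main__":
    print(run_scenario())
```

The point of the design is that the "urgent request from the boss" that the article describes cannot by itself move money: the gate does not care who sent the email, only whether the account matches the record, whether the change was confirmed on a known-good channel, and whether two people other than the requester signed off.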