Rogue hackers continue to come up with new attacks designed to infiltrate the cyber defenses of the world’s largest corporations. The latest corporate titan to fall victim to hackers is automotive giant Toyota. A European subsidiary of the company, Toyota Boshoku Corporation, was targeted by hackers as part of a business email compromise (BEC) scam. Total financial losses from the BEC scam are reportedly close to $37 million (¥4 billion), and the company is now trying to recover this money with the help of law enforcement officials.
Details of the Toyota BEC scam
On the surface, the BEC scam was not extraordinarily sophisticated. A BEC scam is essentially an advanced phishing or ransomware scam carried out on a large corporation, in which employees of that corporation are asked to send money to foreign bank accounts using a phony business pretext via fake email accounts. By now, BEC attacks are common all over the world, and are used primarily to target finance and accounting departments. In this case, the BEC scam was simple: a third-party hacker posing as a business partner of the Toyota subsidiary sent emails to members of the finance and accounting department, requesting that funds be sent for payment into a specific bank account controlled by the hacker.
The tricky part here, of course, was actually convincing a reasonably intelligent Toyota worker to wire $37 million to a foreign account. In some companies, this sum of money might have triggered all kinds of alarms and warnings. And it might have required the employee to obtain multiple signatures and approvals before making the payment. But at Toyota, the company was large enough that $37 million probably didn’t seem like an outlandishly large figure. Thus, a $37 million fund transfer flowing out of the European subsidiary might not have initially raised any questions from mid-level employees.
According to Colin Bastable, CEO of Lucy Security, Toyota should have been on the lookout for just such a scam: “This is the third acknowledged attack on Toyota this year – Australia in February, Japan in March and now the Zavantem, Belgium European HQ of Toyota Boshoku. Once is happenstance, twice is co-incidence but three attacks looks like enemy action.” In fact, says Bastable, “It’s reasonable to assume that Toyota’s global infrastructure has been compromised to some extent. There is a multiplier effect at work with successful hacks – each one opens up numerous new opportunities to steal money, IP, data or identities.”
While Toyota has not commented publicly on exactly how the hackers carrying out the BEC scam managed to convince the employees to send the money, it’s possible to make a few key inferences. The most likely scenario, of course, is that the BEC scam involved emails from people posing as senior Toyota executives or known European business partners and email addresses that looked close enough to the real thing (perhaps just with a clever typo or misspelling) that the employees didn’t even think twice about carrying out the instructions.
As Bastable notes, “BEC attacks, like ransomware attacks, take planning and patience. The hackers will have had a clear picture of their target, and from the earlier attacks probably were able to steal the email account credentials of C-Suite executives in order to carry out the fraud. They would also, of course, have been able to send spoof emails as well.”
Social engineering at the heart of the BEC scam
According to cyber security experts, that is precisely what makes these BEC scams so successful – the emails appear to be coming from people you know. Cyber security experts refer to this as “social engineering” because the hackers use intimate knowledge of your social network or details of your workplace environment to pose as someone that you might plausibly trust. Think about it for a moment – if you received an email message from somebody posing as a top executive at your company, wouldn’t you at least open the message? If the message was then written in a highly convincing manner, it might even impel you to follow all the instructions written in that message.
And that’s why socially engineered BEC scams are more sophisticated than they might appear to be on the surface. Some hackers spend months, or even years, infiltrating a corporation’s network. Once they have penetrated the network, they can lurk behind the scenes, studying the communication habits of key individuals and deciding on the right timing to carry out a BEC scam. For example, if they see a big real estate deal being discussed, that might be a good opportunity to put the BEC scam into motion. That’s because any real estate deal likely involves significant sums of money. Moreover, there’s the whole timing issue: the hackers carrying out the BEC scam can inject a sense of urgency into the matter by making it appear that the real estate deal will not take place if money is not urgently sent to a certain account.
BEC scams on the rise worldwide
As law enforcement officials point out, BEC scams are on the rise worldwide. In April 2019, for example, the FBI’s Internet Crime Complaint Center (IC3) reported that BEC victims lost over $1.2 billion in 2018. And the U.S. Treasury recently reported that BEC scams carried out on U.S. victims are now responsible for losses in the neighborhood of $300 million per month, or nearly $3.6 billion on an annual basis.
These BEC scams have become so lucrative, in fact, that they now represent 50% of total cybercrime losses in the United States. Put another way, half of all losses attributed to cybercrime can be traced back to BEC scams. With BEC scams so profitable for hackers, it’s perhaps no surprise that they are on the rise worldwide. The only challenge at this point is finding enough gullible employees at big corporations who will send them money.
A new no-nonsense approach to cybercrime
At one time, corporations might have tried to keep these BEC scams private. Telling business partners and vendors that you just lost a lot of money due to a BEC scam is plenty embarrassing, with potential follow-on consequences for your company’s reputation in the marketplace. But now, the BEC attacks are big enough that they represent a real hit to the overall financial performance of a company, and need to be discussed with shareholders. Toyota, for example, says that if the money is not recovered, it could have an impact on its March 2020 earnings forecast.
For that reason, corporation are adopting much more of a no-nonsense approach to BEC scams. They are cooperating in all aspects with law enforcement and local investigating authorities, revising internal processes, training employees how to recognize BEC scams, and requiring multiple forms of authentication for certain transactions. For its part, Toyota said that after establishing “a high possibility of criminal activity, we promptly established a team comprising legal professionals.” The company also reached out immediately to law enforcement officials, eager to bring the hackers to justice. In the new era of cybercrime, cooperating with the authorities and making your response as transparent and public as possible might be the only way to deter future cyber criminals.