Published: March 27, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
Japanese media titan, Nikkei Inc., discovered its U.S. division had a massive cybersecurity incident not long ago. The company found a business email compromise (BEC) scam was responsible for stealing $29 billion using a fraudulent wire transfer. In September of last year, a Nikkei America employee fell for the email scheme, leading the staffer to believe the request for funds came from a legitimate Nikkei executive. Instead, the theft was part of a BEC phishing attack that targeted the company with the goal of stealing funds through fraudulent actions.
BEC’s are phishing attacks aimed at employees, especially those involved in wire transfers sending funds to suppliers at home and abroad. Since Nikkei fit the victim profile perfectly, it’s no surprise they were targeted. The employee who made the $29 billion transfer had no idea they had fallen for an email phishing attack, much less that they were an integral part of BEC fraud. Just a few months earlier, a BEC attack stole $742,000 from a church in Ohio, and the City of Ocala, FL, was scammed for almost $2 million. Security experts note hacking groups like Scarlet Widow, Silent Starling, and London Blue are revving-up their attacks by using more sophisticated and effective BEC methods than ever before.
Nikkei is examining the attack, saying very little in a recent press release--“We are investigating and verifying the details of the facts and causes of this incident.” Since the FBI found BEC attacks almost doubled in the U.S. since last year (totaling $1.2 billion), it’s another reason to use cyber-smart tactics to avoid email phishing. Every consumer should use two-factor authentication (2FA) or multi-factor authentication (MFA) whenever available, especially for those accounts dealing with finances of any kind. Authentication is a crucial extra step that helps verify the user is who they claim to be, and not a hacker who’s trying to access a compromised account.
Verification is also key for any business and the third-party vendors with whom they transfer funds:
Always use 2FA or MFA for all accounts. Even if credentials are stolen, an additional point of verification can ferret out bad actors and stop a BEC attack.
Don’t use “email-forward” setup for email accounts. If it’s being used, verify the setup was intentional by the account owner and not the doing of an attacker.
Ensure the originating IP address and other headers match the company known for sending the emails. Any conflict with verification should be an immediate red flag.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org