On August 14th, attackers managed to convince someone with financial authority to change account information on an electronic funds transfer. Both Toyota Boshoku Corporation and its subsidiary have been in contact with law enforcement officials, and an investigation is under way.
It's not yet known whether the company will be able to recover any of the misdirected funds. Understandably, the press release offers few additional details. It does note that the incident may require the company to adjust its March 2020 financial projections.
This type of cyberattack is known as a business email compromise (or BEC), and such attacks have become frightfully common in recent years. According to a report from the FBI, BECs have cost the global business community about $5.3 billion over the last six years. It's believed that 75% of businesses are exposed to at least one attempted BEC in a given year.
The attacker's playbook is fairly straightforward. They start by identifying names and email addresses of potential victims (often in finance and HR departments) and a suitable name and email address from which to launch the attack (an executive, manager, or even a finance staffer who works for a contractor).
If an attacker takes a quick and dirty approach, he or she might simply browse a corporate website or poke around LinkedIn. Spearphishing emails are often sent from an address that looks authentic. For a fairly minimal amount of effort, a cybercriminal might score several thousand dollars.
When the target is a massive corporation like Toyota Boshoku, the attacks tend to be more sophisticated. Malware is often involved, with the cybercriminal phishing an employee and then snooping on email messages. Attack emails are then sent from a legitimate corporate email account, which makes them much more believable.
A skillful attacker might do months or even years of reconnaissance to learn the victims' communication habits. Once enough background information has been gathered, they'll wait for the right opportunity to strike. Generally the attacker will pounce when a large transfer of funds comes up in an email, for example the closing of a real estate deal or a payment for services rendered.
What steps can you take to avoid being victimized by a BEC? The FBI has published a list of six mitigations, including verifying any changes to transactions by phone with the requestor and requiring those changes to be authorized by two parties.
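As an added illustration of the two mitigations named above (example code written for this page, not part of the original article or the FBI's guidance), here is a small Python model of a bank-detail change approval: the verification call must go to the phone number already on file for the vendor, never to a number supplied in the request itself, and two distinct approvers, neither of them the requester, must sign off before the change is applied. All vendor names, numbers and addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class BankChangeRequest:
    """A request to change the account that a vendor's payments go to."""
    vendor: str
    new_account: str
    requested_by: str            # mailbox the request arrived from
    phone_on_file: str           # number from the vendor master record, set before the request
    callback_number_used: Optional[str] = None
    approvers: Set[str] = field(default_factory=set)

    def record_callback(self, number_dialed: str) -> None:
        """Log which number finance actually dialed to confirm the change."""
        self.callback_number_used = number_dialed

    def approve(self, user: str) -> None:
        """Record an approval; a set keeps one person from counting twice."""
        self.approvers.add(user)


def is_safe_to_apply(req: BankChangeRequest) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). ok is True only when every control is satisfied."""
    reasons: List[str] = []
    if req.callback_number_used is None:
        reasons.append("no phone verification performed")
    elif req.callback_number_used != req.phone_on_file:
        # A number taken from the email is under the attacker's control.
        reasons.append("callback used a number not on file")
    if req.requested_by in req.approvers:
        reasons.append("requester cannot approve their own change")
    if len(req.approvers - {req.requested_by}) < 2:
        reasons.append("fewer than two independent approvers")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: the email asks finance to call a "new" number.
    req = BankChangeRequest("Acme Supplies", "ACCT-NEW-0001",
                            "ap@acme-supplies.example", "+1-555-0100")
    req.record_callback("+1-555-0199")   # number quoted in the suspicious email
    req.approve("alice@corp.example")
    print(is_safe_to_apply(req))         # blocked: wrong number, one approver
    req.record_callback("+1-555-0100")   # redo the call using the number on file
    req.approve("bob@corp.example")
    print(is_safe_to_apply(req))         # (True, [])
```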