Media corporation Nikkei has become the latest victim of Business Email Compromise (BEC) fraud, admitting that the firm had lost £22 million (US$ 29 million) to scammers in a single transaction.
The company issued a statement confirming that an employee of its US subsidiary, Nikkei America, was tricked in late September 2019 into making the transfer. “In late September 2019, an employee of Nikkei America transferred approximately 29 million United States dollars of Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei,” the statement said. “We are taking immediate measures to preserve and recover the funds that have been transferred,” the company concluded.
Corin Imai, senior security advisor at DomainTools, told SC Media UK that the situation is far from unique: “This incident is just one indication of the significant impact that the billion-dollar BEC industry can have on a business. Where traditional phishing campaigns will attempt to cast a wide net of potential victims, a BEC scammer will research one individual at a company and create a sophisticated and difficult-to-detect campaign targeted at this person, usually in the finance team in some capacity. These attacks are highly successful and play on the ‘always on’ work culture which chastises individuals for inefficiency.
“My advice to anyone in a high-risk role for a BEC attack is that it is better to make a transfer slightly later than to make a transfer which is fraudulent and costs your company millions, such as happened in the case of Nikkei America. For organisations, the best practices remain the same: focus on security awareness training and stringent email filtering,” summarised Imai.
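The "stringent email filtering" Imai recommends comes down to a handful of checks a gateway can apply to each message. The following is an added example, not code from the article or from DomainTools, of the header and body indicators that flag an executive-impersonation message like the one Nikkei describes: an executive's display name on a message from outside the corporate domain, a lookalike sender domain, a Reply-To that diverts replies elsewhere, the corporate domain in From: without a DMARC pass, and wire-transfer pressure language. The corporate domain, the protected names and both sample messages are constructed assumptions.

```python
# Added example (not from the article or any vendor quoted in it): indicators an
# email filter can apply to catch executive impersonation. CORP_DOMAIN,
# PROTECTED_NAMES and the two sample messages are constructed assumptions.
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example-corp.com"                 # assumed corporate domain
PROTECTED_NAMES = {"jane doe", "taro yamada"}    # assumed executives worth protecting
URGENCY = re.compile(r"\b(urgent|immediately|wire|transfer|confidential)\b", re.I)


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """Close to the corporate domain but not identical to it."""
    return domain != CORP_DOMAIN and 0 < levenshtein(domain, CORP_DOMAIN) <= 2


def bec_indicators(raw_message):
    """Return the names of the indicators that fire on one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(sender)
    hits = []

    # An executive's display name on a message that did not come from our domain.
    if display_name.strip().lower() in PROTECTED_NAMES and sender_domain != CORP_DOMAIN:
        hits.append("exec-display-name-external-sender")
    # Registered lookalike of the corporate domain.
    if is_lookalike(sender_domain):
        hits.append("lookalike-sender-domain")
    # Replies silently routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != sender_domain:
        hits.append("reply-to-domain-mismatch")
    # Our own domain in From: without a DMARC pass recorded by the gateway.
    auth = msg.get("Authentication-Results", "")
    if sender_domain == CORP_DOMAIN and "dmarc=pass" not in auth:
        hits.append("corp-domain-without-dmarc-pass")
    # Pressure language typical of wire-fraud requests (body only, single-part).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if len(URGENCY.findall(body)) >= 2:
        hits.append("urgent-payment-language")
    return hits


# Constructed sample messages, not real traffic.
SPOOFED = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe@freemail.example
To: ap@example-corp.com
Subject: Confidential payment
Authentication-Results: mx.example-corp.com; dmarc=none

Please process this wire transfer immediately and keep it confidential.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Lunch
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass

Lunch on Thursday?
"""

if __name__ == "__main__":
    print(bec_indicators(SPOOFED))   # four indicators fire
    print(bec_indicators(LEGIT))     # []
```

Any single indicator can be a false positive (executives do write from personal accounts), which is why a gateway should score or quarantine on a combination and why the display-name check only makes sense against a maintained list of protected names.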
Joseph Carson, chief security scientist at Thycotic, told SC Media that he believes improved cyber-awareness among employees is indeed the key challenge in solving BEC fraud: “BEC scams are a major issue as cyber-criminals are taking advantage of human trust and abusing that trust to steal information, gain access to sensitive data or conduct financial fraud. Lack of cyber-aware employees is one of the biggest challenges for many organisations. Most cyber-attacks are not sophisticated or done by nation states; the majority of cyber-attacks rely on identity theft and are motivated by financial reward.”
BEC is certainly on the rise, with a recent FireEye report charting a 25 percent uplift in Q2 2019 alone, along with a corresponding increase in sophistication. In another recent example, the City of Ocala in Florida transferred US$ 742,000 (£575,000) to a bank account controlled by fraudsters after payment details were changed.
Peter Draper, technical director EMEA at Gurucul, blames a breakdown in enterprise security processes for the increase: “Here we have yet another example where having robust processes and enterprise-grade monitoring capabilities in play would have identified this risk before the money transfer was completed. Having a process requiring multiple individuals involved to transfer larger sums would mitigate the risk somewhat. Utilising modern machine-learning-driven tools would have highlighted the changes to accounts and the request for payment before the money was lost to a rogue account. Yes, it requires an investment in technology, time and processes, but that’s better than losing millions of dollars for nothing.”
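The two process controls Draper points to, dual approval for large sums and scrutiny of recently changed account details, are simple to enforce at the payment-release step. The following is an added example, not code from the article or from Gurucul, of a release check that refuses a payment unless two approvers independent of the requester have signed off above a threshold, and holds any payment to a beneficiary whose bank details changed within a cooling-off window unless the change was verified out of band. The threshold, the window, the call-back verification flag and the sample requests (the large one is modelled on the Ocala figure quoted above) are constructed assumptions.

```python
# Added example (not the article's or Gurucul's code): a payment-release check
# enforcing dual control above a threshold and a hold on recently changed
# beneficiary details. Threshold, cooling-off period, the call-back flag and
# the sample requests are constructed assumptions.
from dataclasses import dataclass, field
from datetime import date

DUAL_CONTROL_THRESHOLD = 50_000   # assumed policy: two approvers at or above this amount
COOLING_OFF_DAYS = 7              # assumed: changed bank details must age before first use


@dataclass
class Beneficiary:
    name: str
    account: str
    details_changed_on: date
    change_verified_by_callback: bool = False   # assumed out-of-band verification step


@dataclass
class PaymentRequest:
    beneficiary: Beneficiary
    amount: int
    requested_by: str
    approvers: list = field(default_factory=list)


def review_payment(req, today):
    """Return the list of failed controls; an empty list means release is allowed."""
    blocks = []
    if req.amount >= DUAL_CONTROL_THRESHOLD:
        # The person who raised the request cannot count as an approver.
        independent = set(req.approvers) - {req.requested_by}
        if len(independent) < 2:
            blocks.append("dual-control-missing")
    # A changed account that nobody confirmed with the payee by a known channel
    # is exactly what a fraudster relies on, so it is held until it ages or is verified.
    age_days = (today - req.beneficiary.details_changed_on).days
    if age_days < COOLING_OFF_DAYS and not req.beneficiary.change_verified_by_callback:
        blocks.append("beneficiary-details-recently-changed")
    return blocks


# Constructed scenario: the payee's account was changed two days before a
# large payment was pushed through by a single clerk.
TODAY = date(2019, 10, 1)
CHANGED = Beneficiary("Contractor Ltd", "ACCT-NEW-0001", date(2019, 9, 29))
SUSPECT = PaymentRequest(CHANGED, 742_000, "ap.clerk", approvers=["ap.clerk"])

# Same payee and amount, but the change was confirmed by call-back and two
# independent approvers signed off.
VERIFIED = Beneficiary("Contractor Ltd", "ACCT-NEW-0001", date(2019, 9, 29),
                       change_verified_by_callback=True)
CLEAN = PaymentRequest(VERIFIED, 742_000, "ap.clerk", approvers=["ap.manager", "cfo"])

if __name__ == "__main__":
    print(review_payment(SUSPECT, TODAY))   # two failed controls
    print(review_payment(CLEAN, TODAY))     # []
```

The check deliberately subtracts the requester from the approver set rather than just counting approvals, so that a requester who also holds approval rights cannot satisfy dual control on their own; the beneficiary hold is keyed on when the details changed, not on who changed them, because in these cases the change itself is usually entered by a legitimate employee acting on fraudulent instructions.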