In September 2019, $29 million was transferred by a Nikkei employee to what appeared to be a Nikkei management executive. Except it wasn't an executive; it was a scammer.
Nikkei is Japan's largest financial media organization and owns several publications worldwide, including the Financial Times and the Nikkei Asian Review. It also lends its name to the Nikkei 225, the Japanese equivalent of the Dow Jones Industrial Average.
The employee, based in New York City at Nikkei America, was contacted by someone posing as a Nikkei America executive. The impostor directed the employee to transfer $29 million (approximately 3.2 billion Japanese yen) into an account under the attacker's control.
Who falls for an email scam?
Business Email Compromise (BEC) scams are far more prevalent than most people expect. Scammers get a foothold in a company in one of two ways: by sending spoofed emails that appear to come from an executive or a business partner, or by taking over a real email account with keyloggers or phishing.
Scammers target companies that perform wire transfers and deal with international suppliers. They identify corporate or publicly listed email accounts of executives and senior employees in finance roles. The result is millions of dollars a month in losses. You read that right: millions of dollars a month. The US Treasury Department reported that the average monthly loss to BEC attacks rose to $301 million in 2018.
What's even more alarming is that the same report highlights a shift in who gets impersonated. In 2017, 33% of BEC attacks involved a scammer impersonating a CEO or another C-suite executive. In 2018 that share dropped to 12%, while 39% of attacks involved impersonation of a vendor or business associate. A control that only scrutinizes mail claiming to come from the boss therefore misses most of today's attacks.
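The spoofing described above usually leaves traces in the message headers: a display name borrowed from a real executive on an outside address, a sender domain that is a near-miss for the corporate one, or a Reply-To that quietly redirects the conversation elsewhere. The following is an added example (not code from the original article or from Nikkei) of a small detector that runs those checks over raw messages; the executive directory, the corporate domain `example.com` and both sample emails are constructed for illustration.

```python
"""Flag executive-impersonation (BEC) emails from raw message headers and body.

Added example, not from the original article. EXECUTIVES, CORP_DOMAIN and the
sample messages below are hypothetical, constructed for this illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical corporate directory: display names scammers like to borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
CORP_DOMAIN = "example.com"
PAYMENT_WORDS = ("wire", "transfer", "payment", "invoice", "bank details")
URGENCY_WORDS = ("urgent", "asap", "immediately", "confidential", "today")


def _domain(addr: str) -> str:
    """Return the lowercased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insert, delete or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(b) > len(a):
            j += 1          # extra character in b
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits <= 1


def _looks_like(candidate: str, legit: str) -> bool:
    """Cheap lookalike test: homoglyph substitutions or a single-edit typo."""
    if candidate == legit:
        return False
    normalized = candidate.replace("1", "l").replace("0", "o").replace("rn", "m")
    return normalized == legit or _within_one_edit(candidate, legit)


def analyze(raw: str) -> list[str]:
    """Return a list of human-readable flags for one raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    internal = from_dom == CORP_DOMAIN or from_dom.endswith("." + CORP_DOMAIN)

    # 1. Display name matches a known executive, but the address does not.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        flags.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is a lookalike of the corporate domain.
    if not internal and _looks_like(from_dom, CORP_DOMAIN):
        flags.append(f"sender domain {from_dom} is a lookalike of {CORP_DOMAIN}")

    # 3. Reply-To silently redirects replies to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        flags.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_dom}")

    # 4. Payment request combined with pressure for urgency or secrecy.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        flags.append("urgent payment request in subject/body")

    return flags


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.exec@mail-relay.invalid>
To: accounts@example.com
Subject: Urgent wire transfer - confidential

Please process the attached invoice today. I am in meetings, email only.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyze(raw))
```

The spoofed sample trips all four checks; the legitimate one trips none. In practice these heuristics are a triage signal that routes a message to a human or to the out-of-band verification step, not a reason to auto-reject mail, and a compromised real mailbox will pass checks 1 to 3 entirely, which is why check 4 and the process controls still matter.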
The safety of your finances
Nikkei is doing its due diligence: cooperating with investigators, filing a damage report, and doing everything it can to "preserve and recover the funds that have been transferred," as it put it in a press release.
This story should serve as a cautionary tale, because any organization that moves money can be targeted. Require an out-of-band verification step (a call to a phone number already on file, never one taken from the email itself) before an employee can authorize a financial transaction, or change a vendor's bank details, on the strength of an email that appears to come from an executive or business partner. Also enforce segregation of duties so that the person who prepares a payment is never the person who approves it.
Mandatory security awareness training also makes sense, so that employees recognize the most common phishing lures, including requests that press for urgency or secrecy.
When it comes to the security of your finances, adopt a proactive mindset. If something seems off, take the time to double-check it through a channel you already trust. The best defense is a good offense.