Toyota's European subsidiary loses £30 million in BEC scam

News by Rene Millman

Cyber-criminals have swindled a major Toyota supplier out of £30.3 million through its European subsidiary - investigation underway.

The Toyota Boshoku Corporation, which makes car parts for the car maker, said that one of its European subsidiaries lost more than £30 million following a business email compromise (BEC) scam.

In an announcement, the company described "a recent case involving fraudulent payment directions from a malicious third party that has resulted in a financial loss at our European subsidiary."

The incident took place on 14 August this year and the expected loss is around 4 billion yen maximum (as of 9 September) - approximately £30,328,277.

The firm said that, together with its European subsidiary, "we became aware that the directions were fraudulent shortly after the leakage."

"Recognising the high possibility of criminal activity, we promptly established a team comprising legal professionals, then reported the loss to local investigating authorities. While cooperating in all aspects of the investigation, we are devoting our utmost efforts to procedures for securing/recovering the leaked funds," the company said in the announcement.

The rest of the announcement was light on the next steps the company was taking, but it added that it was planning to "disclose any amendments to the released March 2020 earnings forecast if this incident makes such revision necessary".

"To ensure the confidentiality of the investigation, we are unable to provide further details at this time. We ask for your understanding," it added.

Tim Bandos, vice president of Cybersecurity at Digital Guardian, told SC Media UK that because these highly lucrative attacks are succeeding, they will continue to attract more groups willing to attempt their methods. 

"It’s time that businesses consider applying security to their business practices because IT security tools are not infallible against human behaviour," he said.

"As an example, train your staff to require third party validation for any financial transaction or introduce payment procedures requiring multiple sets of independent eyes. Malicious individuals are abusing the fact that junior staff implicitly trust their seniors and act quickly as instructed. You must put in place processes and beliefs that when unordinary requests come through they should be questioned," he added.

Matt Aldridge, senior solutions architect at Webroot, told SC Media UK that attacks can come in many forms, and sometimes will be orchestrated across multiple attack vectors such as email, telephone and social media.

"No one process or technology will be sufficient to provide protection, and the attackers will know where to find the weak points in any defence, so although it is very important to have proper multi-layered cyber defences, tight processes and well trained security personnel to protect the business, the key investment needs to be in the education and empowerment of all the human assets that the business can bring to bear against these increasingly advanced attacks," he said.

Barracuda Networks’ pre-sales engineer, Steven Peake, told SC Media UK that there are a few ways to prevent or mitigate such attacks. 

"Firstly, by taking advantage of artificial intelligence that deploys technology that doesn’t simply rely on looking for malicious links or attachments, as attackers are increasingly bypassing these tactics," he said.

"Secondly, implementing DMARC authentication and reporting into your organisation, as it can help stop domain spoofing and brand hijacking as well as utilising multi-factor authentication in your organisation, passwords alone are no longer enough to keep cyber-attackers out."
