#privacy: Toyota subsidiary loses £30 million to BEC scam


Toyota Boshoku Corporation, a subsidiary of the Toyota Group, has become the latest victim of Business Email Compromise (BEC).

On August 14, the firm was conned into transferring a large payment, resulting in a financial loss of approximately £30,328,277.

In an announcement the company wrote:

“Recognising the high possibility of criminal activity, we promptly established a team comprising legal professionals, then reported the loss to local investigating authorities.

“While cooperating in all aspects of the investigation, we are devoting our utmost efforts to procedures for securing/recovering the leaked funds.”

An investigation is being conducted and few details have been released. However, the company stated that it would need to amend its March 2020 earnings forecast “if this incident makes such revision necessary.”

Victoria Guilliot, Partner at Privacy Culture Ltd, told PrivSec:

“Typically these scams target the CFO or CEO and the attacker often waits until they’re away to take over their email account & put pressure on individuals in finance or with payment authority to transfer large sums of money – often citing a secret deal. They also take over accounts of known company suppliers and clients & monitor conversations with finance teams, jumping in when legitimate payments are discussed with the aim of changing payment instructions to themselves. If successful, they will try sending completely fraudulent invoices to line their criminal pockets.

“Although these attacks can be hard to spot, the best defence is to never rely solely on an email as an instruction to make a payment or change payment or any other details of a supplier or client. Always call an approved or official number (not the one in the email) and seek out someone who can verify the requester. Never feel pressured, as missing this step could come at significant cost.”

A report by the insurance company, AIG, found that BEC has now become the main reason companies file a cyber-insurance claim.

It can be assumed that these attacks will start to become more popular due to their success rate; the rise of BEC is, in part, down to companies failing to employ effective security protection.
