Nikkei hit by BEC scammers, loses $29 million

Japanese media company Nikkei Inc. is the latest organization to be fleeced by BEC scammers, to the tune of $29 million.

What happened?

The company confirmed last week that, in late September, an employee of its US subsidiary,”had transferred approximately 29 million United States dollars (approximately 3.2 billion Japanese Yen) of Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei.”

Nikkei America quickly recognized that it had been subject to a fraud and “immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong.”

While they did not say so, Hong Kong authorities have likely been involved because the stolen money was sent to an account with a local bank.

“Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations. We are investigating and verifying the details of the facts and causes of this incident.”

Why are BEC scams proliferating?

Until more details are shared, we won’t know for sure how the scammers managed to get the money.

But judging by the wording of the company’s statement, it’s likely that the employee fell for an email either made to look like it was coming from the executive’s account or actually sent by the scammers from the executive’s compromised email account.

Losses due to BEC scams are skyrocketing, and it’s no wonder that scammers love this approach: the effort may be minimal while the pay-off is likely to be huge.

How big? Millions and tens of millions. For example, in 2016, Belgian bank Crelan lost €70 ($78) million to BEC scammers.

The Dutch branch of the French film production and distribution company Pathé lost over €19 ($21.2) million in 2018, in what seems like an attack similar to the one that targeted Nikkei America.

In March 2017, a Lithuanian man was charged with orchestrating a scheme to scam Google and Facebook out of $100 million, by impersonating a Taiwanese computer hardware manufacturer Quanta.

What makes BEC scams possible?

BEC scammers are taking advantage of data breaches, poorly secured email accounts, the fact that many employees aren’t trained to recognize spoofed emails, and vulnerable internal processes.

Data breaches and leaks provide scammers with credentials the can test against legitimate email accounts, which are often not additionally secured with multi-factor authentication. The vulnerability of human nature and the lack of training makes tricking employees possible.

Finally, many companies don’t check and double-check the legitimacy of bank account change requests, whether sent internally or by third parties (e.g., suppliers).