BEC Scam Costs Media Giant Nikkei $29 Million

nikkei bec scam

In September, a Nikkei America employee transferred $29 million to BEC scammers who were purporting to be a Nikkei executive.

Media conglomerate Nikkei Inc. has fallen victim to a business email compromise (BEC) scam that fleeced the company out of $29 million.

Nikkei is Japan’s largest financial media organization and lends its name to Japan’s premier stock index, which is the equivalent of the Dow Jones Industrial Average in the U.S. It owns several publications worldwide, including the Financial Times and the Nikkei Asian Review.

The scam stems from a September incident involving an employee of Nikkei America, the U.S. subsidiary of Nikkei. The employee transferred $29 million to a fraudulent bank account, on instructions from BEC scammers purporting to be a Nikkei management executive.

Shortly after the incident, Nikkei America discovered the fraudulent transfer. The company then hired lawyers “to confirm the underlying facts” and filed a damage report with the investigation authorities in the U.S. and Hong Kong.

“Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations,” according to a press release on the matter last week. “We are investigating and verifying the details of the facts and causes of this incident.”

Threatpost has reached out to Nikkei America for further details.

Information is currently scant due to maintaining “the confidentiality of the investigation by relevant authorities,” but experts told Threatpost that the incident appears to have tell-tale signs that it is a form of BEC called vendor email compromise (VEC), where a third party is compromised and their account is then used for the attack.

“This type of attack (VEC) has been on the rise among BEC actors and is extremely difficult to detect,” Ronnie Tokazowski, senior threat researcher with Agari, told Threatpost. “In many cases that we’ve observed, actors will compromise the inboxes of third-party accounts for vendors via credential phishing, and once they have the credentials, will attempt to log into the account.”

Tokazowski said that if the attackers are successful in first compromising the vendor, they then typically go down one of two paths.

The first attack path involves setting up an email-forwarding rule on the vendor’s email so that the attacker can watch the emails as they come through, looking for opportunities to send an updated invoice with new banking information linked to an account under control by the malign actor. In the second type of VEC attack, attackers send the “updated invoice” from the compromised account rather than their own, making it appear 100 percent legitimate to the recipient.

“With the actors being able to see the email chain, communications, having known subject lines and informal communication with the intended victim, it’s becoming extremely difficult for end users to detect these attacks on their own,” Tokazowski told Threatpost. “Traditionally, we have told users to look for email accounts that they aren’t used to seeing, but how do you communicate that with a user who works with the vendor day in, day out, helping fulfill invoices?”

Nikkei is only the latest BEC attack. Also this week, the City of Ocala in Florida was swindled out of $742,000. And in August, a church in Brunswick, Ohio was scammed out of $1.75 million.

In fact, BEC scams are squeezing more money than ever out of victims, with losses from the attacks almost doubling year-over-year in 2018 to reach $1.2 billion, according to the FBI’s annual Internet Crime Report (IC3) released in April.

That’s because BEC groups continue to become more sophisticated, with recently uncovered groups like Silent Starling, Scattered Canary,  London Blue and Scarlet Widow switching up their tactics to siphon millions from businesses.

“One of the first protections third-party vendors need to do is enable [two-factor authentication] on accounts, as if passwords do get leaked or brute-forced in credential-stuffing attacks, they still need another piece of information to gain access to the email account,” Tokazowski told Threatpost. “Secondly, make sure email-forward rules are not set up accounts and if they are, verify with the user to make sure they were intended. Third, make sure the X-Originating-IP address and other headers match the infrastructure that’s known for sending the emails.”

What are the top mistakes leading to data breaches at modern enterprises? Find out: Join expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.

Suggested articles