CEO Fraud Costs Major Airline Millions Of Dollars

Stu Sjouwerman | Dec 23, 2017

This week the international carrier Japan Airlines (JAL) admitted it had fallen victim to CEO Fraud that cost it 384 million yen (about $3.39 million).

The incidents took place in September but came to light this week when the airline revealed it was working with law enforcement in a bid to find the perpetrators and track down the money.

The FBI calls it Business Email Compromise (BEC) and this particular strain was a case of “invoice redirect”. Turns out at least one JAL employee was tricked into making several payments to bogus bank accounts. One account purported to belong to a U.S. financial services company which had been leasing a plane to the airline, but it had in fact been set up by fraudsters, the Japan Times reported.

In most cases, the cyber criminals first compromise the corporate email system or a specific mailbox and monitor it for months so that they can learn the standard business procedures. Next, they create a bogus company, including bank accounts, that looks almost identical to an existing vendor.

Impersonating the legit vendor, the scammers contact the victim by email, even going so far as to imitate the writing style of the person that usually sends such emails. The email thread will include invoice and bank details, and if the two companies have a history of doing business, there might even be a false explanation as to why the bank information has changed.

Employees in Accounting sometimes fail to spot the red flag presented by the change in bank details as they’re already expecting to make the payment to the company, so in their eyes nothing seems out of the ordinary.
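One way Accounting could automate the red-flag check described above, shown as an added example that is not part of the original article. The vendor master record, field names and similarity threshold are assumptions, and all sample data is constructed:

```python
from difflib import SequenceMatcher

# Constructed vendor master record: the details already on file for a known vendor.
VENDOR_MASTER = {
    "V-1001": {"name": "Example Leasing Corp", "domain": "example-leasing.test",
               "account": "0001112223", "bank_country": "US"},
}

# Constructed payment requests: a routine one and an "invoice redirect" attempt.
LEGIT = {"vendor_id": "V-1001", "sender": "ap@example-leasing.test",
         "account": "0001112223", "bank_country": "US"}
REDIRECT = {"vendor_id": "V-1001", "sender": "ap@examp1e-leasing.test",
            "account": "9998887776", "bank_country": "HK"}


def is_lookalike(domain: str, known: str, threshold: float = 0.85) -> bool:
    """True when the domain is not the known one but is nearly identical to it."""
    if domain == known:
        return False
    return SequenceMatcher(None, domain, known).ratio() >= threshold


def review_payment_request(req: dict, master: dict = VENDOR_MASTER) -> list:
    """Return the reasons a request must be held for call-back verification."""
    vendor = master.get(req["vendor_id"])
    if vendor is None:
        return ["unknown vendor"]
    reasons = []
    sender_domain = req["sender"].rsplit("@", 1)[-1].lower()
    if is_lookalike(sender_domain, vendor["domain"]):
        reasons.append("sender domain imitates vendor domain")
    elif sender_domain != vendor["domain"]:
        reasons.append("sender domain not on file")
    # Checked independently of the sender: a compromised genuine mailbox
    # passes the domain test, so changed bank details must hold on their own.
    if req["account"].replace(" ", "") != vendor["account"]:
        reasons.append("bank account differs from vendor master")
    if req["bank_country"] != vendor["bank_country"]:
        reasons.append("bank country differs from vendor master")
    return reasons


if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("redirect", REDIRECT)):
        print(name, review_payment_request(req) or "ok to pay")
```

Any non-empty result should route the payment to a call-back using the phone number already on file, not one supplied in the email thread.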

In JAL’s case, an employee first transferred around 360 million yen ($3.17 million) to the criminal’s Hong Kong account for the lease of a plane when they believed they were paying into the account of the financial services company.

This was soon followed by another payment of around 24 million yen ($212,000) into a different Hong Kong account that JAL thought belonged to an American logistics firm it had had dealings with.

In the case of the first transaction, JAL only realized it had been scammed a month later when the company got in touch to inquire about its payment. It's almost impossible to get the money back after such a long time. You have at most 24 hours to see if the bank can claw back the money transfer. Also, often these types of fraud are not covered by cyber insurance. 



CEO Fraud Prevention Manual Download

CEO fraud has ruined the careers of many executives and loyal employees. Don’t be the next victim. This brand-new manual provides a thorough overview of how executives are compromised, how to prevent such an attack and what to do if you become a victim.

Click Here To Download The Manual

PS: Don't like to click on redirected buttons? Copy and paste this link in your browser:

https://info.knowbe4.com/ceo-fraud-prevention-manual
