As individuals, we all know we have to keep our wits about us when we’re online. If you’re really unlucky, a couple of ill-considered clicks or downloads could quickly ensnare you in a scam that ends up costing you hundreds of dollars, possibly more.
But if you’re working for a company and your job is to make big payments to other businesses, the stakes are much higher. And yes, even global players can get caught out.
Take Japan Airlines (JAL). This week the international carrier admitted it had fallen victim to an email scam that cost it a not-insignificant 384 million yen (about $3.39 million).
Known as “invoice redirect” or “business email compromise,” it seems that at least one JAL employee was tricked into making several payments to bogus bank accounts. One account purported to belong to a U.S. financial services company which had been leasing a plane to the airline, but it had in fact been set up by fraudsters, the Japan Times reported.
In such cases, cybercriminals first hack the service-providing company’s email system to gain information about its business procedures before using the gathered data to approach its customers for due payments. Posing as the company, the scammers contact the customer by email, even going so far as to imitate the writing style of the person that usually sends such emails. The correspondence will include invoice and bank details, and if the two companies have a history of doing business, there might even be a bogus explanation as to why the bank information has changed.
Recipients sometimes fail to spot the red flag presented by the change in bank details as they’re already expecting to make the payment to the company, so in their eyes nothing seems out of the ordinary.
In JAL’s case, an employee first transferred around 360 million yen ($3.17 million) to the criminal’s Hong Kong account for the lease of a plane when they believed they were paying into the account of the financial services company. This was soon followed by another payment of around 24 million yen ($212,000) into a different Hong Kong account that JAL thought belonged to an American logistics firm it had had dealings with. In the case of the first transaction, JAL only realized it had been scammed a month later when the company got in touch to inquire about its payment.
The incidents took place in September but came to light this week when the airline revealed it was working with law enforcement in a bid to find the perpetrators and track down the money.
In a similar incident reported on Thursday, December 21, scammers tricked officials at Dublin Zoo in Ireland into paying 500,000 euros ($590,000) into a fake account. Fortunately for the company, 370,000 euros ($440,000) of the total amount has been frozen and will be returned to the zoo, though the remainder may be lost.
The sting, which has become more prevalent in the last couple of years, targets companies big and small around the world. Experts suggest that an employee making a payment to an outside company first call it to confirm the validity of the emailed invoice and also the bank details contained within it, and to call again once the funds have been sent to ensure they’ve been received.
Cases like this surged in the U.S. last year, with fraudsters attempting to steal a total of more than $5.3 billion, the FBI said.
