TOKYO -- Japan Airlines has lost 384 million yen ($3.39 million) to a sophisticated con involving email purporting to be from an actual business partner.
The carrier revealed its misfortune Wednesday. But the most expensive known email swindle against a Japanese company actually went down months earlier.
JAL got word Oct. 7 from an overseas financial institution it leased aircraft from that payment should be deposited into the usual account. This set off warning bells, as the bill had supposedly been paid already.
An employee confirmed that JAL had received email with a bill specifying a new account with a Hong Kong bank for the leasing fees to be paid into. The airline had transferred 360 million yen to the account.
A closer look revealed the critical one-character difference between the sender's email address and the financial institution's. By the time the scam was uncovered, the money had all been withdrawn from the receiving account.
The details of the money transfer had been checked by multiple people, none of whom picked up on the fraud. The scammers had sent a bill closely resembling the genuine article right before the payment's due date. JAL rushed the payment, knowing that it could not use the leased planes if it failed to pay on time.
It has been revealed that the airline was also swindled out of 24 million yen in a similar ploy in August and September involving email exchanges with cybercriminals pretending to be a U.S. cargo business.
Such business email fraud has proliferated rapidly around the globe in recent years. The 40,000-plus reported incidents worldwide from October 2013 to December 2016 caused $5.3 billion or so in actual and attempted losses, according to the U.S. Internet Crime Complaint Center.
Europe has suffered particularly big thefts. Austrian aerospace parts maker FACC lost nearly 42 million euros ($49.8 million at present rates) to fraud that came to light in January 2016. Germany's Leoni, which supplies electrical cables for automobiles, said in August that year that it had lost around 40 million euros to a similar scheme.
Japanese information security companies have long warned of such attacks, but losses in the millions or tens of millions of yen have appeared frequently. A Trend Micro poll of 1,361 digital security personnel at Japanese businesses found that 13% received fraudulent business emails in 2016.
Working an angle
Budget carrier Skymark Airlines received email supposedly from a client this October, requesting payment of 2 million yen. Officials found it suspicious, and the fraud was foiled. But the sender's address precisely matched that of a company partner. The email account had very likely been compromised.
Scammers are "searching for openings at clients or other related parties to mount attacks," said President Nobuo Miwa of Japanese information security company S&J. Even when an enterprise's own security is strong, customer data or product designs entrusted to partners can end up compromised, or its own systems infiltrated, if parties in its orbit are lax.
In an incident that came to light this April, customer information was stolen from sites including a ticket sales website for the Japan Professional Basketball League after hackers targeted a software developer subcontracted to by Pia, the company the sports league had entrusted with selling tickets.