In a classic example of how phishing continues to pose a real threat to businesses, Nikkei recently announced that an employee at its US subsidiary was duped by a cyber criminal into transferring as much as $29 million to the latter's account.
The money transfer took place in September last year after a cyber criminal, posing as management executive of Nikkei, convinced an employee of Nikkei America, Inc. to transfer the said amount to their bank account.
Even though Nikkei soon learned that a fraudulent transaction had taken place, the company is yet to recover all of the funds that were lost to the phishing scam and is presently working with law enforcement authorities in the United States and Japan to ascertain the facts and causes of the incident.
"In late September 2019, an employee of Nikkei America, Inc. (New York City, United States) ("Nikkei America"), a subsidiary of Nikkei Inc. ("Nikkei"), had transferred approximately 29 million United States dollars (approximately 3.2 billion Japanese Yen) of Nikkei America funds based on fraudulent instructions by a malicious third party who purported to be a management executive of Nikkei.
"Shortly after, Nikkei America recognized that it was likely that it had been subject to a fraud, and Nikkei America immediately retained lawyers to confirm the underlying facts while filing a damage report with the investigation authorities in the U.S. and Hong Kong.
"Currently, we are taking immediate measures to preserve and recover the funds that have been transferred, and taking measures to fully cooperate with the investigations. We are investigating and verifying the details of the facts and causes of this incident," the company said in a press release.
Cyber criminals targeting employees as major multinational corporations
The mega theft of millions of dollars from Nikkei America reminds us of a similar elaborate phishing scam from 2017 that involved cyber criminals duping Google and Facebook employees into transferring up to $100 million to their offshore bank accounts.
Evaldas Rimasauskas, a Lithuanian national and mastermind behind the phishing attack, was recently arrested by the Justice department. It is alleged that for two years between 2013 and 2015, Rimasauskas impersonated a vendor company named Quanta Computer and demanded payments for goods and services from Google and Facebook employees. He interacted with them via phishing e-mails.
Once he received the said payments, he transferred the money into accounts with a number of banks located in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. The successful phishing attack demonstrated that even large corporations like Google and Facebook are vulnerable to targeted phishing campaigns.
In 2017, employees at India's only government-owned airlines company Air India fell for a phishing scam orchestrated by Nigerian hackers who posed as employees of Pratt & Whitney and duped the latter into transferring $300,000 (£230,905) to a bank account located in Nigeria.
In September 2017, a scammer also conned MacEwan University in Canada out of 11.8 million CAD after he convinced employees to change payment details for a vendor using email communications. After the phishing attack was discovered, the university said that "controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed."