Toyota Car Seat Supplier Pays $37 Million to BEC Scammers

Last updated September 25, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Toyota Boshoku announced last week that they had fallen victims to a BEC (Business Email Compromise) attack, losing 4 billion yen due to it. This is the equivalent of about $37 million, so it’s a pretty large amount of money for the entity. As the announcement details, the scammers targeted the European subsidiary of the firm and provided fraudulent payment directions that Toyota’s employees accepted and processed. The firm has actually noticed the potential risk of the transaction soon after it went through and tried to recover the leaked funds, but this request has not been approved yet.

The incident occurred on August 14, 2019, and the attack was based on social engineering targeting a single employee. As much as this employee may feel sorry about what happened, he/she should have taken steps to confirm the validity of the payment request beforehand. As we have discussed in the past, BEC scams are usually conducted through an internal email address that has been previously compromised by the actors. This can make it especially hard to distinguish between legitimate requests and scammer messages. However, there are protection measures that can be incorporated, and Toyota Boshoku seems to be lacking in this area.

For example, automatic scam detection and alerting systems that can identify fraudulent messages and warn the recipient should be a no-brainer for companies of this size. Two-factor authentication for accessing email accounts internally should also be a good step to prevent take-overs that result in the losses of millions. And finally, training employees on how to identify the signs of a scam and how to use protective tools are key in the whole situation. As long as companies continue to underestimate these basic anti-BEC measures, actors will continue to ramp up their efforts to grab large amounts of cash from them.

Toyota hasn’t had a good cybersecurity year so far. Back in February, the Australian arm of the car manufacturer announced a ransomware attack against their systems but told the public that they successfully managed the incident without compromising any client data. In April however, a story surfaced about multiple Toyota data breaches in Japan, Vietnam, and Thailand, with the number of customers who were affected reaching a staggering 3.1 million. The data that was exposed was sensitive, including names, addresses, emails, etc. The hackers behind these attacks were state-supported cyber-espionage groups like APT32.

Do you trust large enterprise networks with your sensitive personal data, or do you try to avoid it as much as possible? Let us know where you stand in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: