A growing email scam has cost a major airline millions of dollars

As individuals, we all know we have to keep our wits about us when we’re online. If you’re really unlucky, a couple of ill-considered clicks or downloads could quickly ensnare you in a scam that ends up costing you hundreds of dollars, possibly more.

But if you’re working for a company and your job is to make big payments to clients, the stakes are much higher. And yes, even global players can get caught out.

Take Japan Airlines (JAL). This week the international carrier admitted it’d fallen victim to an email scam that cost it a not-insignificant 384 million yen (about $3.39 million).

Known as “invoice redirect” or “business email compromise,” it seems that at least one JAL employee was tricked into making several payments to bogus bank accounts. One account purported to belong to a U.S. financial services company which had been leasing a plane to the airline, but it had in fact been set up by fraudsters, the Japan Times reported.

In such cases, cybercriminals first hack the client’s email system to gain information about its business procedures before using the gathered data to approach the company’s customers for due payments. Posing as the company, the scammers contact the customer by email, with the correspondence including invoice and bank details. If the two companies have a history of doing business, there might even be a bogus explanation as to why the bank information has changed.

Employees sometimes fail to spot the red flag presented by the change in bank details as they’re already expecting to make the payment to the company, so in their eyes nothing seems out of the ordinary.

In JAL’s case, an employee first transferred around 360 million yen ($3.17 million) to the criminal’s Hong Kong account for the lease of a plane when they believed they were paying into the account of the financial services company. This was soon followed by another payment of around 24 million yen ($212,000) into a different Hong Kong account that JAL thought belonged to an American logistics firm it’d had dealings with. In the case of the first transaction, JAL only realized it’d been scammed a month later when the company got in touch to inquire about its payment.

The incidents took place in September but came to light this week when the airline revealed it was working with law enforcement in a bid to find the perpetrators and track down the money.

In a similar incident reported on Thursday, scammers tricked officials at Dublin Zoo in Ireland into paying 500,000 euros ($590,000) into a fake account. Fortunately for the company, 370,000 euros ($440,000) has been frozen and will be returned to the zoo, though the remainder may be lost.

The sting, which has become more prevalent in the last couple of years, targets companies big and small around the world. Experts suggest that an employee making a payment to an outside company first call it to confirm the validity of the emailed invoice and also the bank details contained within it, and to call again once the funds have been sent to ensure they’ve been received.

Cases like this surged in the U.S. last year, with fraudsters attempting to steal a total of more than $5.3 billion, the FBI said.

Editors’ Recommendations

• Netflix members, beware: Don’t get tricked by the latest email scam
• Here are all the places that support Apple Pay
• Everything you need to know about Android Pay
• Do you miss Windows Movie Maker? Don’t get caught up in this scam
• Faraday Future: What you need to know about the ambitious electric car company