Modalis Inc., a Tokyo-based company specialising in biotech innovation, has revealed a significant financial loss from a business email compromise (BEC) incident. The company disclosed that $90,000 (approximately ¥14 million) was illicitly transferred following a meticulously orchestrated email scam targeting its subsidiary.
The fraud, which unfolded in late 2023, involved a cybercriminal masquerading as Modalis’s longstanding U.S.-based contractor, identified as Company A. Using compromised email credentials, the attacker gained access to prior correspondence and sent a seemingly legitimate payment request for services delivered in August 2023.
Trusting the email’s authenticity, Modalis wired the funds to the fraudster’s bank account.
The deception came to light only after Company A’s accounting department issued a second invoice for the same work. This prompted Modalis to investigate and discover the fraudulent transaction.
Modalis acted swiftly by reporting the incident to local authorities and working with the banks involved to freeze the fraudulent account. Fortunately, a significant portion of the funds remained unwithdrawn at the time of detection, enabling partial recovery.
Negotiations with Company A led to an agreement to share the unrecovered loss. Additionally, Modalis received partial compensation from its cyber insurance policy.
Despite these efforts, the company incurred a net loss of $90,000. The company described the scam as highly sophisticated, pointing to the attacker’s deep understanding of contractual timelines, payment patterns, and interpersonal dynamics between Modalis and Company A.
These details suggest the attacker observed email exchanges for an extended period before executing the fraud.
Modalis confirmed that no customer data was compromised during the incident. Also, internal investigations revealed no signs of personal or sensitive information being exposed.
In response, Modalis has pledged to strengthen its cybersecurity framework. New measures include mandatory two-factor authentication for email accounts, enhanced verification protocols for payment requests, including cross-platform confirmations, and a thorough review and update of the internal financial process.