How one e-mail could cost your company millions of dollars

What seemed to be an ordinary business transaction cost a Toyota subsidiary $37 million last year. But that “business transaction” turned out to be a scam. Unfortunately, companies all over the world have been victimized by cybersecurity scams that have cost them thousands—sometimes even millions—of dollars. And there are lingering questions about a company's right to recuperate some of the money it has lost because of an employee's negligent actions or its own weak internal controls.

Is your company prepared for a cybersecurity scam? What can you do to protect yourself? What are your rights as an employer? Companies of all sizes need to be alert and train their employees how to spot scammers.

How many clicks will cost you $37 million?

Apparently not too many for a subsidiary of a large corporation. Last year, Toyota lost $37 million in a fairly simple e-mail scam. Hackers sent an e-mail to Toyota's finance and accounting departments in which they posed as a business partner of the Toyota subsidiary and requested that funds be wired to a specific bank account. Normally, $37 million would be an extraordinary amount for an employee to casually wire to a bank account, but for Toyota it was a normal business practice.

Unfortunately, it wasn't the first time Toyota was targeted by an e-mail scam. The company suffered two other hacks in 2019—one in Australia and one in Japan—leading it to believe it's being specifically targeted. Toyota is working with law enforcement to recover its losses. But does it have any recourse against the employees who were fooled by the scammers?