Have you heard of business email compromise? This is the most advanced phishing scheme that plays with people’s trust.
Yes, you heard that right BEC scammer’s main agenda is to scam businesses by hacking a company email. They send out fake invoices that look real, to trick companies into transferring money to the wrong bank accounts.
However, things can be prevented better rather than cured little, you for sure can protect yourself from falling victim to such attacks.
In this blog, I will share some real-life examples of business email compromise and some prevention tips for you. Tag along and find out.
What is Business Email Compromise?
Business Email Compromise (BEC) is a type of scam where cybercriminals impersonate a trusted company or employee via email to trick businesses into sending money or sharing sensitive information. They often use fake invoices, altered payment details, or fraudulent requests to deceive companies and steal money or data.
Real-World Examples of Business Email Compromise
Many businesses worldwide have fallen prey to the business email compromise attacks, take a look at some of them, so you can get a clear idea of how these scams look.
1. Facebook and Google: $121 Million BEC Scam
In a staggering scam that targeted both Facebook and Google, hackers could trick employees into wiring $121 million. The scammers impersonated a trusted hardware supplier through emails, making the invoices look legitimate. Both the companies processed the payments, unaware that they were being deceived.
This case is a good lesson that even the most tech-savvy giants are not immune to cyber risks. A good internal verification process could’ve saved them from this costly mistake though.
2. Ubiquiti: $46.7 Million Vendor Fraud
In 2015, Ubiquiti Networks, a global leader in wireless technology, lost $46.7 million to a clever vendor fraud scam. Cybercriminals impersonated company executives, making it seem like they were issuing wire transfer instructions for legitimate business purposes. The funds were transferred to the overseas accounts, and the fraud wasn’t discovered until it was too late to be found.
This case shows how vulnerable firms are, particularly when it comes to handling payments to vendors, they believe they trust.
3. Toyota Boshoku Corporation: $37 Million BEC Attack
In 2019, Toyota Boshoku Corporation, a key supplier for Toyota, was targeted in a complex Business Email Compromise (BEC) scam. Cybercriminals impersonated a senior executive and tricked employees into transferring $37 million to fraudulent accounts. By the time the scam was discovered, the money had already been moved. This incident is a good reminder to always check requests or better still never deal with them without prior confirmation especially when such request involves large amounts of money.
4. Sefri-Cime: €38 Million Real Estate Fraud
French real estate company Sefri-Cime was scammed out of €38 million after cybercriminals impersonated a key staff member in 2019. They managed to persuade employees to send huge amounts of money for a supposed property deal. The fraud was only uncovered after the funds were transferred to fraudulent accounts, showing how high-stakes transactions in industries like real estate are ripe for these kinds of scams.
5. Eagle Mountain City, Utah: $1.13 Million Vendor Impersonation Scam
In 2018, Eagle Mountain City in Utah fell victim to a BEC scam involving a vendor impersonation. The scammers used email to impersonate a contractor, tricking the city’s officials into wiring over $1 million. The fraud was only caught when the city noticed irregularities in the payment process. This case highlights how even local governments can become targets for fraudsters when they least expect it.
6. Mattel: $3 Million CEO Fraud
Mattel, the iconic toy-making company, lost $3 million in a 2015 scam where cybercriminals impersonated the company’s CEO. The fraudsters convinced employees to wire money to fraudulent accounts under the guise of an urgent business deal. Employees, trusting emails from the top executives, didn’t question the request and ended up sending money to fraudulent accounts.
This attack shows just how effective CEO fraud can be. With proper training and a more careful approach to verifying such requests, companies can avoid this situation.
7. Interpol: €3 Million BEC Scam
Have you ever thought that the most reputable police force could also fall prey to a BEC attack, it’s hard to believe but yes, even Interpol wasn’t immune to a BEC scam in 2017, when the hackers impersonated an official from the organization, requesting urgent payments for operations. The scammers successfully tricked employees into transferring €3 million before the fraud was discovered.
This is a good example that even the most reputable police forces around the globe should not let their guard down when it comes to email scams.
8. Cabarrus County, NC: $2.5 Million Fraud
In 2017, Cabarrus County in North Carolina lost $2.5 million due to a BEC scam. The fraudsters impersonated a contractor, and with the help of fraudulent invoices, convinced the county to wire the funds to overseas accounts. The fraud was only discovered after an internal audit.
This incident highlights the challenge faced by public organizations handling huge amounts of public funds.
9. Save the Children: $100,000 BEC Scam
The fraudsters didn’t even spare the charity. In 2018, Save the Children, a leading global charity was defrauded $100,000 by fraudsters disguising as a trusted partner. They managed to convince the charity’s finance team to wire funds for an urgent, yet entirely fake, project.
The transfer had already been made by the time the fraud was discovered. This attack shows that even charities with the best intentions are not immune to these deceptive tactics.
10. Burlington: $503,000 BEC Scam
On Thursday, May 23, 2019, the City of Burlington realized it had fallen victim to a fraudulent scheme. A sophisticated phishing email was sent to city employees, requesting a change in banking details for an existing vendor. As a result, an electronic funds transfer of about $503,000 was made to a fraudulent bank account on May 16.
11. Nikkei: $29 Million Email Fraud
In 2017, Nikkei, Japan’s largest media corporation, was targeted in a $29 million email fraud scheme. Hackers posed themselves as a company executive, and with clever social engineering, tricked employees into transferring large sums of money. The fraud was only detected after the money was channeled out of the company and the organization was left to clear the mess.
This case is a clear reminder that even well-established media giants like Nikkei aren’t immune to cyber threats. Ignoring these risks just isn’t an option for any company today.
12. The Scoular Company: $17.2 Million Fraud
In 2017, The Scoular Company, a key player in the agricultural trade, fell victim to a $17.2 million BEC scam. Cybercriminals posed themselves as a senior executive and used email to convince employees to wire huge sums to fraudulent accounts. By the time the fraud was uncovered, the financial hit was already done. This incident is a strong reminder of how easily businesses can be targeted when they depend on email for handling financial transactions.
13. Upsher-Smith Laboratories: $50 Million BEC Scam
Back in 2017, Upsher-Smith Laboratories, a big name in pharmaceuticals, fell victim to a $50 million BEC scam. Scammers posed as the CEO, tricking employees into wiring massive sums of money, by the time the company discovered they got scammed, it was too late, and the money was sent overseas.
This entire situation shows why it’s so important for companies, especially in high-stakes areas like pharma, to have strong protections against CEO scams.
14. FACC: €50 Million CFO Fraud
FACC, an Austrian aerospace company, lost €50 million to a CFO fraud in 2016. The scammers acted like the company’s CFO and tricked employees into sending money to fake accounts. The fraud was only uncovered after the money was moved offshore, highlighting the danger of impersonating top executives to carry out large-scale fraud.
15. Crelan Bank: €70 Million CEO Fraud
In 2016, Belgian bank Crelan was scammed out of €70 million by fraudsters who tricked others into believing they were the bank’s CEO. The criminals successfully convinced employees to wire large sums of money to accounts that were under their control. The fraud was only discovered after the money transfer was done. This case serves as a reminder to financial institutions to be extra cautious when handling high-value transactions.
How to Prevent BEC Attacks
BEC attacks are really concerning because they are constantly rising, in 2023, these attacks represented a staggering 10.6% of all social engineering attacks, and that’s highlighting a consistent upward trend.
All of the scams discussed above are real-life incidents that happened to companies, and these are only some of the incidents listed out of millions of scams ever happened.
You can prevent these business email compromise attacks by following some simple practices.
1. Raise Awareness of Examples of BEC Attacks
Make your employees well aware of real-life examples of BEC attacks. Take time to explain the five types of BEC attacks and how they unfold. Use real-life phishing examples to ensure that the employees will easily identify with these scams when they come across them. To keep them sharp, update the training regularly with new tactics used by fraudsters.
Encourage a culture of vigilance, where employees feel comfortable flagging anything that seems off, this small step can go a long way in protecting your business.
2. Issue Regular Security Awareness Training
Conduct regular security awareness training and phishing simulations to help employees stay alert to BEC and social engineering threats. Reinforce this by designating internal cybersecurity advocates dedicated to protecting your organization. Encourage these “heroes” to share their knowledge with their team members and help sustain a culture of cybersecurity throughout the company.
When employees are given the responsibility to address security issues, you would have a proactive security mechanism.
3. Monitor Employee Awareness
Encourage security leaders and cybersecurity heroes to actively monitor employees’ awareness levels on BEC and phishing threats. Using microlearning modules is a great way to teach, train, and reshape your employee habits around cybersecurity best practices. When such habits are developed over time, they form a strong shield against new threats making security an integral part of working culture.
4. Send Ongoing Communications About Threats
Regular training and reminders can go a long way in keeping everyone aware of cybersecurity threats, including BEC scams and social engineering tricks. Start with strong password policies, but also keep up the reminders about suspicious emails, links, and attachments. Running some mock phishing tests now and then can make spotting these scams easier. Keeping security a regular, everyday focus helps everyone stay a step ahead.
5. Set Network Access Rules
Create network access guidelines to limit the use of personal devices and prevent information sharing outside the network’s perimeter. Make sure these rules are clear, simple, and easy for everyone to follow, so employees understand what’s allowed and what’s not. This way, you can significantly decrease the chances of suffering a data breach and exposure of your company to different types of risks.
6. Update All Infrastructure
Make sure all your software, from applications to operating systems, is updated and secure. Installing good malware and anti-spam protection is a must to keep things safe. Also, regularly checking for security patches can prevent potential vulnerabilities from being exploited. It’s easy to overlook, but staying on top of updates can save you from bigger headaches down the road.
Conclusion
Business Email Compromise (BEC) is a pressing issue that hits companies of all sizes. As the examples discussed show, even the biggest players can fall victim to these scams. So, make your employees well aware of these risks and provide some training sessions with visual simulations because cybersecurity awareness and regular training aren’t just for IT, they’re for everyone in the organization.
Build a strong security culture, keep everyone informed, and make sure your employees stay proactive, by doing this, you can ensure minimized risks of these attacks. Preventing BEC is not only about not losing money, it is about creating a safe environment for your business in the future.
If you are interested in knowing more about business email compromise then we have covered that as well
Check OutFrequently Asked Questions
Business email compromise specifically involves email impersonation with a financial objective. Unlike phishing, which may target credentials, BEC aims directly at causing financial loss or data theft through trusted emails.
Common types include CEO fraud, vendor/supplier impersonation, data theft, gift card scams, and requests for urgent payments or wire transfers.
Red flags of a BEC scam include unexpected or urgent payment requests, unusual language, altered email domains, and instructions to bypass standard procedures or make payments to new accounts. By sensing these red flags your employees can identify potential scams.
Immediately report the incident to law enforcement, notify banks about the transaction, and alert employees about the situation. Immediate reporting can help trace the money and potentially recover funds.
Industries with frequent high-value transactions, like finance, real estate, manufacturing, and government sectors, are frequently targeted.
Strong password policies reduce the risk of account takeovers, making it harder for attackers to gain access and misuse company email accounts for fraudulent purposes.
