24 Real Examples of Business Email Compromise (BEC)
Security

24 Real Examples of Business Email Compromise (BEC)

The FBI has named Business Email Compromise (BEC) a $26 billion scam, and the threat is only increasing. Business email compromise (BEC) is a type of cybercrime in which a threat actor uses an email information-seeking scam to target a business to defraud the entire organization.

Using social engineering techniques, BEC often occurs over fraudulent emails. The attacker falsifies a company email message to trick an employee into performing financial transactions, like transferring money to a fraudulent bank account or a fake company the attacker controls.

24 Real Examples of BEC

This article shares 24 examples of BEC attacks (and common tactics) to help your organization avoid future attacks. If it happened to them, it could happen to you.

Here are some notable incidents, highlighting the wide range of targets and the significant financial losses:

1. Gift card scams 

A recent Better Business Bureau study found reports of gift card scams have increased by 50% this year. Like other BEC scams, gift card scams can also start with a phishing attack in a convincing email, or a text message to an employee’s personal phone.

A corporate email posing as a high-ranking executive is sent to an employee asking if they can assist with purchasing some gift cards. The scammer then asks for the card numbers on the back, completing the scam.

2. Ubiquiti: $46.7m vendor fraud 

Ubiquiti is a networking company that lost a staggering $46.7 million due to a BEC scam involving impersonated legitimate vendors.

The incident involved an employee’s email impersonation, lax email security, and fraudulent requests from an outside entity targeting the company’s finance department to approve money transfers to other overseas accounts held by third parties.

3. Facebook and Google: $121m BEC scam

Can you believe that tech giants like Facebook and Google fell prey to a phishing attack that cost them over $121 million? Evaldas Rimasauskas allegedly impersonated an outside vendor by emailing staffers, requesting payment with convincing-looking invoices.

After the companies sent urgent wire transfers, he transferred the funds to various bank accounts worldwide.

4. Scouler Co.: $17.2m acquisition scam

Scouler Co., a food science company, fell victim to a $17.2 million BEC scam during an acquisition process. A controller, acting on fake emails was asked to get the wire instructions and banking details from an actual employee of the company’s accounting firm, KPMG.

Given the valid business reasons for acquiring a company in China contained in the corporate email, the controller sent the money. He is no longer with the company.

5. St. Ambrose Catholic Parish: $1.75 million

Religious organizations like St. Ambrose Catholic Parish aren’t immune to BEC scams, with losses reaching $1.75 million. Hackers tricked St. Ambrose into believing that the construction firm it worked with to repair and restore the church changed its bank account.

The hackers deceived St. Ambrose into wiring the money to a fraudulent bank account and then moved the money out rapidly.

6. Toyota 2019: $37 million BEC attack

A BEC attack targeted Toyota, resulting in a $37 million loss, showcasing the international reach of this scam.

A third-party hacker posing as a business partner of the Toyota subsidiary sent emails to members of the finance and accounting department, requesting that funds be sent for payment into a specific bank account controlled by the hacker. This type of attack is also known as a Vendor Email Compromise (VEC).

7. Obinwanne Okeke: $11 million in losses

Obinwanne Okeke orchestrated a BEC scheme causing $11 million in losses in a multi-year global business email and computer hacking attack. Okeke and his team obtained details through phishing emails and captured login credentials. They sent fraudulent wire transfer requests and attached fake invoices, transferring the money overseas.

8. Noel Chimezuru Agoha, Sessieu Ange Oulai and Kelechi Arthur Ntibunka: $1.1 million

Recent BEC scams include a group led by Noel Chimezuru Agoha that facilitated a $1.1 million scheme against several victims. The defendants allegedly tried to induce money from their victims by posing as representatives of companies with whom the victims had ongoing business.

9. Homeless Charity, Treasure Island: $625,000 BEC loss

Even smaller charities are vulnerable. Treasure Island, a homeless charity, lost $625,000 to a BEC scam. Hackers impersonated Executive Director Sherry Williams in an email, manipulated the information on a legitimate invoice, and changed the wire transfer instructions to serve their own purposes.

10. Government of Puerto Rico: $2.6 million transfer

The government of Puerto Rico lost $2.6 million in a BEC scam when a fraudulent transfer was initiated. Employees from Puerto Rico Industrial Development Company (PRIDCO) transferred the money after receiving an email that told recipients of a change in the remittance payments’ banking account.

11. Guillermo Perez: $2.2 million

Several individuals fell victim to a BEC scam and lost $2.2 million to Guillermo Perez. He is accused of impersonating individuals and businesses over email in ordinary financial transactions. Posing as someone else, Perez tricked victims into transferring funds into bank accounts controlled by him and his co-conspirators.

12. Save the Children: $1 million

Would BEC scammers stoop so low and target a national charity? Yes. Save the Children lost $1 million because con artists compromised an employee’s email account to masquerade as a staff member.

The scammers used fake invoices with an email request and the charity transferred the money.

13. Atlanta BEC scammer: Sentenced after making $250,000+

Anthony Dwayne King carried out BEC attacks against Minnesota and Oregon home buyers, a Delaware law firm, and a New Jersey company. He opened bank accounts using fictitious identities and sham companies to launder funds stolen from victims.

14. Snapchat payroll information breach

Snapchat’s CEO Evan Spiegel was impersonated in a BEC phishing scam, resulting in a data breach of its payroll information. A hacker posing as Spiegel duped employees, then exposed that information to the outside world. Many employees had their identity compromised.

15. Fraudster steals more than 1,000 unpublished manuscripts

This incident is unique as it targeted authors, resulting in the theft of over 1,000 unpublished manuscripts. This BEC attack impersonated publishers, literary agents, and editors by creating fake web addresses for publishing companies.

16. Real estate firm loses €38 million to international gang of fraudsters

A real estate firm was defrauded out of €38 million by an international gang of fraudsters, who employed social engineering tactics commonly used in BEC attacks. The suspects impersonated lawyers and gained the victim’s trust by requesting a confidential and urgent wire transfer.

17. Eagle Mountain City, Utah, sends $1.13 million to vendor impersonator

Eagle Mountain City in Utah became a victim of vendor impersonation fraud. Fraudsters likely sent emails with proper email headers posing as a legitimate vendor, tricking the city into sending a payment of $1.13 million to a fraudulent account.

18. Fraudsters steal $2.8 million from Grand Rapids Public Schools in Michigan

 Grand Rapids Public Schools in Michigan lost $2.8 million in a BEC scam. Bad actors impersonated someone with authority and tricked the school district into wiring the money. The scammers accessed a school worker’s email to divert the district’s insurance payments to another account.

19. CFO impersonator defrauds Children’s Healthcare of Atlanta of $3.6 million

Children’s Healthcare of Atlanta, a hospital, was targeted by a BEC attack. The scammer impersonated the CFO and convinced the hospital to send $3.6 million to a fraudulent account by convincing the organization’s accounts payable department to switch bank account information it had on file.

20. SilverTerrier gang targets at least 50,000 companies in 150 countries

The SilverTerrier cyber-criminal group launched a BEC attack targeting over 50,000 businesses across 150 countries. They impersonated various senders to trick victims into sending money.

One person was monitoring online conversations between 16 companies and their clients and diverting funds fraudulently.

21. Opportunist siphons $793,000 in new construction funds for N.C. church   

An opportunistic criminal exploited a North Carolina church’s new construction project. By posing as the contractor, the scammer spoofed an original email, changing only one letter in the email address itself. With that, they diverted $793,000 of the funds.

22. VCU transfers $470,000 to “trusted” fake employee of a construction firm

Virginia Commonwealth University (VCU) fell victim to a BEC scam where a fake employee email tricked them into transferring $470,000 to a fraudulent account. The perpetrator was later caught and charged with conspiracy to commit wire fraud.

23. Fraudster posing as senior executive steals $1.2 million from Minnesota city

A Minnesota city suffered a $1.2 million loss. A fraudster impersonated a senior executive via email and convinced the city’s accounting department to update payment information for a contractor. This resulted in the money being sent to a fraudulent account.

24. Cyber criminals drain $11.1 million from Medicare and Medicaid programs

Cybercriminals targeted government healthcare programs (Medicare and Medicaid) through a BEC scheme. They impersonated trusted individuals with spoofed emails and diverted a staggering $11.1 million into unauthorized bank accounts.

How To Prevent BEC

You can take several measures to significantly reduce your risk of BEC scams. Here are some key methods to fortify your organization’s defenses:

Use Secure Email Clients

Many free email services lack robust security features. Consider migrating to a business-grade email client with built-in spam filtering, malware detection, and encryption capabilities. These features help prevent malicious emails from reaching employee inboxes in the first place.

Use Email Monitoring Software

Another layer of protection comes from email monitoring software. These tools analyze incoming and outgoing emails, searching for red flags like suspicious attachments, unusual sender addresses, and keywords commonly used in BEC scams. Early detection allows for intervention before a financial loss occurs.

Implement Data Loss Prevention Tools

DLP tools go beyond email monitoring. They can be configured to identify and block sensitive data, such as social security numbers or financial information, from being sent outside the organization. This helps prevent accidental leaks and deliberate attempts by compromised accounts.

teramind free trial

Setup Regular Email Password Resets

Enforce a policy of mandatory password resets at regular intervals, such as every 30 to 60 days. Encourage employees to create strong, unique passwords for their email accounts and avoid using them for other online services.

Teach Employees How To Identify Scams

Perhaps the most crucial defense is a well-trained workforce. Educate employees about BEC scams, teaching them to identify suspicious emails. Train them to be cautious of unsolicited requests, verify sender addresses carefully, and never click on unknown links or download attachments from unknown sources.

Implement Two-Factor Authentication (2FA)

Implementing 2FA adds an extra layer of security to email logins. Also called Multi-Factor Authentication, users must enter a unique code, typically sent via text message or generated by an authentication app, in addition to their password. This reduces the risk of unauthorized access even if a scammer acquires a user’s password.

Conclusion

Adopting a multi-layered approach that combines secure technology with employee awareness can significantly reduce your risk of falling victim to a BEC scam. Vigilance and a healthy dose of skepticism are essential in today’s ever-evolving cyber threat landscape. You don’t want to end up on a list like this in the future, so prepare now.

FAQs

What are examples of business email compromise?

Some examples of business email compromise (BEC) include impersonating company executives to request wire transfers, falsifying invoice payment details, and tricking employees into revealing sensitive information. These scams can result in significant financial losses for businesses.

What is an example of a compromised email?

An example of a compromised email is when a cybercriminal gains unauthorized access to an individual or business email account. This can lead to the exploitation of sensitive information, such as financial data or login credentials, which can be used for fraudulent purposes.

What is an example of bec?

An example of BEC (business email compromise) is when a scammer impersonates a company executive and sends requests for wire transfers to employees. These fraudulent emails can result in significant financial losses for businesses.

What are the red flags for BEC?

Red flags for BEC include requests for wire transfers from company executives, discrepancies in invoice payment details, and emails that ask employees to reveal sensitive information. These signs should raise suspicion. You should first prompt individuals to verify the authenticity of the email before taking any action.

What’s the first thing you should do if you suspect bec but aren’t sure?

If you suspect a business email compromise (BEC) but aren’t sure how to proceed, you should first contact your IT department or security team to report the suspicious email. They can help investigate the situation and provide guidance on how to guide how to proceed to protect your organization from potential fraud.

What is an indicator of a BEC email?

An indicator of a BEC email is when it requests wire transfers from company executives or asks employees to reveal sensitive information. These red flags often indicate a potential business email compromise scam and should be reported to your IT department or security team for further investigation.

What are 4 indications of a suspicious email?

Four indications of a suspicious email include requests for wire transfers, discrepancies in payment details, emails asking for sensitive information, and emails that seem to be from company executives but have unusual or incorrect email addresses. If you come across these signs, it is important to report them to your IT department or security team for further investigation to prevent any potential business email compromise (BEC) scams.