Nowadays, BEC attacks are considered the most dangerous cyber threat for organizations and the most lucrative attack vector for cybercriminals. The average loss due to a BEC attack reached a whopping $80,000 in 2020. Many organizations worldwide are worried about the rising threat of BEC attacks. These attacks not only cause financial losses but also incur reputational damage to the targeted individuals or organizations.
According to the FBI's Internet Crime Complaint Center (IC3), the total amount of losses incurred due to BEC attacks is $1.8 billion!
In this blog, we will explore some infamous and devastating examples of BEC attacks that rocked the world. But first, let’s start with the basics.
What is a BEC Attack?
Business email compromise or BEC is a kind of attack that is based on the concepts of spoofing, impersonation, and spear-phishing. Cybercriminals conduct extensive research on the targeted individual and create forged emails. These fake emails are meant to trick the targeted individual into making financial transactions or making fake payments, usually from the company’s account.
Examples of BEC Attacks
There have been notable BEC attacks across the world in the past few years. Some of the most popular and devastating attacks are listed below.
Tech Giants Google and Facebook
From 2013 to 2015, Evaldas Rimasauskas carried out a series of BEC scams that earned him a 5-year sentence in federal prison. He set up a fake company impersonating the Taiwanese hardware supplier Quanta Computer.
The fake company presented genuine-looking invoices to Google and Facebook, which the two companies duly paid into Rimasauskas-controlled bank accounts. Apart from fake invoices, the threat actor prepared counterfeit lawyer contracts and letters to make sure that banks accepted the fraudulent transfers. Both tech giants lost $121 million to this scam!
Puerto Rico Government
In early 2020, the government of Puerto Rico was still recovering from a 6.4 magnitude earthquake when it found that it had fallen victim to a BEC scam. The victim was the director of Puerto Rico’s Industrial Development Company, Ruben Rivera, who mistakenly transferred $2.6 million to a fake bank account.
This transfer was made after receiving an email requesting a change in the banking account associated with remittance payments. This email came from a compromised account of an employee of the Puerto Rico Employment Retirement System. Notably, three employees were suspended, and public pension funds were frozen by the FBI. The director of the company confirmed that none of the pension accounts were affected by the scam.
Vendor Fraud on IT Company, Ubiquiti
In August of 2015, Ubiquiti Networks Inc., the San Jose-based manufacturer of high-performance networking technologies, fell victim to a devastating BEC attack that led to a loss of $46.7 million. As soon as the company became aware of the breach, it contacted its financial institutions and law enforcement agencies. Fortunately, Ubiquiti managed to recover some of the lost funds with the cooperation of law enforcement agencies. This kind of scam is also known as ‘Vendor Email Compromise (VEC)’.
The threat actors impersonated an employee of a third-party company and sent fake emails to the finance department of Ubiquiti asking it to make fraudulent transactions. An employee at one of the company’s subsidiaries based in Hong Kong was tricked by the hackers into transferring a huge sum into bank accounts controlled by the threat actors. Previously, VEC attacks were launched by domain or email spoofing, but now sophisticated account takeover methods are used.
Obinwanne Okeke Sentenced to 10 Years in Prison
Obinwanne Okeke is a celebrated entrepreneur who was sentenced to 10 years in prison after being convicted of involvement in a BEC scam. This scam took place in February 2021, resulting in a financial loss of $11 million for victims. Okeke was convicted not only of BEC fraud but also of creating fraudulent web pages to manipulate victims. The fraudulent transfers went directly to overseas shell companies.
Scouler Co. Under BEC Attack
In June 2014, Keith McMurty, an employee of Scouler Co. in Nebraska, received an email that appeared to come from his boss. In reality, threat actors had impersonated the CEO of the company, Chuck Elsea. The email instructed Keith to acquire a Chinese company.
In the same series of fake emails, he was further told to contact a lawyer from KPMG, who would assist in the acquisition. McMurty followed all the instructions attributed to the CEO and transferred $17.2 million to a Shanghai bank account. Throughout this communication, every email that appeared to come from the CEO was fake.
Toyota Boshoku Corporation
In 2019, a European subsidiary of the Toyota Group, Toyota Boshoku Corporation, became the victim of a BEC attack that incurred a loss of $37 million. The auto parts supplier was tricked into making a large fund transfer into the hackers’ bank account. The threat actors posed as one of the subsidiary’s business partners and sent carefully crafted emails to members of the accounting and finance departments.
These emails requested that the funds be sent into a specific bank account, which was controlled by the hackers. Soon after the transfer was made, the company’s security experts realized that they had been duped. However, by then, it was too late to stop the transfer.
French Film Production Pathé
In March 2018, a European cinema chain known as Pathé suffered a financial loss of $21.5 million due to a BEC scam. The most surprising element is that this scam continued over the course of a month without being detected. The attack began on March 8, 2018, when the director of Pathé, Dertje Meijer, received a spoofed email that appeared to come from the CEO of Pathé.
The cybercriminals stated in the email that Pathé was in the middle of acquisition discussions with a Dubai-based company. Impersonating the CEO, they asked Dertje Meijer to send a confidential payment of $931,600. After consulting with senior staff, Meijer made the payment. Later in the same month, he made three more payments, amounting to a total of $21.5 million.
Wire and Cable Manufacturing Leoni AG
In 2016, a leading wire and cable manufacturer, Leoni AG, was scammed out of $44 million in another one of the top BEC attacks of all time. Cybercriminals impersonated the company’s senior German executive to send emails to an employee working in the finance department of the company’s factory in Bistrita, Romania. The email was carefully crafted using inside information to look perfectly genuine and requested a transfer of $44 million from the company’s bank account. It tricked the employee into making the payment, and the stolen money was moved to a different bank account in the Czech Republic.
Types of Business Email Compromise
BEC attacks can be carried out through various methods. Based on these methods, the following are the different types of BEC attacks:
False Invoice Scam
Threat actors often use this method to collect payments through fake transactions. The scammers impersonate an associated vendor or supplier and create a fake invoice in the name of the target business. They then trick an employee in the finance department by citing the fake invoice and demanding payment.
CEO Fraud
In this type of BEC attack, threat actors impersonate C-suite executives and send fake emails to employees or other stakeholders. In these fraudulent emails, they ask for either confidential data or financial transactions.
Account Compromise
In this type of attack, cybercriminals gain illegal access to the email account of an employee. Then they send fake emails to stakeholders asking for payments or data. They often use means like credential theft or phishing to get access to the email account.
Attorney Impersonation
In this type of attack, threat actors impersonate the attorney of an organization. Then, they send fake emails to the organization or its stakeholders asking for permission to make fake transactions against some legal procedures or activities.
Data Theft
In this type of BEC attack, more often than not, the HR department is targeted. Threat actors intend to get all the employee information from the department so that they can launch spear-phishing or spoofing attacks.
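The executive impersonation and spoofing patterns described above leave traces in message headers that a mail gateway or analyst can check. The following is an added example, not part of the original post: the company domain, the executive name, the flag labels, and the three sample messages are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # assumption: the organization's own mail domain
EXECUTIVES = {"jane doe"}        # assumption: display names worth protecting

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw_message):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    # The receiving server records its DMARC verdict in Authentication-Results.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-fail")
    # An executive's name on an address outside the company domain.
    if display_name in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("executive-name-external-sender")
    # A sender domain that is nearly, but not exactly, the company domain.
    similarity = SequenceMatcher(None, from_dom, COMPANY_DOMAIN).ratio()
    if from_dom != COMPANY_DOMAIN and similarity >= 0.85:
        flags.append("lookalike-domain")
    # Replies would go to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    return flags

def build(from_hdr, auth, reply_to=None):
    """Assemble a constructed sample message (not real mail)."""
    headers = ["From: " + from_hdr, "Authentication-Results: mx.example.com; " + auth]
    if reply_to:
        headers.append("Reply-To: " + reply_to)
    return "\n".join(headers) + "\nSubject: Urgent wire transfer\n\nPlease pay today.\n"

LEGIT = build('"Jane Doe" <jane.doe@example.com>', "dmarc=pass")
SPOOFED = build('"Jane Doe" <jane.doe@example.com>', "dmarc=fail", "jane@mailbox.test")
LOOKALIKE = build('"Jane Doe" <jane.doe@examp1e.com>', "dmarc=pass")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, triage(raw))
```

The third sample passes DMARC because the near-identical domain authenticates as itself, which is why the display-name and similarity checks sit alongside the DMARC verdict.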
With companies being robbed by BEC scammers left and right, it has become essential to take the necessary precautions needed to keep your company safe. As the above-mentioned cases clearly prove, most of the BEC attacks depend on spoofing a company’s email domain to trick employees into believing that the phishing emails are sent by their superiors.
In order to protect your organization against the threat of BEC attacks, the best thing you can do is to secure your company’s domain against spoofing and impersonation. You can secure your email domain with an effective anti-spoofing and DMARC deployment tool like TDMARC to prevent threat actors from sending fraudulent emails on your behalf.
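Securing a domain against spoofing comes down to what its published DMARC record actually tells receivers to do. The following is an added example, not code from the original post or from any vendor tool: it audits a DMARC TXT record for settings that leave the domain spoofable, using constructed sample records and finding labels chosen for this example.

```python
def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=none; ...' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return finding labels for one TXT record; an empty list means enforced."""
    # A DMARC record must begin with the version tag.
    if not txt or not txt.strip().startswith("v=DMARC1"):
        return ["no-record"]
    tags = parse_dmarc(txt)
    findings = []
    policy = tags.get("p", "").lower()
    # p=none only monitors: receivers still deliver mail that fails DMARC.
    if policy not in ("quarantine", "reject"):
        findings.append("policy-not-enforced")
    # sp defaults to p; an explicit sp=none leaves subdomains unprotected.
    if policy in ("quarantine", "reject") and tags.get("sp", policy).lower() == "none":
        findings.append("subdomains-not-enforced")
    # pct defaults to 100; a lower value applies the policy to a sample only.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append("partial-enforcement")
    # Without rua the domain owner receives no aggregate reports.
    if "rua" not in tags:
        findings.append("no-aggregate-reports")
    return findings

# Constructed sample records (not real DNS data).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-deployed": "v=DMARC1; p=quarantine; sp=none; pct=25",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "missing": "",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record))
```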