10 real and famous cases of BEC (Business Email Compromise)

Updated at: Jun 01, 2020
By Gatefy

Hacker to illustrate a BEC scam.

BEC (Business Email Compromise) scams have been a major concern for businesses and governments. In this type of attack, cybercriminals aim to trick and persuade employees to take a specific action, such as making a wire transfer, providing funds to pay for an allegedly new project or providing confidential information.

To make this type of attack, hackers compromise corporate email accounts or create new accounts almost identical to the legitimate ones. Then attackers impersonate the owners of the email accounts and send messages to the victims. Criminals often impersonate high-level directors or executives, such as CEO and CFO.

Thus, when the bond of trust is established through the exchange of emails, the scammer asks the target to share confidential information, transfer money to a fraudulent bank account, or click on a malicious file that contains ransomware or other malware.

BEC attacks are also known as CEO fraud and Man-in-the-Email scam. To fight BEC, Gatefy offers an email gateway solution and a DMARC based anti-fraud solution. You can request a demo or see more information here:

According to the FBI, losses due to BEC attacks totaled almost USD 1.8 billion in 2019. BEC represents almost half of all the financial damage caused by cyber attacks that year. The total loss is estimated at USD 3.5 billion.

Next, we'll talk about the following examples of BEC attacks:

  • Government of Puerto Rico.
  • Maire Tecnimont SpA.
  • City of Saskatoon.
  • Toyota.
  • St. Ambrose Catholic Paris.
  • Save the Children.
  • Pathé.
  • FACC.
  • Ubiquiti Networks.
  • Xoom Corporation.

Check out 10 real cases of BEC attacks

1. Government of Puerto Rico, 2019 e 2020

The government of Puerto Rico fell victim to BEC attacks that attempted to steal more than USD 4 million, in 2019 and 2020. Hackers compromised email accounts and sent messages to government officials in different sectors requesting changes to payment accounts

2. Maire Tecnimont SpA, 2019

The Indian headquarters of Maire Tecnimont, an Italian energy and engineering company, received a malicious email from an account that appeared to be from the organization's CEO, in 2019. The email requested a wire transfer for an acquisition in China. The loss of the BEC scam is estimated at USD 18 million.

3. City of Saskatoon, 2019

Pretending to be the Chief Financial Officer (CFO) of an engineering company hired to renovate a bridge, a fraudster persuaded employees of the City of Saskatoon, in Canada, to change the bank information provided for the service's payment. The fraud happened via BEC emails in 2019. The loss was more than USD 1 million.

4. Toyota, 2019

Japan's Toyota Boshoku Corporation, a supplier of auto parts, was victim of a USD 37 million BEC scam, in 2019. Hackers tricked and persuaded an executive in the company's financial department to make a wire transfer.

5. St. Ambrose Catholic Parish, 2019

Crooks sent BEC emails to the St. Ambrose Catholic Parish in the U.S. in 2019. They impersonated service providers and claimed they had not been paid for months. The result was that they managed to get church officials to transfer USD 1.7 million to a fraudulent account.

6. Save the Children, 2018

Save the Children, a nonprofit organization, was hit by BEC attacks in 2018. Cybercriminals compromised an organization's employee account and sent out fraudulent invoices and documents that would be linked to a project in Asia. The loss is estimated at about USD 1 million.

7. Pathé, 2018

French cinema company Pathé was victim of a BEC attack that cost EUR 19 million in 2018. The hacker impersonated the company's CEO in France and appears to have used an email address similar to the domain pathe.com.

8. FACC, 2016

Austrian parts maker FACC suffered a loss of EUR 42 million due to a BEC scam in 2016. Crooks, imitating the CEO, sent emails to a company employee requesting money for a new project.

9. Ubiquiti Networks, 2015

Ubiquiti Networks, a U.S. network technology company, fell victim to a BEC attack and suffered losses of USD 46 million in 2015. Fraudsters impersonated company employees and requested money from the finance department.

10. Xoom Corporation, 2014

U.S. money transfer company Xoom Corporation suffered from a series of fake emails that imitated employees and requested fraudulent money transfers. The result of the BEC attacks was USD 30 million in losses in 2014.

How to fight Business Email Compromise

Due to its sophistication, BEC isn't easily identified by spam filters and basic email security solutions. In this case, to block BEC scams, our 3 most important protection tips are:

Training

Train your team to recognize and handle different types of attacks, including BEC, phishing, and spam campaigns.

Multi-factor authentication

Adopt multi-factor authentication for important processes, such as recovering email accounts and wire transfer payments.

Solutions

Use email security solutions, such as a Secure Email Gateway and a tool to simplify DMARC adoption.

If you are interested in learning more about how to protect your company from BEC attacks, contact us.