Inside business email compromise attack: Real-world examples

Types of BEC attacks

BEC attacks deceive victim employees into transferring money or sharing sensitive company data. These highly targeted attacks often involve extensive research by cybercriminals and the observation of organizational email correspondence to mimic legitimate users and successfully execute their exploits.

Common BEC attack scenarios include:

• CEO/executive fraud. Attackers impersonate a company executive and instruct the targeted staff to make urgent wire or other related financial transfers.
• Invoice alteration. Cybercriminals pose as a trusted vendor or business partner, requesting that payments be redirected to attacker-controlled accounts.
• Legal impersonation. Attackers pretend to be a member of the legal team handling confidential information and request the transfer of specific data.
• Payroll/HR impersonation. Malicious actors impersonate executives or employees to request changes to payroll or W-2 information, moving funds to attacker-controlled accounts.
• Account takeover. Attackers fully compromise legitimate user accounts through phishing or by gaining successful access with stolen credentials.
• Deepfakes. Cybercriminals use AI-generated or voice-cloned messages to create convincing requests from leadership.

Real-world examples of BEC attacks

Because they prey on human psychology, concepts of authority and workplace culture, BEC scams are highly effective. The following are just a few examples of how criminals have manipulated employees in recent years.

Meta and Google

Between 2013 and 2015, cybercriminal Evaldas Rimasauskas and his accomplices used a legitimate Taiwan-based hardware supplier, Quanta Computer, to conduct a BEC attack on Meta and Google. The group created a fake business with the same name in Latvia and sent fraudulent invoices with forged contracts, letters, documents and other corporate seals to the accounts payable departments of Meta and Google, tricking employees. Google suffered a $23 million loss in 2013, and Meta took a $98 million hit in 2015. Both organizations recovered most or all of the funds stolen in the attack. Rimasauskas was sentenced to five years in prison and ordered to forfeit $50 million and pay $26 million in restitution.

Ubiquiti Networks

In 2015, threat actors impersonated employees at IT company Ubiquiti Networks and sent fraudulent payment requests to the finance department of a Hong Kong subsidiary. The BEC attack, which involved $46.7 million transferred in 14 wire transactions across 17 days to various attacker-controlled overseas accounts, initially went undetected. As of March 2021, Ubiquiti had recovered $18.6 million.

Fischer Advanced Composite Components AG

In 2016, attackers impersonated Walter Stephan, then-CEO of Austrian aerospace parts manufacturer Fischer Advanced Composite Components AG. A spoofed email sent to a finance department employee, purportedly from Stephan, requested a €50 million transfer for a company acquisition. Once the attack was discovered, the company was able to stop a portion of the payment, but the €42 million already transferred to the attacker-controlled accounts remains unrecovered.

Save the Children

Internationally recognized humanitarian and nonprofit organization Save the Children faced a BEC attack in 2017. Cybercriminals successfully compromised an employee's email account and used it to send fraudulent invoices and documents linked to a legitimate project in Asia. Save the Children lost approximately $1 million but recovered 90% of those funds through the foundation's insurance policy.

Toyota Boshoku Corporation

A major parts supplier and Toyota subsidiary was targeted by a BEC attack in 2019 when threat actors posed as a trusted business partner and requested account updates from the finance and accounting departments. Attackers advised victim employees that this request needed to be handled urgently or parts production would be disrupted. The employees were tricked into wiring $37 million to an attacker-controlled foreign account. The recovery status of the funds is still unknown.

Government of Puerto Rico

In 2019, the Puerto Rican government was targeted by a BEC attack. Attackers compromised the email account of a finance employee at the Puerto Rico Employment Retirement System and used it to send fake emails requesting changes to bank account information for remittance payments to various government agencies. Employees at Puerto Rico Industrial Development Company and the Puerto Rico Tourism Company updated the payment information without verification. The attackers stole approximately $6.8 million from the Puerto Rico Industrial Development Company and $1.5 million from the Puerto Rico Tourism Company. Authorities were able to freeze $2.9 million in payments as soon as the attack was discovered.

City of Lexington, Kentucky

In 2022, city employees in Lexington, Kentucky, received an email from someone claiming to be from the Community Action Council, a local nonprofit housing organization, requesting an update to its bank account information. Employees did not follow proper verification procedures through alternative channels and processed the change, resulting in approximately $4 million in federal rent assistance and transitional housing money being sent across three wire transfers to fraudulent accounts. At least some funds were frozen quickly by financial institutions as soon as the fraud was detected.

The collective losses from incidents like these total hundreds of millions of dollars, with many organizations unable to recover their stolen funds. What makes BEC attacks particularly dangerous is their reliance on exploiting human trust and organizational hierarchies rather than sophisticated technical hacking. As cybercriminals continue to refine their social engineering tactics and use emerging technologies such as AI-generated deepfakes, organizations must prioritize comprehensive employee training, implement verification procedures for financial transactions and foster a security-conscious culture where employees feel empowered to question suspicious requests regardless of the apparent source.

Amanda Scheldt is a security content writer and former security research practitioner.