BEC (Business Email Compromise) attacks pose a significant threat to both companies and governments. This particular form of phishing has been ravaging organizations for years now, causing damages worth billions of dollars.
Let’s take a look at ten famous cases that happened in recent years.
What is BEC?
BEC is a cyberattack in which a hacker illicitly obtains access to a business email account and impersonates the rightful owner in order to trick the company and its employees, customers or partners, into transferring money to the scammer’s account.
In this particular form of phishing, scammers typically target employees with access to company finances and pose as high-level directors or executives, such as CEO and CFO.
BEC scams are also known as man-in-the-email attacks and, according to the FBI, they caused losses worth $1.8 billion in 2019. This accounts for nearly half of all the financial damage caused by cyberattacks that year. However, the total loss is estimated at a jaw-dropping $3.5 billion.
10 Famous BEC Cases
1. Government of Puerto Rico (2019-2020)
BEC scammers targeted the government of Puerto Rico and tried to steal over $4 million in 2019 and 2020. They compromised corporate email accounts, reached government officials in various sectors, and requested changes to payment accounts.
2. Maire Tecnimont SpA (2019)
Maire Tecnimont is an Italian energy and engineering company. Its headquarters in India received a phishing email from an address strikingly similar to the CEO’s. The message solicited a wire transfer for an acquisition in China. The incident resulted in total losses of circa $18 million.
3. City of Saskatoon (2019)
A scammer impersonated the Chief Financial Offer (CFO) of an engineering firm hired to renovate a bridge and convinced employees of the City of Saskatoon, Canada, to modify the bank information provided for the service’s payment. As a result, the damages rose up to more than $1 million.
4. Toyota (2019)
The Japan-based corporation fell victim to a $37 million BEC scam in which the attackers tricked an executive in the financial department into making a wire transfer.
5. St. Ambrose Catholic Parish (2019)
Brimstone and hellfire don’t scare scammers. Threat actors sent BEC emails to the St. Ambrose Catholic Parish impersonating service providers and claiming they hadn’t received any payments in the last months. They persuaded church officials to transfer $1.7 million to a fraudulent bank account.
6. Save the Children (2018)
Even organizations with the noblest goals aren’t safe from phishing. Hackers targeted Save the Children, a nonprofit organization, compromised an employee’s account and sent out bogus invoices and files supposedly linked to a project in Asia. The financial damages are estimated at approximately $1 million.
7. Pathé (2018)
Pathé, a French cinema company, was targeted by BEC scammers. They pretended to be the company’s CEO in France and by using an almost identical email address. The attack cost the company €19 million.
8. FACC (2016)
FACC is an Austria-based parts manufacturer that fell victim to a massive BEC scam. The cybercrooks impersonated the CEO, sent emails to an employee, and asked for money for a new project. As a result, the organization suffered massive financial damages – €42 million.
9. Ubiquiti Networks (2015)
Scammers targeted the U.S. network technology company Ubiquiti Networks and, by claiming to be company employees, they requested funds from the financial department. The losses were estimated at $46 million.
10. Xoom Corporation (2014)
Phishers hit the U.S. money transfer company Xoom Corporation with a series of malicious emails that imitated employees and requested illicit money transfers. The organization suffered losses of $30 million.
Fight BEC With ATTACK Simulator’s Security Awareness Training
All the cases presented above offer us a valuable lesson to learn – employees need security awareness training, for every single one failed to recognize they were being phished.
Over one billion phishing emails are sent out each day, and many of them bypass security filters. Thus, you need to be able to rely on your employees to stay vigilant and spot phishing scams.
You can successfully defend your business partly by training your employees on cybersecurity matters and especially phishing attacks, and partly by adopting more rigorous security measures, such as implementing multi-factor authentication and user behavior analytics.
Researching the latest phishing trends and strategies and adequately training your employees can be a hassle, so leave it to professionals.
One phish, two phish, automated fake phish
Here are a few perks of choosing us:
- Automated attack simulation – we simulate all kinds of cyberattacks.
- Real-life scenarios – we evaluate users’ vulnerability to give company or pesonal data away using realistic web-pages.
- User behaviour analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
- Malicious file replicas – our emails contain malware file repilcas, to make the simulation as realistic as it can be.
- Interactive lessons – if employees fail to recognize our traps and fall into one, they will discover lessons on the best security practices.
- Brand impersonation – we impersonate popular brands to make the phishing simulations all the more realistic.
ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.