In the current times, BEC attacks serve as the most dangerous cyber threat for organizations and the most lucrative attack vector for cyber criminals. The average losses due to a BEC attack reached a whopping $80,000 in 2020! Companies worldwide are worried about the rising threat of BEC attacks. When a single silly mistake can cost you millions of dollars, wouldn’t you worry as well?
Well, the threat is real. And the only way to stay ahead of it is knowing how it has endangered other organizations worldwide. So, here is a list of the top 7 real-life examples of BEC attacks you can check out.
#1 Puerto Rico Government
In January 2020, Puerto Rico’s government lost more than a staggering amount of $2.6 million to a BEC attack . This email-based phishing scam targeted the US island territory’s Industrial Development Company, a government-owned corporation that aims to drive the island’s economic development. The agency transferred the money to a fraudulent account on 17th January 2020 after receiving an email requesting a change in the banking account associated with remittance payments. The police and the FBI were contacted by the agency as soon as the fraud was discovered.
#2 Homelessness Charity Treasure Island
Treasure Island is another example of the devastating impact of BEC attacks. In June 2021, the renowned San Francisco-based homelessness charity known as Treasure Island suffered a terrible, month-long BEC attack that led to the loss of $625,000. The threat actors infiltrated the email system of the organization’s bookkeeper and manipulated a legitimate invoice used by one of the charity’s partner organizations. As a result, the employees at Treasure Island sent a huge amount of money intended for the partner organization to the hackers’ bank account. Unfortunately, the charity did not have cyber crime insurance and had to deal with the devastating loss alone.
#3 Toyota Boshoku Corporation
A European subsidiary of the Toyota Group, Toyota Boshoku Corporation, suffered a massive BEC attack that cost the company $37.3 million in August 2019 . On 14th August 2019, the auto parts supplier was tricked into making a large fund transfer into the hackers’ bank account. The threat actors posed as one of the subsidiary’s business partners and sent carefully crafted emails to members of the accounting and finance departments. These emails requested that the funds be sent into a specific bank account, which was controlled by the hackers. Soon after the transfer was made, the company’s security experts realized that they had been duped. However, by then, it was too late to stop the transfer.
#4 French Film Production Company Pathé
The famous European-based cinema chain known as Pathé lost a massive amount of $21.5 million to a month-long BEC attack in March 2018. The attack began on 8th March 2018, when Dertje Meijer, Pathé Nederland director, received a spoofed email from the email address of Pathé’s CEO. The cyber criminals claimed that Pathé was in the middle of acquisition talks with a Dubai company. Impersonating the CEO, t hey asked Dertje Meije to send a confidential payment of $931,600. After consulting with a superior and receiving an invoice for the amount, Meijer authorized the payment. This was followed by three more payments, until Pathé Nederland had paid the hackers over $21.5 million by 27th March 2018.
#5 Tech Giants Google and Facebook
Counted amongst the biggest BEC attacks of all times, the BEC scam targeting Google and Facebook cost the companies over $100 million. Cyber criminals set up a fake company impersonating a Taiwanese hardware supplier Quanta Computer. They presented Google and Facebook with real-looking invoices. Both the victim companies promptly transferred the amount into the bank accounts controlled by the hackers. In addition to the invoices, the threat actors also created fake contracts and lawyers’ letters to make sure that the transfers were accepted by the banks.
#6 Networking Firm Ubiquiti Networks Inc.
Ubiquiti Networks Inc., the San Jose-based manufacturer of high-performance networking technologies, fell victim to a devastating BEC attack that led to a loss of $ 46.7 million. An employee at one the company’s subsidiaries based in Hong Kong was tricked by the hackers into transferring the huge sum into bank accounts controlled by the threat actors. As soon as the company became aware of the breach, it contacted its financial institutions and law enforcement agencies. Fortunately, Ubiquiti managed to recover some of the lost amount with the cooperation of law enforcement agencies.
#7 Wire and Cable Manufacturer Leoni AG
In 2016, a leading wire and cable manufacturer, Leoni AG, was scammed out of $44 million by another one of the top BEC attacks of all times. Cyber criminals impersonated the company’s senior German executive to send emails to an employee working in the finance department of the company’s factory in Bistrita, Romania. The email was carefully crafted using inside information to look perfectly genuine and requested a transfer of $44 million from the company’s bank account. It tricked the employee into making the payment and the stolen money was switched to a different bank account in Czech Republic.
With companies being robbed by BEC scammers left and right, it has become essential to take the necessary precautions needed to keep your company safe. As the above-mentioned cases clearly prove, most of the BEC attacks depend on spoofing a company’s email domain to trick employees into believing that the phishing emails are sent by their superiors.
In order to protect your organization against the threat of BEC attacks, the best thing you can do is to secure your company’s domain against spoofing and impersonation. You can secure your email domain with an effective anti-spoofing and DMARC deployment tool like KDMARC to prevent threat actors from sending fraudulent emails on your behalf.
Originally published at https://blog.kdmarc.com on September 25, 2021.