11 Most Costly BEC Attack Examples of the Past 10 Years
With the recent release of the 2022 FBI IC3 Report, one number has been popping up in news headlines and blog titles for weeks: $2.7 billion—the total losses attributable to business email compromise (BEC) attacks in 2022.
Looking at that figure, it’s impossible to deny that BEC attacks cause considerable financial and reputational damage. But when we’re dealing with a value in the billions and discussing losses across all organizations, it can be difficult to grasp just how devastating a single successful BEC attack can be.
To help illustrate the true impact of this cybercrime, here are 11 examples of the most financially damaging BEC attacks from the past 10 years.
1. City of Lexington, Kentucky
Industry: State and Local Government
Total Losses: $4 million
In this BEC attack, city employees in Lexington, Kentucky received an email from an individual claiming to be from the Community Action Council, a local housing group, with a request to update the organization’s bank account information. Not realizing that the email was actually from a threat actor, Lexington sent three wire transfers totaling around $4 million in federal rent assistance and transitional housing funds to the fraudulent account.
Read more about the BEC attack on the City of Lexington →
Industry: Aerospace and Aviation
Total Losses: €42 million ($47 million)
Austrian aerospace parts engineer FACC was targeted by a BEC attack that started with an email sent to one of FACC’s finance department employees impersonating then-CEO Walter Stephan. The email included a request to wire approximately €50 million that was supposedly for one of the company’s acquisition projects. Upon realizing the error, the company was able to stop part of the transfer, but the remaining funds couldn’t be recovered.
Read more about the BEC attack on FACC →
3. Facebook and Google
Industry: Information Technology
Total Losses: $121 million
Between 2013 and 2015, Evaldas Rimasauskas and his associates successfully executed a sophisticated, multi-million dollar BEC attack on Facebook and Google using convincing-looking bogus invoices from a fake company called Quanta Computer (the same name as a legitimate hardware supplier). The group also used counterfeit lawyers’ letters and contracts to ensure that once the transfers were initiated, the banks would accept the funds—enabling the group to steal $121 million from the two tech giants.
Read more about the BEC attack on Facebook and Google →
4. Government of Puerto Rico
Industry: State and Local Government
Total Losses: $2.6 million
While dealing with the aftermath of a 6.4-magnitude earthquake, Rubén Rivera, the finance director of Puerto Rico’s Industrial Development Company, received an email sent from the compromised account of an employee of the Puerto Rico Employment Retirement System. The email claimed that there had been a change to the bank account tied to remittance payments, and Rivera ended up transferring more than $2.6 million to attackers.
Read more about the BEC attack on the Government of Puerto Rico →
5. Leoni AG
Total Losses: €40 million ($44 million)
In this BEC attack targeting Europe’s largest electrical cable and wire manufacturer, cybercriminals impersonated one of the company’s senior German executives and emailed an employee in the finance department at its factory in Bistrita, Romania. The carefully crafted email used inside information to increase the appearance of legitimacy and requested a transfer of $44 million to a foreign bank account—which the employee dutifully fulfilled.
Read more about the BEC attack on Leoni AG →
Total Losses: €19 million ($21 million)
In March 2018, Dertje Meijer, the director of the French cinema company Pathé, received a spoofed email from an attacker impersonating the CEO. The email explained that Pathé was in the middle of acquisition discussions with a Dubai-based company and convinced Meijer to make a confidential transfer of $931,600. Later that month, Meijer made three additional transfers to the same fraudulent account, totaling more than $21 million.
Read more about the BEC attack on Pathé →
Total Losses: $17.2 million
In 2014, the corporate controller of Scoular, an Omaha-based agricultural services organization received an email purportedly from the CEO regarding the acquisition of a Chinese company. The “CEO” instructed the target to first contact a lawyer at the accounting firm KPMG who would help facilitate the transaction and then transfer $17.2 million to a Shanghai bank account. Unaware that both the executive and the lawyer were being impersonated, the controller completed the transfer.
Read more about the BEC attack on Scoular →
8. Tecnimont SpA
Total Losses: $18.6 million
In this BEC attack targeting the Indian arm of Tecnimont SpA, an Italian engineering company, threat actors impersonated the CEO using a spoofed email address. Similar to the BEC attack on Scoular, the attackers emailed the head of the division requesting fund transfers related to the confidential acquisition of a company in China. The group even scheduled conference calls to discuss the acquisition and impersonated the CEO, senior executives of Tecnimont, and a mergers and acquisitions lawyer.
Read more about the BEC attack on Tecnimont SpA →
9. Toyota Boshoku Corporation
Total Losses: $37 million
A 2019 BEC attack targeting the finance and accounting department of Toyota Boshoku Corporation, a European subsidiary of Toyota and a major supplier of Toyota auto parts, resulted in a loss of $37 million. The attackers posed as one of the subsidiary’s business partners and requested a transfer to a new bank account, claiming the transaction needed to be completed ASAP or parts production would be negatively impacted.
Read more about the BEC attack on Toyota Boshoku Corporation →
Industry: Technology Hardware
Total Losses: $38.6 million
Ubiquiti, a San Jose-based manufacturer of networking technology, fell victim to a BEC attack in 2015 after threat actors targeted an employee in the finance department at one of the company’s Hong Kong subsidiaries. Threat actors impersonated Ubiquiti’s CEO and convinced the employee to complete a transfer totaling $46.7 million. While the company was able to reclaim $8.1 million of the lost funds, the remaining amount was never recovered.
Read more about the BEC attack on Ubiquiti →
Industry: Financial Technology
Total Losses: $30.8 million
A BEC attack on payment solutions provider Xoom resulted in the transfer of $30.8 million to fraudulent overseas accounts. While details about the attack are scarce, an SEC filing disclosed the incident “involved employee impersonation and fraudulent requests targeting the Company's finance department.” As a result of the incident, Xoom’s CFO resigned, and the company’s stock price dropped by 14%.
Read more about the BEC attack on Xoom Corporation →
Minimizing the Fallout from BEC Attacks
While you may not be able to prevent threat actors from ever targeting your organization with BEC attacks, you can ensure the malicious emails are never seen by employees by investing in a behavioral AI-based email security platform that blocks these threats before they can be delivered.
To learn more about the growing risk of business email compromise and how to protect your organization, download the CISO Guide to Business Email Compromise.
Or to see how Abnormal can stop BEC attacks before they can be delivered to employee inboxes, schedule your personalized demo.
See the Abnormal Solution to the Email Security Problem
Protect your organization from the full spectrum of email attacks with Abnormal.