chat
expand_more

11 Most Costly BEC Attack Examples of the Past 10 Years

Losses from business email compromise (BEC) attacks are consistently increasing. Here are 11 examples of the most costly BEC attacks from the past decade.
April 28, 2023

With the recent release of the 2022 FBI IC3 Report, one number has been popping up in news headlines and blog titles for weeks: $2.7 billion—the total losses attributable to business email compromise (BEC) attacks in 2022.

Looking at that figure, it’s impossible to deny that BEC attacks cause considerable financial and reputational damage. But when we’re dealing with a value in the billions and discussing losses across all organizations, it can be difficult to grasp just how devastating a single successful BEC attack can be.

To help illustrate the true impact of this cybercrime, here are 11 examples of the most financially damaging BEC attacks from the past 10 years.

1. City of Lexington, Kentucky

Year: 2022
Industry: State and Local Government
Total Losses
: $4 million

In this BEC attack, city employees in Lexington, Kentucky received an email from an individual claiming to be from the Community Action Council, a local housing group, with a request to update the organization’s bank account information. Not realizing that the email was actually from a threat actor, Lexington sent three wire transfers totaling around $4 million in federal rent assistance and transitional housing funds to the fraudulent account.

Read more about the BEC attack on the City of Lexington

2. FACC

Year: 2015
Industry
: Aerospace and Aviation
Total Losses
: €42 million ($47 million)

Austrian aerospace parts engineer FACC was targeted by a BEC attack that started with an email sent to one of FACC’s finance department employees impersonating then-CEO Walter Stephan. The email included a request to wire approximately €50 million that was supposedly for one of the company’s acquisition projects. Upon realizing the error, the company was able to stop part of the transfer, but the remaining funds couldn’t be recovered.

Read more about the BEC attack on FACC

3. Facebook and Google

Year: 2013–2015
Industry
: Information Technology
Total Losses
: $121 million

Between 2013 and 2015, Evaldas Rimasauskas and his associates successfully executed a sophisticated, multi-million dollar BEC attack on Facebook and Google using convincing-looking bogus invoices from a fake company called Quanta Computer (the same name as a legitimate hardware supplier). The group also used counterfeit lawyers’ letters and contracts to ensure that once the transfers were initiated, the banks would accept the funds—enabling the group to steal $121 million from the two tech giants.

Read more about the BEC attack on Facebook and Google

4. Government of Puerto Rico

Year: 2020
Industry
: State and Local Government
Total Losses
: $2.6 million

While dealing with the aftermath of a 6.4-magnitude earthquake, Rubén Rivera, the finance director of Puerto Rico’s Industrial Development Company, received an email sent from the compromised account of an employee of the Puerto Rico Employment Retirement System. The email claimed that there had been a change to the bank account tied to remittance payments, and Rivera ended up transferring more than $2.6 million to attackers.

Read more about the BEC attack on the Government of Puerto Rico

5. Leoni AG

Year: 2016
Industry
: Manufacturing
Total Losses
: €40 million ($44 million)

In this BEC attack targeting Europe’s largest electrical cable and wire manufacturer, cybercriminals impersonated one of the company’s senior German executives and emailed an employee in the finance department at its factory in Bistrita, Romania. The carefully crafted email used inside information to increase the appearance of legitimacy and requested a transfer of $44 million to a foreign bank account—which the employee dutifully fulfilled.

Read more about the BEC attack on Leoni AG

6. Pathé

Year: 2018
Industry
: Entertainment
Total Losses
: €19 million ($21 million)

In March 2018, Dertje Meijer, the director of the French cinema company Pathé, received a spoofed email from an attacker impersonating the CEO. The email explained that Pathé was in the middle of acquisition discussions with a Dubai-based company and convinced Meijer to make a confidential transfer of $931,600. Later that month, Meijer made three additional transfers to the same fraudulent account, totaling more than $21 million.

Read more about the BEC attack on Pathé

7. Scoular

Year: 2014
Industry
: Agriculture
Total Losses
: $17.2 million

In 2014, the corporate controller of Scoular, an Omaha-based agricultural services organization received an email purportedly from the CEO regarding the acquisition of a Chinese company. The “CEO” instructed the target to first contact a lawyer at the accounting firm KPMG who would help facilitate the transaction and then transfer $17.2 million to a Shanghai bank account. Unaware that both the executive and the lawyer were being impersonated, the controller completed the transfer.

Read more about the BEC attack on Scoular

8. Tecnimont SpA

Year: 2019
Industry
: Engineering
Total Losses
: $18.6 million

In this BEC attack targeting the Indian arm of Tecnimont SpA, an Italian engineering company, threat actors impersonated the CEO using a spoofed email address. Similar to the BEC attack on Scoular, the attackers emailed the head of the division requesting fund transfers related to the confidential acquisition of a company in China. The group even scheduled conference calls to discuss the acquisition and impersonated the CEO, senior executives of Tecnimont, and a mergers and acquisitions lawyer.

Read more about the BEC attack on Tecnimont SpA

9. Toyota Boshoku Corporation

Year: 2019
Industry
: Automotive
Total Losses
: $37 million

A 2019 BEC attack targeting the finance and accounting department of Toyota Boshoku Corporation, a European subsidiary of Toyota and a major supplier of Toyota auto parts, resulted in a loss of $37 million. The attackers posed as one of the subsidiary’s business partners and requested a transfer to a new bank account, claiming the transaction needed to be completed ASAP or parts production would be negatively impacted.

Read more about the BEC attack on Toyota Boshoku Corporation

10. Ubiquiti

Year: 2015
Industry
: Technology Hardware
Total Losses
: $38.6 million

Ubiquiti, a San Jose-based manufacturer of networking technology, fell victim to a BEC attack in 2015 after threat actors targeted an employee in the finance department at one of the company’s Hong Kong subsidiaries. Threat actors impersonated Ubiquiti’s CEO and convinced the employee to complete a transfer totaling $46.7 million. While the company was able to reclaim $8.1 million of the lost funds, the remaining amount was never recovered.

Read more about the BEC attack on Ubiquiti

11. Xoom

Year: 2014
Industry
: Financial Technology
Total Losses
: $30.8 million

A BEC attack on payment solutions provider Xoom resulted in the transfer of $30.8 million to fraudulent overseas accounts. While details about the attack are scarce, an SEC filing disclosed the incident “involved employee impersonation and fraudulent requests targeting the Company's finance department.” As a result of the incident, Xoom’s CFO resigned, and the company’s stock price dropped by 14%.

Read more about the BEC attack on Xoom Corporation

Minimizing the Fallout from BEC Attacks

Business email compromise attacks are industry-agnostic and target organizations of all sizes. And based on the data, the frequency and severity of these attacks will only continue to grow.

While you may not be able to prevent threat actors from ever targeting your organization with BEC attacks, you can ensure the malicious emails are never seen by employees by investing in a behavioral AI-based email security platform that blocks these threats before they can be delivered.

To learn more about the growing risk of business email compromise and how to protect your organization, download the CISO Guide to Business Email Compromise.

Download the Guide

Or to see how Abnormal can stop BEC attacks before they can be delivered to employee inboxes, schedule your personalized demo.

Schedule a Demo
11 Most Costly BEC Attack Examples of the Past 10 Years

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More
B How Phishing Kits Work Blog
Learn how phishing kits provide pre-packaged tools for stealing credentials, bypassing MFA, and targeting platforms like Gmail and Microsoft 365.
Read More
ABN Innovate Blog 1 L1 R1
Join Abnormal Security for a one-day virtual conference featuring the best insights from cybersecurity experts and AI leaders.
Read More
B Partners2024
Discover how strategic investments, global collaboration, and cutting-edge initiatives have empowered our partners to thrive and set the stage for even greater success in 2025.
Read More