Business executives and employees have been victims of business email compromise, which leads to the loss of important information and finances to scammers. BEC is a type of internet phishing scam whose major target is top company CEOs, CIOs, CFO, and more intending to transfer clients’ data or money. Cyber attackers gain access to an organization’s emails and take off with crucial information with the main goal to fleece finances from the organization.
The FBI has given BEC scam the title “$26 billion scams” because the scam costs businesses an average of $5.2 million per breach. The breach keeps on increasing, with cyber attackers finding sophisticated ways to con employees of organizations. Here are real-world examples of BEC scams.
A Toyota subsidiary Toyota Boshoku Corporation became a victim of a business email compromise (BEC) which led the company to lose $37 million, equivalent to 4 billion Japanese Yen. It is another classic example of BEC where a scammer managed to persuade a financial official of the organization to change the information of the account that will receive the money electronically.
After discovering the fraud, the company began an investigation together with its legal professionals and informed the local authorities.
Toymaker Mattel $3M
The email attack successfully managed to trick the toymaker top executive to wire $3 million to a bank account located in Wenzhou, China. An email in the form of a regular business payment request asked the organization’s finance department to complete the transaction.
The email scammer impersonated Mattel CEO, and the employee at the finance department was prompt to act on the request in an attempt to please the new executive. Fortunately, the Chinese law enforcement was able to follow up and managed to recover the amount a week later, saving Mattel from losing the $3 million.
Obinamwe Okeke $11M
The celebrated entrepreneur was sentenced in February 2023 for allegedly slamming his victim, an amount leading to $11 million. The scammer was able to use the email addresses of employees and top CEO to perform the phishing scam. With the email credentials in his possession, he was able to log into the accounts of top CEOs, including the CFI of a British company called Unatrac Holding. The scammer wired the money to offshore accounts to avoid the local authorities from tracking and recovering the amount.
Government of Puerto Rico $2.6M
The organization reported to the local police department the loss that cost the Puerto Rico Industrial Development Company $2.6 million to scammers. The government agency allegedly received an email suggesting a change in the account details to remit the finances.
The email came from an account that was hacked and belonged to an employee of the Puerto Rico Employment Retirement System. The government came forward and said the agency fell prey to a business email compromise scam. The amount included public pension funds and was frozen by the FBI.
St Ambrose Catholic Church $1.7M
The Ohio-based parish also became a victim of the ever-rising business email compromise scam when attackers were able to access the email addresses of two employees. The parish was undertaking a project to make some renovations at a budget of $4 million.
Scammers were able to have a preview of this information and found a way to hack into the employees’ email accounts and successfully divert the payments to their falsified accounts. The church authorities discovered the scam when the contractors mentioned they had not been paired. This is a classic case that tells us the importance of training the employees on basic cybersecurity aspects like setting passwords, using apps, attending to unknown messages or buying a new phone and configuring it to enhance online safety.
Xoom Corporation $30.8M
This comes as a surprise because Xoom Corp is a financial institution that fell victim to an email compromise scam that cost the company $30.8 million, leading to the shares going down by 17%. The amount was allegedly transferred to oversee accounts when a fraudulent employee requested targeting the finance department.
The scammer emailed an employee pretending to be the CEO requesting to wire the said amount to the mentioned account for an alleged business deal. It turned out to be a classic case of BEC.
The cinema organization has also been a victim of a Business email compromise scam which cost the business $21.5 M in march 2023. This loss was equivalent to 10% of the organization’s total earnings at the time. The scam began with an email sent to the company’s CFO from the French parent company making a confidential request to wire 800k to make an acquisition.
The CFO and CEO had discussed the strangeness of the transaction, but never did it seem like a scam. By the time they realized it was too late to save the company from losing the amount.
Save the children $1M
Charities are also not safe from BEC, as shown by this case example of Save the Children in 2023. The non-profit and charity organization was hit with a business email compromise scam. The incident happened when a fraudster was able to gain access to an employee’s email address, impersonated the employee, and created a fake invoice and other materials to convince the organization to send $1 million to charity in Japan.
City of Saskatoon $1M
This is also another classic example of BEC where scammers in 2023 successfully managed to trick the City of Saskatoon to wire them over $1 million. The scam happened through an email account compromise where someone impersonated the CEO of Allan Construction and managed to transfer $1.04 million from the company. Fortunately, the scammer was not able to gain access to the amount because law enforcement, in collaboration with financial organizations, was able to trace and recover the full amount.
Business email compromise scams give government and financial institutions a great challenge in protecting consumer data and finances. BEC scams are common more than ever as phishing emails from hackers and fraudsters keep advancing in tactics leading to major losses. CEO and employees have to find new ways to protect their emails so that they don’t become victims of the ever-rising cases of BEC.