5 Business Email Compromise Attack Examples We Can Learn From

April 24, 2018 by


Business email compromise (BEC) is a type of phishing scheme where the cyber attacker impersonates a high-level executive (CIO, CEO, CFO, etc.) and attempts to get an employee or customer to transfer money and/or sensitive data.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

BEC is essentially an attack where the cyber attacker accesses corporate email accounts and spoofs the owner's identity. From there, emails are then sent to employees and customers of the company in an effort to steal money and other assets.

Here are five examples of BEC scams in the wild.

1. Xoom Corporation

Xoom Corporation is an international money transfer organization based in California.

Xoom reported an incident where spoofed emails were sent to the company's finance department. This resulted in the transfer of $30.8 million in corporate cash to fraudulent overseas accounts.

The CFO resigned, and the company's audit committee authorized an independent investigation by outside advisors. The company has implemented additional internal procedures, and federal law enforcement authorities are actively pursuing a multi-agency criminal investigation. Because of this. the company stock dipped by a jaw dropping 14%, or approximately $31 million.

2. Scoular Corporation

Scoular Corporation is an Omaha-based commodities trading firm.

The company reported an incident involving a spearphishing, wire fraud scam. Initially, company employees received a fake email claiming to be from the CEO. It was in reference to the acquisition of a business based in China, asking to wire parts of the declared amount. The email stated, "We need the company to be funded properly and to show sufficient strength to the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly."

Since it was apparent the email was supposedly coming from the CEO, the employee in question did not doubt the orders and transferred the money over. Though this actually occurred in June 2014, the FBI did not take any further actions in this case until January 2015. The FBI eventually tracked the money down to the Shanghai Pudong Bank, but the account was closed and the money was transferred somewhere else. It was also discovered that the phony email was actually created in Germany, and the actual email domain (which had the extension of was hosted in a server located in Russia.

3. Ubiquiti Networks

Ubiquiti Networks is a wireless networking technology company based in San Jose, CA.

The company reported an attack targeting company finances that involved both employee and executive impersonation. This attack, initiated by the company subsidiary in Hong Kong, resulted in the transfer of $46.7 million to third-party bank accounts belonging to the attackers.

Once alerted, the company recovered $8.1 million of the total amount transferred. Also, an additional $6.8 million is expected to be recovered in due time. It is still in the process of recovering the remaining sum of $31.8 million and is cooperating fully with both United States Federal and overseas law enforcement authorities.

A subsequent investigation revealed there was no penetration into the IT infrastructure of the company or any malicious activity conducted by its employees.


FACC is an aviation manufacturer based out of Austria.

In 2016, FACC made an announcement that both the forensics and financial accounting departments were hacked by cyber attackers.

The information and data, its intellectual property, as well as the operational business of the group, were not affected by the attack. The financial damage was at 50 million Euros ($54 million). The board of directors has taken immediate structural measures to prevent this same type of attack from happening again and is also further evaluating damages that may have occurred as well.

5. Mattel

Mattel is a toymaker based in the United States.

This particular fraud was the result of a very sophisticated phishing email directed to an unnamed finance executive who was able to approve large cash transfers. The email was apparently written by the new CEO Christopher Sinclair.

The cyber attackers conducted thorough research beforehand on the senior Mattel company staff members. As a result, this enabled them to understand the corporate hierarchy and payment patterns. Because of the sophisticated nature of the cyber attackers, they were able to lure over $3 million from Mattel to the Bank of Wenzhou, China.

Mattel contacted the FBI as well as the bank in China; as result, the funds were subsequently returned. Apparently, this bank is located in a Chinese region that is infamous for funneling cash stolen from CEO phishing scams.

Because of the thorough investigation conducted, Mattel was able to track down a dozen more BEC scams that were launched at the company after this attack.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.


Many of these attacks could have been prevented if there was a security program in place that trained employees how to spot phishing and social engineering attacks. Here are some quick tips you can share with your employees to increase their awareness of this growing threat.

  1. Do not open any e-mails from unknown senders or those that look suspicious. Immediately mark them as "Spam" and move them into the "Spam" folder of your email. Also, train your employees what to look for in a phishing email, especially poor grammar, misspellings and off-sounding domain names (such as the one used in the Scoular Corporation attack).
  2. Whenever the need arises to give out personal information, such as credit card or debit card numbers, make sure employees do so via a secure website.
  3. Another mechanism that cyber attackers use for phishing schemes is that of pop-up screens that appear completely out of the blue in your web browser. Therefore, it is critical your employees:

  • Never, ever click on any links that appear in a pop-up screen
  • Do not copy any URL address from a pop up into your web browser
  • Do not download anything from a pop up
  • Sayaala

    Sayaala is a graduate from India. Sayaala has interest in the field of information security and also other environmental studies. Sayaala would like to explore more and more about different aspect of information security domain such as AWS, Common threats in infosec, Malware, Vulnerability assessment etc. My Blog link