
Top BEC Scams and How to Protect Your Business

Written by Jeff Rezabek | Feb 10, 2023

The phishing problem isn’t going away anytime soon. In reality, it’s getting worse as attackers adopt new tools and strategies to bypass traditional defenses and coax their victims into responding. One of the most prevalent and profitable types of phishing attack is the Business Email Compromise (BEC) threat. In BEC scams, the threat actors pose as a vendor or high-level executive, either by mimicking or by gaining access to a genuine email account, to build trust and get the victim to transfer funds or sensitive data.

Over the years, BEC attacks have grown in both volume and value. Below are five of the top Business Email Compromise (BEC) scams and how to protect your business from similar attacks using IRONSCALES.

5 top business email compromise (BEC) scams 

Ubiquiti: $46.7 million 

In 2015, Ubiquiti lost $46.7 million to a BEC scam in which the threat actor impersonated an executive’s communications. According to this article, over the course of 17 days, Ubiquiti made 14 wire transfers after attackers sent the company fake emails impersonating top-level executives.

“Ray Hushpuppi”: $24 million 

In 2022, Ramon Abbas, a one-time social media influencer known as Ray Hushpuppi, pleaded guilty to conspiracy to engage in money laundering. One of the methods he used to fund his lavish lifestyle was BEC attacks. In one instance, Abbas and a co-conspirator sent fake wiring instructions to a paralegal at a New York law firm. By spoofing the email address to appear as a legitimate bank email address, Abbas and the accomplice duped the paralegal into wiring nearly $923,000, believing it was going toward the client’s real estate refinancing.

Scoular Co: $17.2 million 

BEC attacks aren’t new, but they are increasing rapidly. In 2015, attackers sent emails posing as the CEO of Scoular and targeted the company’s controller. In the emails, the fraudster claimed the money was needed to buy a company in China and warned the victim not to disclose the communication to others, supposedly to avoid violating SEC regulations. Through three wire transfers, the attackers obtained $17.2 million from the company.

Rijksmuseum Twenthe: $3.1 million 

In 2020, art dealer Simon Dickinson and Rijksmuseum Twenthe were negotiating the sale of a valuable painting by John Constable. The two parties conversed over email for several months, and at some point during the negotiations cyber criminals inserted themselves into the conversation by sending spoofed messages to the museum. In the end, the threat actors persuaded Rijksmuseum Twenthe to transfer $3.1 million to a Hong Kong bank account.

Peterborough, New Hampshire: $2.3 million 

BEC attacks aren’t exclusive to B2B companies with deep pockets. Local governments can fall victim to these sophisticated phishing attacks too. In 2021, the town of Peterborough, New Hampshire, lost a total of $2.3 million in funds initially allocated to the school district and a bridge project.

The small town, with a population of just over 6,000, was the victim of a highly targeted BEC campaign in which the actor researched the town’s most valuable projects and how the small government conducted business. The criminals then faked email accounts to impersonate school district officials and contractors for the bridge project, and the attack succeeded.

Lessons learned from top BEC scams  

BEC Attacks are Highly Targeted Threats 

To launch a successful BEC campaign, the attacker typically conducts extensive research to understand the business, the recipient of the phishing email, and the activities of the executive or vendor being impersonated.

Technology Alone Isn’t Enough 

While traditional email security tools can block known attacks and emails carrying malicious links and attachments, many BEC attacks start with messages that contain neither, so they pass straight through these filters.

When technology fails to block these advanced attacks, it’s critical that your employees know how to identify and report suspicious communications. 

Employees Are Undertrained In Current Phishing Trends 

Most people know not to click on links from senders they don’t know. However, email phishing has moved beyond that. Advanced phishing attacks like BEC use social engineering tactics to create a false sense of trust and urgency so the victim acts fast and takes the bait.

Regular training built around current threats is required to reinforce proper email security habits so employees stay vigilant. Additionally, employees need to feel empowered to question every communication they receive and to report anything that seems suspicious.
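The two lessons above (BEC lures carry no links or attachments, and rely on impersonation plus urgency and secrecy) are what a mailbox-level detector has to work with. The following is an added example, not IRONSCALES code, that scores a raw message on those header and language signals; the trusted domain, executive directory, cue list and both sample messages are constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the defended domain and its executive directory.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Language cues seen in the scams above: payment, urgency, secrecy.
CUES = ("wire transfer", "urgent", "confidential", "do not discuss", "new account")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_signals(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    found = []
    # Executive's display name on an address that is not the executive's own.
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        found.append("display-name impersonation")
    # Sender domain one or two edits away from ours (examp1e.com, exarnple.com).
    if domain != TRUSTED_DOMAIN and levenshtein(domain, TRUSTED_DOMAIN) <= 2:
        found.append("lookalike domain")
    # Replies silently redirected to a domain the sender does not use.
    if reply_domain and reply_domain != domain:
        found.append("reply-to mismatch")
    if any(cue in text for cue in CUES):
        found.append("payment urgency/secrecy language")
    return found


# Constructed sample: a link-free BEC lure that a URL/attachment scanner would pass.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@webmail.invalid>
To: controller@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

I need an urgent wire transfer to close an acquisition today.
Keep this confidential and do not discuss it with anyone.
"""

# Constructed sample: routine internal mail from the same executive, no indicators.
CLEAN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q1 numbers
Content-Type: text/plain

Can you send me the Q1 summary when it is ready? Thanks.
"""
```

Any hit on the first three header signals is worth surfacing to the user as a banner or to an analyst, since none of them depend on a link or attachment being present.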

Fight business email compromise with IRONSCALES 

Proper BEC protection requires a combination of AI and human insight to prevent these costly phishing attacks. IRONSCALES fights BEC attacks from within the mailbox, using AI to learn the communication habits between employees and vendors, analyzing the intent of each message, and drawing on feedback from over 10,000 customers to determine whether a communication is legitimate.

If the message is determined to be a BEC attack or any other phishing attempt, IRONSCALES searches the company’s mail environment and removes any similar messages to protect users from polymorphic attacks.

Going one step further, IRONSCALES offers capabilities to launch phishing simulation testing (PST) or security awareness training campaigns with ease. IRONSCALES users can launch complete PST campaigns in as little as three clicks, using recommended campaigns based on current attack trends or building one from scratch with an actual threat as the template. Additionally, contextual banners and the report-phishing button make it easy for employees to be alerted to suspicious emails and to notify admins of the potential threat.

Download the latest Osterman Research report, "Defending the Enterprise: The Latest Trends and Tactics in BEC Attacks," to learn more.