Business email compromise (BEC) is an email scam where malicious actors impersonate a trusted source using a spoofed, lookalike or compromised account. Fraudsters send targeted emails to employees, business partners or customers. The recipients, believing the emails are legitimate, then take actions that lead to scammers gaining access to sensitive data, funds or accounts. Notably, most BEC attacks result in fraudulent wire transfer or financial payment.
The FBI’s Internet Crime Complaint Center reports that businesses lost more than $2.7 billion to BEC scams in 2022. That’s more than one-quarter of all the cyber crime-related financial losses for that year. Proofpoint research for the 2023 State of the Phish report showed that 75% of organizations experienced at least one BEC attack last year.
BEC is often hard to detect because there is no malicious payload, such as URL or attachment. And yet, it’s easy to understand why BEC scams are so successful. Just take a closer look at the various social engineering tactics used in the following 10 recent BEC attacks, which are a testament to fraudsters’ creativity, ingenuity and persistence.
#1: Fraudster steals more than 1,000 unpublished manuscripts
What happened: Filippo Bernardini, an employee at the U.K. operation of publishing company Simon & Schuster, impersonated book agents, editors, authors and others for years in a quest to obtain unpublished manuscripts. The book thief’s aim: to read new works before anyone else.
BEC strategy: Bernardini registered more than 160 fake internet domains to send emails from slightly altered, official-looking email addresses. A key factor in his success was his insider knowledge of the publishing world.
#2: Real estate firm loses €38 million to international gang of fraudsters
What happened: A real estate developer in Paris, Sefri-Cime, was targeted by an international email “CEO fraud” gang in December 2022. The group managed to steal €38 million through one BEC scam, which they then laundered through bank accounts in various countries, including China and Israel.
BEC strategy: The firm’s CFO received an email from someone claiming to be a lawyer at a well-known French accounting firm. Within days, the fraudster had gained the CFO’s trust and began to make successful requests for large and urgent transfers of millions of euros.
#3: Eagle Mountain City, Utah, sends $1.13 million to vendor impersonator
What happened: This rapidly growing, master-planned community had so many new projects underway that busy city officials grew accustomed to receiving requests for large payments from various vendors—and thus, became less vigilant about looking out for potential scams.
BEC strategy: In August 2022, Eagle Mountain was engaged in a construction project to widen a major road. During an email exchange between city officials and its construction vendor, BEC scammers inserted themselves into an email thread and impersonated the vendor. The cyber criminals persuaded a staff member to transfer an electronic payment to them instead.
#4: Fraudsters steal $2.8 million from Grand Rapids Public Schools in Michigan
What happened: A California couple defrauded a Midwestern school district and went on a spending spree with the stolen funds. The scheme started when they gained access to an email account belonging to the school district’s benefits manager. It began to unravel after an insurance company inquired about the missing funds.
BEC strategy: The fraudsters monitored correspondence between the district and its health insurance vendor about monthly insurance payments. They then sent an email to a district finance specialist asking them to change the wiring information for those payments. That person complied, which resulted in two large payments being sent to the bank account of a California nail salon that the couple owned.
#5: CFO impersonator defrauds Children’s Healthcare of Atlanta of $3.6 million
What happened: This pediatric care provider’s experience with BEC scams is a stellar example of just how unscrupulous the perpetrators behind these campaigns can be. Children’s Healthcare of Atlanta likely became a target for fraud after kicking off a project to build a new, 70-acre campus—a construction firm in Kansas City, Missouri, J.E. Dunn, announced it was the general contractor.
BEC strategy: A bad actor was quick to jump on this news and launched a familiar BEC attack—spoofing the construction company’s email domain. This individual also impersonated the firm’s CFO and sent a letter to Children’s—using a fake J.E. Dunn Construction Group letterhead, no less—successfully requesting that payments be directed to another account.
#6: SilverTerrier gang targets at least 50,000 companies in 150 countries
What happened: In the spring of 2022, Interpol arrested a man believed to be the ringleader of a Nigeria-based BEC gang, SilverTerrier (aka TMT). His arrest led to the exposure of the group’s massive attack infrastructure supported by at least 400 gang members.
BEC strategy: SilverTerrier has targeted tens of thousands of companies and individuals worldwide since it emerged in 2014. Here’s a quick overview of the gang’s approach to BEC scams (and these aren’t even all the steps these cyber criminals take):
- They conduct mass phishing campaigns in various languages. The emails appear to be from representatives of legitimate companies.
- They use malicious email attachments to spread various malware programs, spyware and remote access tools.
- The gang tracks every open message; once they know they’ve infiltrated a system, they monitor activity so they can target the victim with new BEC scams designed to steal funds.
#7: Opportunist siphons $793,000 in new construction funds for N.C. church
What happened: Elkin Valley Baptist Church in North Carolina spent a decade collecting $1.5 million to build a new worship center. In late 2022, when they were ready to break ground on the project, bad actors swooped in to launch a BEC campaign that led to the theft of more than half of the construction fund.
BEC strategy: On a Friday night, two emails arrived in the church’s financial secretary’s inbox. One was sent by the builder with a request for the first half of the payment and transfer instructions. The other email, with different transfer details, was fraudulent—but almost identical to the first. It even included the previous email thread in the body of the message. Unfortunately, a church representative believed it was legit and sent the payment to the fraudsters on Monday.
#8: VCU transfers $470,000 to “trusted” fake employee of construction firm
What happened: A U.K. citizen spent several months in 2018 working to build trust with Virginia Commonwealth University (VCU) by posing as “Rachel Moore,” a fake employee of Kjellstrom + Lee, based in Richmond, Virginia. The construction company had a project underway with VCU at the time.
BEC strategy: Once trust was established, this bad actor submitted new banking details for payment transfers—to an account in California. Soon after wiring nearly a half-million dollars, the university learned it had been scammed, and that “Rachel” was not a real person.
#9: Fraudster posing as senior executive steals $1.2 million from Minnesota city
What happened: The city of Cottage Grove, Minnesota hired the contractor Genslinger & Sons for a sewer project in mid-2021. A few months later, the city’s accounting specialist sent an email to an incorrect address at “genslingerandsons.com.” Five days later, a malicious actor launched a BEC attack.
BEC strategy: The fraudster, posing as the contracting firm’s president, Jeff Genslinger, sent an email to the accounting specialist to update payment information. The city sent two large payments to the new account, and the scammer moved fast to disperse the funds to multiple accounts belonging to other people. A few months later, the Cottage Grove theft came to light when the contractor contacted the city about its missing payments—and the city learned the real Jeff Genslinger had been on vacation for weeks.
#10: Cyber criminals drain $11.1 million from Medicare and Medicaid programs
What happened: We round out our list of 10 business email compromise examples with Medicare and Medicaid fraud scams, which scammers use to rake in more than $100 million annually. In focus here are five state Medicaid programs, two Medicare contractors and two private health insurers that were duped into wiring payments in a series of schemes involving 10 BEC fraudsters in multiple states.
BEC strategy: In most of these schemes, the cyber criminals created email accounts that looked almost identical to legitimate businesses and hospitals. Targets were tricked into updating bank account details for reimbursement payments. To hide their spoils, several of the fraudsters used stolen identities to open bank accounts in the name of shell companies.
For more details on these 10 business email compromise examples, including what happened (or not) after the discovery of these BEC scams, download the Proofpoint e-book, You’ve Got Email Fraud!
5 steps to combat BEC scams
The BEC examples outlined above are only a sampling of this rampant criminal activity happening on a global scale. Sadly, for the businesses and individuals targeted, BEC scammers are often successful—wildly so, in many cases. While funds can sometimes be recouped, more often, victims end up losing a lot of money. That is true with many of the BEC examples we’ve highlighted in this post.
However, while the cyber criminals who carry out these campaigns can be clever and quick, businesses can also be smart and swift in how they address this pervasive and costly threat. Here are five steps to combat BEC:
- Detect and stop BEC threats before users can interact with them
- Get visibility into BEC risks
- Enable users to spot and report BEC attacks
- Automate threat detection and response
- Authenticate your email to protect your brand in email fraud attacks
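As an added illustration (not from the original post or from Proofpoint), here is a small Python check that scores an inbound message for the tells the cases above share: a sender domain that is a lookalike of a known vendor’s, an executive’s display name paired with a foreign domain, and a request to change payment details. The trusted-domain list, the executive roster and the sample messages are constructed for this example.

```python
import re

# Constructed allow-lists for this example; a real deployment would load the
# organization's own vendor directory and executive roster instead.
TRUSTED_DOMAINS = {"genslingerandsons.com", "jedunn.com", "kjellstromlee.com"}
EXEC_DOMAINS = {"jeff genslinger": "genslingerandsons.com"}  # display name -> home domain
# Character swaps commonly used to build lookalike domains (rn vs m, 1 vs l, ...).
HOMOGLYPH_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b[^.\n]{0,60}\b(bank|wire|wiring|routing|account)\b", re.I)


def normalize(domain: str) -> str:
    """Fold homoglyph substitutions so 'gens1inger' compares equal to 'genslinger'."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPH_SWAPS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def score_email(from_name: str, from_addr: str, body: str):
    """Count BEC tells: lookalike domain, exec name on a foreign domain, payment change."""
    findings = []
    sender_domain = from_addr.rsplit("@", 1)[-1].lower()
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} imitates {target}")
    home = EXEC_DOMAINS.get(from_name.strip().lower())
    if home and sender_domain != home:
        findings.append(f"display name '{from_name}' but sender domain is not {home}")
    if PAYMENT_CHANGE.search(body):
        findings.append("message asks to change bank or wire details")
    return len(findings), findings
```

A score of 2 or more is a reasonable trigger for holding the message and verifying the request over a known phone number before any payment detail is changed.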
For the best defense, make sure to use AI-enabled email protection, which blocks sophisticated BEC attacks. Here’s how AI can help.
Protect your business from BEC scams with Proofpoint
It takes both technology and user education to protect against email fraud attacks—and only Proofpoint provides an end-to-end, integrated solution to combat them. Learn how we can help, and take a free assessment to gauge your organization’s preparedness to stop BEC attacks here.