The San Jose, Calif.-based networking firm Ubiquiti Networks Inc. reported that cyber thieves recently stole $46.7 million from the firm through a scam that's becoming more common, in which fraudsters fake executive communications to instigate unauthorized wire transfers.
The scam, also known as "CEO fraud" or the "business email compromise" (BEC), typically targets businesses that work with foreign suppliers or regularly perform wire transfer payments.
Ubiquiti disclosed the attack in a quarterly financial report filed with the U.S. Securities and Exchange Commission. The company said it discovered the fraud on June 5, 2015, and that the incident involved employee impersonation and fraudulent requests from an outside entity targeting the company's finance department.
"This fraud resulted in transfers of funds aggregating $46.7 million held by a company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties," Ubiquiti wrote. "As soon as the company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary's bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the company has recovered $8.1 million of the amounts transferred."
Ubiquiti didn't disclose any additional scam details.
In January 2015, the FBI reported that cyber thieves stole nearly $215 million from businesses in the previous 14 months through such scams. In February, a criminal directed $17.2 million away from the Omaha, Neb.-based The Scoular Co. when an executive from the company wired money in installments to a bank in China after receiving emails ordering him to do so.
According to the Internet Crime Complaint Center (IC3), businesses victimized by BEC scams range in size from small to large, and purchase or supply a variety of goods. Since it affects a business' supplies, funds and relations, this scam impacts both ends of the supply chain.
The FBI said BEC fraud typically starts when thieves either phish an executive and obtain entry to that person's inbox, or email employees from a spoofed domain name.
"The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment," Ubiquiti said.
Some victims reported being targets of various scareware or ransomware cyber intrusions immediately preceding a BEC scam request. Recently, the IC3 issued an alert regarding an increasing number of complaints from businesses hit by Distributed Denial of Service extortion campaigns via email.
The IC3 suggested companies follow these steps to protect themselves against the BEC scam:
- Avoid free, web-based email;
- Scrutinize postings to social media and company websites, especially job duties and descriptions;
- Be suspicious of requests for secrecy or pressure to take action quickly;
- Consider additional IT and financial security procedures and two-step verification processes, such as telephone calls and digital signatures, to verify significant transactions;
- Immediately delete unsolicited email (spam) from unknown parties;
- Do not use the "reply" option to respond to any business emails – instead, use the "forward" option; and
- Beware of sudden changes in business practices.
"This is exactly the kind of thing that is prevented by effective security awareness training," Stu Sjouwerman, founder/CEO of the Clearwater, Fla.-based security awareness training provider KnowBe4, said. "The bad guys have a back door into your network – your employees. You can spend a large amount of money putting all kinds of security software in place and you should, but it can be all wasted if you don't also train your employees and keep them on their toes with security top of mind."