BEC Scam Results in $39.1 Million Loss for Ubiquiti Networks | Tripwire

BEC Scam Results in $39.1 Million Loss for Ubiquiti Networks

Posted on August 7, 2015
FTC Says Identity Theft Victims Don't Always Need a Police Report
A Business Email Compromise (BEC) scam has resulted in a $39.1 million loss for Ubiquiti Networks, an American technology company that manufactures wireless networking products. On August 6th, Ubiquiti Networks issued a press release summarizing the results of its fourth fiscal quarter of 2015, which ended on June 30, 2015. The company reveals in that statement that it was the victim of a BEC scam that resulted in losses of $39.1 million.
security57.png
A Business Email Compromise scam is a type of social engineering attack in which an attacker compromises the legitimate email account of a high-ranking executive, such as a CFO, and uses that unauthorized access to make fraudulent wire transfers to bank accounts of their choice. A variant on the classic BEC attack, "vendor fraud" occurs when an attacker impersonates a vendor and changes the payment details of a transaction. This in some way mimics a scheme being practiced by a group of Nigerian scammers. Excluding the costs and related expenses it incurred as a result of the BEC scam, Ubiquiti Networks states that its cash for operating costs for the quarter would have been $57.3 million, a 56% increase sequentially. The company discloses additional information about the incident in the Form 8-K it filed to the U.S. Securities and Exchange Commission.
"On June 5, 2015, the Company determined that it had been the victim of a criminal fraud," Ubiquiti Networks reports. "The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties."
After discovering the compromise, Ubiquiti Networks initiated legal proceedings that enabled it to successfully recover $8.1 million of the monies transferred. The company is also hoping to recover an addition $6.8 million, which is currently subject to legal injunction. At this time, Ubiquiti Networks does not believe it will receive insurance coverage for this scam. However, after conducting an independent investigation of its networks, the company has determined that no internal intrusion took place and that no corporate, financial, or account information was compromised. These findings give Ubiquiti Networks optimism for the future.
"While this matter will result in some additional near-term expenses, the Company does not expect this incident to have a material impact on its business or its ability to fund the anticipated working capital, capital expenditures and other liquidity requirements of its ongoing operations."
Users are urged to avoid free web-based email, carefully decide what to post to social media and to company websites, and implement additional security features (such as two-factor authentication) in order to avoid becoming a victim of a BEC scam.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!