The impact of Business Email Compromise
Business Email Compromise (BEC) has quietly become one of the most costly cyber threats worldwide. Unlike typical phishing emails full of typos and generic greetings, BEC attacks are highly targeted and often involve email spoofing, where attackers impersonate executives, suppliers, or trusted partners. According to the FBI's Internet Crime Complaint Center (IC3), BEC scams have caused more than $50 billion in exposed losses globally since 2013.
The difference between BEC and generic phishing is intent and precision. Instead of casting a wide net, attackers study a company's structure, its executives, and its financial workflows. Then they spoof the company's email domain, or one that closely resembles it, to trick employees into transferring funds, releasing sensitive information, or changing payment instructions. This article explores real-life cases of email spoofing in BEC attacks, how they unfolded, and what businesses can learn from them.
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) refers to scams where cybercriminals impersonate a trusted identity, often via email spoofing, to deceive employees into taking harmful actions. While phishing typically aims to steal login credentials or personal data, BEC usually targets financial gain directly.
The most common forms of BEC include:
CEO Fraud (attackers impersonate a senior executive)
Vendor/Supplier Fraud (fake invoices or payment redirection)
Payroll Diversion (employees tricked into changing salary account details)
Legal or HR Impersonation (fraudulent requests for W-2s or sensitive documents)
Email spoofing plays a central role in these scams: it lets criminals forge the From address so a message appears to come from a legitimate company domain. It is not the only technique, however. Attackers also register lookalike domains (which pass SPF, DKIM and DMARC, because the attacker controls them) and take over real mailboxes, so the technical controls discussed below must be paired with process controls.
The $100 Million Google & Facebook Scam
One of the most infamous BEC cases involved two of the world’s biggest tech companies: Google and Facebook. Between 2013 and 2015, attackers managed to defraud both companies out of more than $100 million.
The criminals set up a fake company with a name strikingly similar to that of a real hardware supplier that both Google and Facebook regularly used. They then sent spoofed invoices and emails that looked like they came from the legitimate vendor. Because the emails used domains that mimicked the supplier's, the finance departments at Google and Facebook processed the payments without suspicion.
By the time the fraud was uncovered, the attackers had funneled millions into bank accounts across Latvia and Cyprus. The scam only came to light when U.S. prosecutors unsealed indictments in 2017.
Lesson learned: Even the largest and most technologically advanced companies are vulnerable to vendor impersonation. Email authentication (DMARC, DKIM, SPF) blocks messages that forge a vendor's exact domain, but not messages from a lookalike domain the attacker owns, so a manual verification policy for new payees and changed bank details is the control that would have stopped this fraud.
Toyota Boshoku Corporation – $37 Million Lost
In 2019, Toyota Boshoku Corporation, a subsidiary of Toyota Group, was hit with a BEC attack that cost the company $37 million. Attackers spoofed emails appearing to come from senior executives and instructed staff to transfer funds to a fraudulent overseas account.
The emails were carefully crafted and timed, exploiting trust in hierarchical communication. Employees complied, only realizing after the transfer that the instructions were fake. While Toyota managed to recover a portion of the funds, a significant amount was permanently lost.
Lesson learned: BEC doesn't require malware; it exploits trust in internal authority. Employee training combined with executive-level awareness is critical, since attackers often impersonate CFOs or CEOs in spoofed emails.
The Pathé Film Company Scam – €19 Million
The Dutch film company Pathé fell victim to a classic CEO fraud BEC attack in 2018. Fraudsters spoofed emails that appeared to come from Pathé’s CEO in France, directing the Dutch office to transfer funds for a confidential acquisition project.
Over several weeks, attackers convinced finance staff to wire nearly €19 million to foreign bank accounts. The company's Dutch CEO and CFO were dismissed after the fraud came to light.
Lesson learned: BEC thrives in environments where authority is rarely questioned. A two-person approval requirement for large wire transfers, with confirmation through a channel other than email, could have prevented the fraud.
The Puerto Rico Government Scam – $2.6 Million
In 2020, Puerto Rico’s Industrial Development Company lost $2.6 million after falling for a spoofed vendor email. Attackers impersonated an employee from an existing vendor and instructed the agency to change bank account details for upcoming payments.
Since the spoofed email looked nearly identical to previous correspondence, staff processed the transfer. The fraud was only discovered after the real vendor inquired about missing payments.
Lesson learned: Vendor spoofing works because businesses trust ongoing relationships. DMARC enforcement limits exact-domain forgery, and out-of-band verification (confirming any change of bank details by phone, using a number already on file rather than one taken from the email) catches the cases authentication cannot, such as a genuinely compromised vendor mailbox.
How Email Spoofing Works in BEC
Email spoofing is the backbone of many BEC attacks. SMTP itself does not verify the sender: the From header the recipient sees is just text the sending system supplies, and it can differ from the envelope sender (MAIL FROM) used during delivery. A mail server that checks neither SPF, DKIM nor DMARC has no basis for distinguishing a spoofed message from a legitimate one.
In the most direct form, attackers put your exact domain in the From header and send from their own infrastructure. This works whenever the impersonated domain publishes no DMARC policy, or only a monitoring policy (p=none), because receivers then have no instruction to reject or quarantine the unauthenticated message.
SPF, DKIM and DMARC were designed to close this gap. SPF lets a domain owner publish, in DNS, which servers may send mail using that domain in the envelope sender. DKIM attaches a cryptographic signature over selected headers and the body, verifiable with a public key published in DNS. DMARC ties both to the From header the user actually sees: a message passes only if SPF or DKIM succeeds for a domain aligned with the From domain, and the domain owner states what receivers should do on failure (none, quarantine or reject) and where to send reports. Without these in place, a spoofed message is almost impossible for the average employee to recognise.
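The alignment rule is where most intuition breaks down, so here is a simplified DMARC evaluator as an added example (not the page's own code). It assumes a constructed DNS table in place of real lookups, takes the SPF and DKIM results as already computed, and approximates the organizational domain with the last two labels instead of the Public Suffix List; example.com, lax-corp.example, examp1e.com and attacker.invalid are illustrative names.

```python
"""Simplified DMARC evaluation for one inbound message (added example).

Models what a receiving mail server does after SPF and DKIM have been checked:
look up the DMARC policy of the RFC5322.From domain, test whether any passing
SPF/DKIM identifier is aligned with that domain, and derive a disposition.
"""
from typing import Optional

# Constructed stand-in for DNS TXT lookups: _dmarc.<domain> -> record text.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.lax-corp.example": "v=DMARC1; p=none; rua=mailto:dmarc@lax-corp.example",
    # examp1e.com (a lookalike of example.com) publishes no DMARC record at all.
}


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=r' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain (assumption: last two labels, no PSL):
    'bounce.mail.example.com' -> 'example.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match; relaxed
    ('r', the default) accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, mail_from_domain: str, spf_result: str,
             dkim_domain: Optional[str], dkim_result: str) -> dict:
    """Return {'policy_found', 'dmarc_pass', 'disposition'} for one message.

    from_domain:      domain in the RFC5322.From header the user sees
    mail_from_domain: domain in the SMTP MAIL FROM (what SPF actually checked)
    dkim_domain:      the d= tag of the DKIM signature, or None if unsigned
    """
    record = (DNS.get(f"_dmarc.{from_domain.lower()}")
              or DNS.get(f"_dmarc.{org_domain(from_domain)}"))
    if record is None:
        # No policy published: the receiver applies no DMARC disposition.
        # Lookalike domains registered by the attacker land here.
        return {"policy_found": False, "dmarc_pass": False, "disposition": "none"}
    tags = parse_dmarc(record)
    # SPF only helps DMARC if it passed AND its domain aligns with the From domain.
    spf_ok = spf_result == "pass" and aligned(from_domain, mail_from_domain, tags.get("aspf", "r"))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    passed = spf_ok or dkim_ok
    disposition = "none" if passed else tags.get("p", "none")
    return {"policy_found": True, "dmarc_pass": passed, "disposition": disposition}


if __name__ == "__main__":
    # 1. Legitimate mail: bounce subdomain in MAIL FROM, signed with d=example.com.
    print(evaluate("example.com", "bounce.example.com", "pass", "example.com", "pass"))
    # 2. Direct spoof: From: ceo@example.com sent from attacker infrastructure.
    #    SPF passes for attacker.invalid, but that is not aligned, and there is no DKIM.
    print(evaluate("example.com", "attacker.invalid", "pass", None, "none"))
    # 3. Same spoof against a domain with p=none: fails DMARC, still delivered.
    print(evaluate("lax-corp.example", "attacker.invalid", "pass", None, "none"))
    # 4. Lookalike domain: no DMARC record exists, so no policy protects the reader.
    print(evaluate("examp1e.com", "examp1e.com", "pass", None, "none"))
```

Case 2 is the point of the section: the attacker's SPF check passes for their own domain, yet the message still fails DMARC because nothing passing is aligned with the From domain the employee sees. Case 3 shows why p=none is monitoring only, and case 4 shows the limit of the whole scheme against lookalike domains.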
Preventing BEC Through Authentication & Policy
While BEC is hard to eliminate entirely, companies can significantly reduce risk with layered defenses:
Implement DMARC, DKIM, and SPF: With a DMARC policy of quarantine or reject, messages that forge your exact domain are filtered before they reach inboxes. A policy of none only generates reports and blocks nothing.
Use strict payment verification policies: Require secondary approvals for high-value transfers.
Train employees regularly: Especially finance and HR teams, who are prime targets.
Monitor and report: Enable DMARC aggregate reporting (the rua tag) to see which sources send as your domain, fix legitimate senders that fail alignment, and then tighten the policy from none to quarantine to reject.
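As an added example, not the page's own code, the following checker lints SPF and DMARC record text for the weak settings the list above warns about, and shows a weak pair of records beside a corrected pair. The records, the mailprovider.example include and the report address are constructed for illustration; the tags it checks (the SPF all qualifier and lookup limit, DMARC p, sp, pct and rua) are standard.

```python
"""Lint SPF and DMARC TXT records for settings that leave a domain spoofable
(added example). Record text is passed in directly instead of fetched from DNS."""

# Constructed records: a typical weak starting point and the corrected versions.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ?all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_SPF = "v=spf1 include:_spf.mailprovider.example -all"
FIXED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=reject' -> {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(record: str) -> list:
    """Return a list of findings; an empty list means no weakness detected."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier == "+":
            findings.append("'+all' authorizes every host on the Internet to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral: SPF never fails, so it contributes nothing to DMARC")
        elif qualifier == "~":
            findings.append("'~all' softfail: DMARC treats it as not-pass, but without DMARC "
                            "enforcement most receivers still deliver")
    # Count lookup-costing terms: strip qualifier, then cut at ':' '=' or '/'.
    lookups = 0
    for t in terms[1:]:
        name = t.lstrip("+-~?").lower()
        for sep in (":", "=", "/"):
            name = name.split(sep, 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated and slow; replace with ip4/ip6 or include")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: SPF returns permerror")
    return findings


def lint_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the policy is enforcing and reported."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: mail that fails DMARC is still delivered (monitor-only)")
    elif policy not in ("quarantine", "reject"):
        findings.append("p tag missing or invalid: receivers ignore the record")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains stay spoofable while the apex is enforcing")
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy in ("quarantine", "reject"):
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so spoofing goes unseen")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", FIXED_SPF, FIXED_DMARC)):
        print(label, "SPF:", lint_spf(spf) or "ok")
        print(label, "DMARC:", lint_dmarc(dmarc) or "ok")
```

The weak pair is the state most domains start in: a neutral SPF and a monitor-only DMARC, which together block nothing. Run the corrected pair through the same functions and both come back clean; note that moving to p=reject should follow a period of reading the aggregate reports the rua tag requests, so legitimate senders are aligned first.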
Most importantly, businesses should treat email security as a financial control issue, not just an IT issue. Just as accounting requires audits, email requires authentication checks and independent verification.
Business Email Compromise is not a distant cyber threat; it is a real-world crime with billions in damages. From tech giants like Google and Facebook to government agencies and film companies, no organization is immune. What unites these cases is impersonation by email, through forged headers or lookalike domains, as the entry point.
Companies must accept that email alone cannot be trusted without proper safeguards. By implementing DMARC, DKIM, and SPF, combined with robust internal financial policies, businesses can protect themselves against one of the most costly and preventable cybercrimes of our time.