Analyzes business email compromise (BEC) scams where attackers impersonate executives or vendors to trick employees into transferring funds or sharing sensitive data. Covers detection methods, employee training approaches, and technical controls to prevent BEC attacks.
posts
In 2019, a Lithuanian national named Evaldas Rimasauskas pleaded guilty to stealing over $100 million from Google and Facebook using nothing more than a series of fake email messages. He impersonated a legitimate hardware vendor, sent invoices from a lookalike domain, and two of the most technologically sophisticated companies on
A Single Email That Cost $100 Million In 2019, Toyota Boshoku Corporation lost $37 million after an employee followed wire transfer instructions in a fraudulent email. Facebook and Google collectively lost over $100 million to a Lithuanian threat actor who sent fake invoices posing as a hardware vendor. These aren&
The CFO Who Wired $25 Million to a Threat Actor In early 2024, a finance worker at engineering firm Arup was tricked into transferring $25 million after attending a video call with what appeared to be the company's CFO and other colleagues. Every person on that call was
In late 2024, security researchers at Avanan documented a surge of phishing campaigns that weaponized legitimate DocuSign and PayPal infrastructure to deliver convincing credential theft attacks. The emails didn't come from spoofed domains. They came from the actual DocuSign and PayPal platforms — which is exactly why they sailed
In 2023, a finance employee at a multinational firm in Hong Kong wired $25 million to threat actors after receiving what appeared to be a legitimate video call and email chain from the company's CFO. It was all fake — the video was a deepfake, and the emails were
In May 2025, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated form of fake mail — accounted for over $2.9 billion in adjusted losses in 2023 alone. That number has only grown. I've personally worked cases where a single convincing email
In May 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — a category built almost entirely on fake emails — accounted for over $2.9 billion in adjusted losses in a single year. That figure dwarfed ransomware losses by a factor of nearly 50. And those
In March 2025, a mid-size accounting firm in Ohio wired $1.2 million to a threat actor who sent a single spoofed email — a fakeemail that perfectly mimicked the CEO's display name, writing style, and even included a forwarded thread from a real conversation. The email passed every
A Legitimate DocuSign Email That Steals Your PayPal Credentials In November 2024, Avanan researchers documented a wave of attacks where threat actors sent phishing emails through DocuSign's actual platform — not spoofed emails, but real DocuSign notifications. The documents inside impersonated PayPal invoices requesting payment authorization for hundreds or
In January 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — much of it powered by spoofed sender addresses — cost American organizations over $2.9 billion in 2023 alone. Behind a huge share of those losses sits a deceptively simple tool: the fake mailer. These
