Tag

Business Email Compromise

Analyzes business email compromise (BEC) scams where attackers impersonate executives or vendors to trick employees into transferring funds or sharing sensitive data. Covers detection methods, employee training approaches, and technical controls to prevent BEC attacks.

PayPal DocuSign Phishing

PayPal DocuSign Phishing: How Attackers Exploit Trust

A Legitimate Invoice From PayPal — That's Also a Scam

In late 2024, security researchers at Avanan documented a campaign where threat actors sent real PayPal invoices to victims — not spoofed emails, not lookalike domains, but actual invoices generated through PayPal's own platform. The emails passed every

Carl B. Johnson Jun 09, 2026 5 min read
Fake Email

Fake Email: How to Spot, Stop, and Survive One

A Single Fake Email Cost Facebook and Google $100 Million

Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas sent a series of fake email messages to employees at Facebook and Google. He impersonated a legitimate hardware vendor, attached fraudulent invoices, and directed payments to bank accounts he controlled.

Carl B. Johnson Jun 03, 2026 6 min read
Fake Mail

Fake Mail: How Threat Actors Exploit Your Inbox in 2026

The $4.88 Million Problem Sitting in Your Inbox Right Now

In 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — essentially sophisticated fake mail — cost victims over $2.9 billion in a single year. That wasn't a spike. It was a trend.

Carl B. Johnson May 28, 2026 5 min read
Fake Email

Fake Email: How to Spot One Before It Costs You

In 2019, a Lithuanian national named Evaldas Rimasauskas pleaded guilty to stealing over $100 million from Google and Facebook using nothing more than a series of fake email messages. He impersonated a legitimate hardware vendor, sent invoices from a lookalike domain, and two of the most technologically sophisticated companies on

Carl B. Johnson May 06, 2026 5 min read
Phishing Attack Examples

Phishing Attack Examples: Real Incidents That Cost Millions

A Single Email That Cost $100 Million

In 2019, Toyota Boshoku Corporation lost $37 million after an employee followed wire transfer instructions in a fraudulent email. Facebook and Google collectively lost over $100 million to a Lithuanian threat actor who sent fake invoices posing as a hardware vendor. These aren't

Carl B. Johnson May 05, 2026 5 min read
Whaling Attack

Whaling Attack Cybersecurity: How CEOs Get Hacked

The CFO Who Wired $25 Million to a Threat Actor

In early 2024, a finance worker at engineering firm Arup was tricked into transferring $25 million after attending a video call with what appeared to be the company's CFO and other colleagues. Every person on that call was

Carl B. Johnson Apr 24, 2026 5 min read
PayPal DocuSign Phishing

PayPal DocuSign Phishing: How This Scam Works

In late 2024, security researchers at Avanan documented a surge of phishing campaigns that weaponized legitimate DocuSign and PayPal infrastructure to deliver convincing credential theft attacks. The emails didn't come from spoofed domains. They came from the actual DocuSign and PayPal platforms — which is exactly why they sailed

Carl B. Johnson Apr 22, 2026 5 min read
Fake Mail

Fake Mail: How to Spot It Before It Costs You

In 2023, a finance employee at a multinational firm in Hong Kong wired $25 million to threat actors after receiving what appeared to be a legitimate video call and email chain from the company's CFO. It was all fake — the video was a deepfake, and the emails were

Carl B. Johnson Apr 17, 2026 5 min read
Fake Mail

Fake Mail: How to Spot It Before It Costs You

In May 2025, the FBI's Internet Crime Complaint Center reported that business email compromise — a sophisticated form of fake mail — accounted for over $2.9 billion in adjusted losses in 2023 alone. That number has only grown. I've personally worked cases where a single convincing email

Carl B. Johnson Dec 27, 2025 7 min read
Fake Emails

Fake Emails: How to Spot Them Before They Cost You

In May 2024, the FBI's Internet Crime Complaint Center reported that business email compromise — a category built almost entirely on fake emails — accounted for over $2.9 billion in adjusted losses in a single year. That figure dwarfed ransomware losses by a factor of nearly 50. And those

Carl B. Johnson Dec 13, 2025 7 min read