Ubiquiti Networks: $46.7 Million Wired to Hong Kong Fraudsters via Email

A finance department employee at Ubiquiti was deceived by emails impersonating the CEO and external legal counsel into authorising 17 wire transfers totalling $46.7 million to accounts in Hong Kong, Poland, Hungary, and Russia.

Ubiquiti Networks · 2015

Background

Business Email Compromise (BEC) became the FBI's highest-loss cybercrime category in 2015. Ubiquiti Networks, a Silicon Valley networking hardware company, processed international wire transfers as part of normal operations. Attackers had studied the company's corporate structure and communication patterns.

The Attack

Attackers registered a lookalike domain nearly identical to Ubiquiti's legitimate domain and used it to send emails appearing to come from the CEO and outside legal counsel. The emails requested a series of urgent, confidential wire transfers for a supposed acquisition. No phone verification was requested or performed. Finance staff, believing the requests were legitimate, executed 17 transfers over several weeks totalling $46.7 million to bank accounts across four countries.
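
A mail-gateway style check for the lookalike-domain technique described above, as an added example that is not part of the original write-up. The protected domain `examplenetworks.com`, the confusable-character table and the distance threshold of 2 are assumptions chosen for illustration; the write-up does not name the domain the attackers registered.

```python
from email.utils import parseaddr

# Assumption: placeholder for the organisation's real mail domain(s).
PROTECTED = {"examplenetworks.com"}
# Visually confusable sequences folded to one form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

def skeleton(domain: str) -> str:
    """Lower-case a domain and collapse look-alike character sequences."""
    d = domain.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, transpose."""
    rows = [[i + j if 0 in (i, j) else 0 for j in range(len(b) + 1)]
            for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[-1][-1]

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "external"
    if domain in PROTECTED:
        return "internal"
    # Near-miss of a protected domain: hold for review instead of delivering.
    if any(edit_distance(skeleton(domain), skeleton(real)) <= max_distance
           for real in PROTECTED):
        return "lookalike"
    return "external"

# Constructed From headers for illustration; none come from the incident.
SAMPLES = ["CEO <ceo@examplenetworks.com>", "CEO <ceo@examplenetvvorks.com>",
           "Counsel <counsel@examp1e-networks.com>", "Billing <ap@unrelated-supplier.org>"]
if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

The check only looks at the sender's address domain, so a message that spoofs the display name from an unrelated domain still needs the phone verification and dual-authorisation controls listed in the takeaways.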

Response

Ubiquiti discovered the fraud in June 2015. The FBI was notified and assisted with recovery efforts. Approximately $8.1 million was recovered. The company tightened its wire transfer authorisation procedures and disclosed the incident in a quarterly SEC filing.

Outcome

The $46.7 million loss ($38.6 million unrecovered) was disclosed publicly in SEC filings, exposing the company to additional reputational damage. The case became a canonical example of BEC fraud and was used by the FBI to train organisations on the threat. Ubiquiti's share price dropped on disclosure.

Key Takeaways

  1. All large wire transfers must be verified by phone call to a pre-registered number — never to a number in the email
  2. BEC attackers study company org charts and communication styles for weeks before striking
  3. Finance staff need specific training on email impersonation — the CEO will not email instructions for secret wire transfers
  4. Dual-authorisation controls for transfers above a threshold prevent single-person fraud
Tags: BEC, wire fraud, CEO impersonation, lookalike domain, finance fraud