Documented Cases

The largest coordinated law enforcement action against business email compromise to date. 281 individuals were arrested across the United States, Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom. Investigators identified more than $3.7 billion in fraudulent wire transfers. Targets included corporations, law firms, financial institutions, and real estate transaction parties. Multiple federal convictions resulted from the operation.

Relevance: BEC is not opportunistic crime. It is organized, international, and specifically targets professional transactional infrastructure. The scale documented in this operation reflects the category of threat, not an isolated incident.

A Lithuanian national impersonated a legitimate Taiwanese electronics manufacturer in correspondence with two Fortune 500 technology companies — subsequently identified publicly as Google and Facebook. Forged corporate documentation, email domains constructed to mimic the vendor, and fraudulent wire instructions resulted in approximately $121 million transferred before detection. The defendant pleaded guilty to wire fraud. Sentenced to 5 years federal prison with forfeiture ordered.

Relevance: No breach of either victim's systems occurred. The fraud succeeded because correspondence from a domain that appeared legitimate was trusted without independent verification. Domain authentication is the only publicly verifiable signal available to a counterparty before a wire is sent.

A Nigerian businessman and CEO of a legitimately operating capital group led a BEC operation causing more than $11 million in documented losses across multiple victims. The scheme operated through compromised email accounts and spoofed domains redirecting wire payments. Convicted at trial. Sentenced to 10 years federal prison — among the longest BEC sentences imposed at the time.

Relevance: The perpetrator operated under genuine professional cover. Institutional affiliation and a legitimate business identity were part of the mechanism. The scheme used the same communication channels professional fiduciaries use as a matter of daily practice.

Federal prosecutors across multiple districts have obtained convictions in schemes targeting real estate closing transactions. The mechanism is consistent: a party to the closing receives email appearing to originate from a known participant — attorney, title company, or lender. Wire instructions are redirected to fraudulent accounts. Closing funds — frequently representing a buyer's entire liquid savings or the net proceeds of a property sale — are transferred and unrecoverable. The FBI and FinCEN have both issued formal advisories identifying transaction counsel as a primary named target category.

Relevance: The attorney's email domain is not incidental to these schemes — it is the instrument. A domain configured to an enforcement-level authentication standard is verifiably more resistant to impersonation than one that is not, and that verification is available to any counterparty before a wire is initiated.

The SEC and DOJ have brought enforcement actions and obtained convictions in schemes involving fraudulent capital call notices and fund distribution communications directed at limited partners and institutional investors. Email purporting to originate from a fund manager or general partner redirects capital contributions or distribution proceeds to fraudulent accounts. The institutional investor has no basis to independently verify the communication's origin beyond the appearance of the sending domain. Federal sentences in prosecuted cases have ranged from 5 to 20 years.

Relevance: Fund managers, general partners, and registered investment advisers send wire-critical communications by email as a matter of routine. The limited partner has no access to the fund's infrastructure and no independent basis to verify source. Domain authentication is the only publicly verifiable signal a counterparty can assess before responding to a capital call or distribution notice.