How a Fake Email Cost Ubiquiti $47M — And What Small Businesses Can Learn
This real-world BEC scam didn’t involve hacking—just trust, pressure, and a convincing email. Here’s how it happened, and how your business can avoid the same fate.

A Cautionary Tale From a Tech Giant
In 2015, Ubiquiti Networks, a publicly traded tech company, fell victim to one of the most successful Business Email Compromise (BEC) attacks on record.
The scam? Simple emails impersonating executives.
The cost? Nearly $47 million was lost in just 17 days.
This wasn’t a failure of firewalls or antivirus software.
It was a failure of trust, process, and verification—something any business, large or small, can learn from.
The Scam: How It Worked
The attackers used classic social engineering tactics—with frightening effectiveness:
1. Target Research
They identified key executives and finance staff using public data—company websites, press releases, and regulatory filings.
2. Email Spoofing
Using fake email addresses that looked legitimate (e.g., [email protected] vs. [email protected]), they mimicked Ubiquiti’s tone and internal language.
3. Pretexting With Urgency
While Ubiquiti did not publish the exact contents of the emails, public reporting confirms that the attackers used messages portraying urgent, confidential business activity to pressure employees into acting quickly—discouraging verification.
4. Execution
Over just 17 days, Ubiquiti staff authorized 14 fraudulent wire transfers totalling $46.7 million to overseas accounts.
Key Insight: This wasn’t a technical hack. It was a trust hack—and it worked.
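A mail filter or a finance team's triage script can catch the combination described in steps 2 and 3. The sketch below is an added example, not part of the original post or of Ubiquiti's tooling; the trusted domain, the keyword list and both sample messages are constructed assumptions.

```python
# Added example: flag mail that pairs a lookalike sender domain with pressure cues.
# TRUSTED, PRESSURE_WORDS and both sample messages are constructed assumptions.
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "example.com"  # placeholder for the organization's real mail domain
PRESSURE_WORDS = ("urgent", "confidential", "immediately", "wire")

def edit_distance(a, b):
    """Levenshtein distance using one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def review(raw):
    """Reasons a message needs verification over a second channel."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    reasons = []
    # A near miss of the trusted domain (one or two edits), not the domain itself.
    if domain != TRUSTED and edit_distance(domain, TRUSTED) <= 2:
        reasons.append("lookalike sender domain: " + domain)
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        reasons.append("pressure language: " + ", ".join(hits))
    return reasons

# Constructed sample messages.
SPOOFED = ("From: CEO <ceo@examp1e.com>\n"
           "Subject: Urgent and confidential\n\n"
           "Please wire the funds today.\n")
ROUTINE = ("From: Accounts <ap@example.com>\n"
           "Subject: Invoice schedule\n\n"
           "Monthly report attached.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("routine", ROUTINE)):
        print(name, review(raw) or "no findings")
```

A hit here is a reason to confirm the request by phone or in person, not proof of fraud.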
What Went Wrong
Even successful companies can overlook simple but critical protections.
Email-only verification: Staff trusted messages without confirming through another channel.
No Multi-Factor Authentication (MFA): MFA could have blocked access to sensitive tools or inboxes.
Lack of email authentication (SPF, DKIM, DMARC): Without these, spoofed emails flew under the radar.
No “second eyes” rule: Wire transfers didn’t require multi-approval.
Insufficient training: Staff didn’t know how to spot or escalate unusual requests.
Even with a strong IT team, human decisions made under pressure became the weakest link.
How Ubiquiti Discovered the Fraud
On June 5, 2015, internal teams flagged suspicious transfers from a Hong Kong subsidiary.
The damage?
14 transfers
$46.7 million gone
They acted fast:
Contacted banks
Notified authorities
Launched an internal investigation
They also confirmed there was no system breach—the attack relied purely on deception.
What Helped Their Recovery
Ubiquiti didn’t get all their money back—but they made important moves quickly:
Swift reporting: Alerted banks, international financial authorities, and the FBI.
Legal action: Took legal steps across multiple countries to freeze stolen funds.
Partial recovery:
$8.1M recovered
Another $6.8M frozen through legal proceedings
Public transparency: Disclosed the incident in financial reports—taking responsibility and rebuilding trust.
How Ubiquiti Rebuilt Trust and Resilience
The company strengthened its defences with a mix of process and tech improvements:
✅ Internal Controls – Introduced multi-approval rules for all high-risk financial transfers.
✅ MFA Everywhere – Rolled out Multi-Factor Authentication across sensitive systems.
✅ Employee Training – Increased phishing and BEC awareness across all teams.
✅ Email Authentication – Implemented SPF, DKIM, and DMARC to detect and reject spoofed emails.
✅ Ongoing Legal Efforts – Continued recovery work in multiple jurisdictions.
Lesson: The most valuable outcome wasn’t the recovered money—it was the stronger culture that followed.
Key Takeaways for Canadian Small Businesses
The following weren’t necessarily part of Ubiquiti’s official response, but they reflect proven tactics endorsed by cybersecurity professionals and the Canadian Centre for Cyber Security.
You don’t need to be a tech giant to be targeted—or protected. Here's what works:
1. Set a Two-Person Rule
No financial transfers or bank changes without a second pair of eyes.
2. Use a Secret Phrase for Sensitive Requests
Add a shared word to legit high-risk emails.
No safe word? No action.
3. Secure Your Domain
Use MxToolbox to set up:
SPF – Approves servers that can send email for your domain
DKIM – Confirms the email hasn't been altered
DMARC – Instructs how to handle suspicious email
4. Train Your Team Frequently
Short, real-world examples go a long way—normalize asking questions.
5. Require MFA on Everything
Email, cloud tools, banking—especially for executive accounts.
6. Normalize the Pause
Empower your team to say, “Can we double-check this before acting?” That pause can save your business.
Final Thought
BEC doesn’t break into your systems—it breaks into your trust.
Ubiquiti’s story shows how costly a fake email can be—and how essential it is to verify, not assume.
You don’t need a massive cybersecurity budget to build strong habits.
Just the right processes, a bit of training, and a culture that values caution over speed.
Because one trained team member asking the right question can stop millions from walking out the door.