Ubiquiti stung US$46.7 million in e-mail spoofing fraud

Ubiquiti Networks has been defrauded of more than US$46 million by scammers who spoofed its communications.

The heist was revealed in an SEC Form 8-K filing.

Apart from the financial information, details are scant. The San Jose company says: “The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.”

Ubiquiti says it's recovered $8.1 million of the heist and has launched legal action to chase a further $6.8 million, with the remaining $31.8 million subject to US and overseas law enforcement investigations.

Brian Krebs says the fraud is based on the scammers spoofing communications from the firm “in a bid to initiate unauthorized international wire transfers”.

Rather than a breach of its IT systems, Krebs says, the modus operandi seems to be similar to other attacks: e-mails spoofing the address of an executive (such as a CEO) instruct employees to make the funds transfers.

Ubiquiti says its audit committee and outside advisers have, perhaps unsurprisingly, concluded that there are “material weaknesses” in its “internal control over financial reporting”.

While it's unsure whether it has insurance coverage for the losses, the company also says “this matter will result in some additional near-term expenses,” but it “does not expect this incident to have a material impact on its business”.

The SEC filing notes that Ubiquiti's chief accounting officer has resigned, with an interim replacement appointed. ®