In the face of adversarial example attack， deep neural networks are vulnerable. These adversarial examples result in the misclassification of deep neural networks by adding human-imperceptible perturbations on the original images， which brings a security threat to deep neural networks. Therefore， before the deployment of deep neural networks， the adversarial attack is an important method to evaluate the robustness of models. However， under the black-box setting， the attack success rates of adversarial examples need to be improved， that is， the transferability of adversarial examples need to be increased. To address this issue， an adversarial example method based on image flipping transform， namely FT-MI-FGSM （Flipping Transformation Momentum Iterative Fast Gradient Sign Method）， was proposed. Firstly， from the perspective of data augmentation， in each iteration of the adversarial example generation process， the original input image was flipped randomly. Then， the gradient of the transformed images was calculated. Finally， the adversarial examples were generated based on this gradient， so as to alleviate the overfitting in the process of adversarial example generation and to improve the transferability of adversarial examples. In addition， the method of attacking ensemble models was used to further enhance the transferability of adversarial examples. Extensive experiments on ImageNet dataset demonstrated the effectiveness of the proposed algorithm. Compared with I-FGSM （Iterative Fast Gradient Sign Method） and MI-FGSM （Momentum I-FGSM）， the average black-box attack success rate of FT-MI-FGSM on the adversarially training networks is improved by 26.0 and 8.4 percentage points under the attacking ensemble model setting， respectively.