Practical Techie: Business ‘email compromise’ emerges as a new form of persistent cybercrime
Crooks abound in cyberspace, and they never stop phishing in the digital waters. The latest rash occurred in late March 2022, and the crookedness even reached into Puerto Rico.
A new form of devious behavior that hits the corporate world is dubbed “business email compromise” (BEC), a type of cyber fraud that has resulted in billions of US dollars lost to deceptive schemes.
As a result of the latest wave, 65 people were arrested during an international law enforcement crackdown on attackers, which started in September of last year and lasted three months. The suspects hail from the US, Nigeria, South Africa, Canada, and Cambodia. All were accused of scamming over 500 U.S. victims, causing losses of over $51 million, according to an FBI communique.
LOSSES — BEC is typically carried out when legitimate business email accounts are compromised through social engineering techniques and then used to conduct unauthorized funds transfers. A recently released Internet Crime Complaint Center (IC3) report estimates losses from phisher scams in 2021 at nearly $2.4 billion. In 2022 the figure climbed to over $20 billion in the first half of the year. For example, in 2021, IC3 received a record number of complaints from the American public: 847,376 reported complaints, a 7% increase from 2020, with potential losses exceeding $6.9 billion. Among the 2021 complaints received, ransomware, business email compromise, and the illicit use of cryptocurrency made up the top incidents reported. In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion.
PHISHERS — Two suspects of Nigerian origin operated out of Houston, Texas. The two are charged with involvement in an international money laundering conspiracy in which money mules moved at least $4.5 million in fraudulent funds, obtained via BEC and other fraud schemes, from the US to Nigeria. The plot impacted a Puerto Rico-based renewable energy supplier that the FBI did not identify. The fraud included check schemes that impacted hundreds of victims in the US and Canada, with losses of $16 million.
Another eight suspects in Houston were charged with laundering almost $900,000 in proceeds from a BEC scam. According to the FBI, the Texas group laundered millions over two years, with the illegal funds consisting of payments received from victim businesses worldwide. Besides detecting suspects, the FBI is also focusing its efforts on recovering financial losses.
PERSISTENT — Phishing seems to be an unstoppable cybercrime despite the crackdowns. In 2018, an international law enforcement crackdown led to the arrest of 74 suspects worldwide, and one in 2019 resulted in another 281 arrests. Many countries even consider business email compromise scams a threat to national security that can no longer be ignored. Cyber threats evolve and become increasingly intertwined with traditional foreign intelligence threats because BEC schemes involve intricate networks of money mules that set up bank accounts to split, transfer, deposit, or withdraw the funds stolen from victims through national banking centers.
The BEC angle of phishing is difficult to stop with mere arrests of suspects. Experts from the security news website duo.com say that unlike ransomware groups, where one centralized, primary team drives the majority of the activity, BEC schemes are made up of thousands of individuals working on their own but sharing information about methods and targets.
INGENUITY — Global law agencies give the digital con artists no pause, but the swindlers are becoming ever more sophisticated. One new BEC trend highlighted in the IC3 report involves attackers using virtual meetings to instruct victims to send fraudulent wire transfers. The attackers would compromise a company CEO’s email and request that employees participate in a meeting on a virtual meeting platform. In those meetings, the attackers would then insert a still picture of the CEO and a deepfake audio impersonation. Employees would then be directed to initiate wire transfers.