A study of more than 9,000 instances of business email compromise (BEC) attacks all over the world shows that the number has skyrocketed over the past year, and that the social-engineering scam has expanded well beyond its historic roots in Nigeria.
The report from Agari’s Cyber Intelligence Division (ACID), entitled The Global Reach of Business Email Compromise, found that these attacks cost businesses a staggering $26 billion every year. And that trend appears to be accelerating. In fact, researchers found BEC attacks currently make up a full 40 percent of cybercrime losses globally, impacting at least 177 countries.
For context, the Anti-Phishing Working Group recently found that the average wire transfer in a BEC scam is around $80,000.
In a BEC attack, a scammer impersonates a company executive or other trusted party, and tries to trick an employee responsible for payments or other financial transactions into wiring money to a bogus account. Attackers usually conduct a fair amount of recon work, studying executive styles and uncovering the organization’s vendors, billing system practices and other information to help mount a convincing attack.
It started as an evolution from the old-school lures used by Nigerian cybergangs to trick people into giving them money: Fake princes, the promise of finding true love or even work-from-home gigs that sound too good to be true.
“Most of the seasoned actors have some nexus to Nigeria,” the report said. “It is here, after all, where BEC first gained global notoriety back in 2015, when email-fraud rings first began defrauding organizations by impersonating their CEOs and CFOs in email scams targeting employees.”
The rising payoff for these crimes has led to a period of innovation, according to the report, which identified a new “flavor” of attack, called vendor email compromise, which Agari credits to the criminal organization Silent Starling, located in West Africa.
In a VEC attack, crooks will first compromise accounts belonging to employees of suppliers, then target the vendors’ customers by purporting to be the owner of the compromised account and asking clients to transfer money to the “supplier” – which is actually a mule account.
Meanwhile, these types of attacks have evolved to become more potent and more difficult to stop, largely because these operations have proliferated worldwide, beyond their Nigerian roots.
More Money, More BEC Attacks
Insights gained by Agari in analyzing 9,000 defense engagements between May 2019 and July 2020 found that only half of the instances examined originated in Nigeria. Law-enforcement crackdowns have driven these fraudsters elsewhere and rising returns are enticing other criminal gangs into the fray, meaning the bases of operations from these scams can come from anywhere.
What researchers found instead was that 25 percent of these attacks originated in the U.S., specifically clustered in the states of California, Florida, Georgia, New York and Texas. Not coincidentally, these are the same states targeted by the U.S. Department of Justice’s BEC crackdown.
On Sept. 10, the DOJ announced that 281 arrests had been made across the globe under “Operation ReWired,” and detailed where investigators found U.S.-based scammers, including the metro areas of Atlanta, Chicago, Dallas, and Miami.
BEC Money Mules
Perhaps the most crucial aspect of any BEC gang scam is the role of “money mule.” These people, either wittingly or unwittingly, do the scammers dirty work for them, like setting up bank accounts and transferring money. As further evidence of BEC’s growing global presence, Agari identified mules scattered around 39 countries.
However, most of these mule accounts are located in the U.S. (80 percent) and clustered around many of the same metro areas as the scammers themselves — but, the report added, these accounts were found in every state and the District of Columbia.
Interestingly, they also noticed that mule-account deposit amounts in the U.S. were substantially smaller than in other countries. The report said that out of 2,900 mule accounts analyzed, the average amount requested by American-based scammers was $39,500, which is just a fraction of what was requested in other spots around the world. By comparison, Hong Kong had an average wire transfer amount of of $257,300.
“BEC actors can now be found in 50 countries, and while half of these actors still have a home base in Nigeria, the geographical distribution of these threat actors is much higher than was just a few years ago,” the report concluded. “This signals that cybercriminal organizations are healthy, growing, becoming more diversified and showing little signs of weakness.”