Email scams are one of the costliest types of cybercrime, but many people have never heard of them.
Business Email Compromise (BEC) scams involve criminals hacking into email accounts, pretending to be someone they’re not, and tricking victims into sending money where it doesn’t belong.
Although they receive far less attention than the massive ransomware attacks that have triggered a powerful government response, BEC scams have been by far the costliest type of cybercrime in the US for years, according to the FBI.
The huge profits and low risks associated with BEC scams have attracted criminals from all over the world. Some flaunt their ill-gotten riches on social media, posing in photos alongside Ferraris, Bentleys and piles of cash.
Almost all businesses are vulnerable to BEC scams, from Fortune 500 companies to small towns. Even the US State Department was tricked into sending BEC fraudsters more than $200,000 in grant funds meant to help Tunisian farmers, court records show.
“The scammers are extremely well organized and law enforcement is not,” said Sherry Williams, director of a San Francisco nonprofit organization that recently fell victim to a BEC scam.
US losses due to BEC scams in 2021 were nearly $2.4 billion, according to a new FBI report. That’s a 33% increase from 2020 and more than ten times what they were just seven years ago.
And experts say many victims never come forward and FBI figures only show a tiny fraction of how much money is stolen each year.
BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending electronic payments or making purchases they shouldn’t. Spear phishing emails are a common type of attack, but experts say scammers have been quick to adopt new technologies, such as artificial intelligence-generated “deep fake” audio to impersonate company executives and trick subordinates into sending money.
In the case of Williams, the San Francisco nonprofit director, the thieves hacked into the email account of the nonprofit’s accountant, inserted themselves into a long existing email thread, sent messages requesting a change to the wire transfer payment instructions for a grant recipient, and took $650,000.
After she found out what happened, Williams said, her calls to police went nowhere.
The FBI told her that the local US Attorney’s office would not take her case. She flew to Odessa, Texas, where the bank that initially received the stolen money was located. By then the money was long gone and the local detective couldn’t help. Williams asked her US senators for help and later learned the Secret Service was investigating, but said it hasn’t given her any updates.
Crane Hassold, an expert on BEC scams and a former FBI cyber analyst, has heard of federal prosecutors refusing to take BEC cases unless several million dollars are stolen, a minimum threshold that speaks to how out of control the problem is.
“There are so many of them that they can’t possibly work with all of them,” said Hassold, now director of threat intelligence at Abnormal Security.
The Justice Department has launched months-long operations in recent years that have generated hundreds of arrests around the world.
“Our message to criminals involved in these types of BEC schemes will remain clear: The FBI’s memory and reach are long and far-reaching, we will pursue you relentlessly no matter where you are,” said Brian Turner, executive deputy director of the Criminal, Cyber, Response and Services Branch of the FBI.
But security experts say the wave of arrests has had little impact, and the FBI’s own numbers show that BEC scams continue to grow at a rapid rate.
Sophisticated BEC scams targeting businesses and other organizations began to take off in the mid-2010s. It was also around this time that ransomware attacks, in which hackers break into networks and encrypt data, began to grow in frequency and severity.
For years, both BEC scams and ransomware attacks were largely treated as a law enforcement issue. That remains true for BEC attacks, but ransomware is now a key national security concern after a series of disruptive attacks on critical infrastructure, such as last year’s attack on the largest fuel pipeline in the US, which caused gas shortages on the East Coast.
Hackers from the National Security Agency have taken steps to disrupt the networks of ransomware operators. The Department of Justice created a special anti-ransomware task force to better organize the law enforcement response. And US President Joe Biden has raised the issue directly with President Vladimir Putin of Russia, where many ransomware operators are based.
Nothing resembling such efforts against BEC fraud has been deployed despite huge financial losses.
If the US were to launch a whole-of-government response to BEC fraud, it would almost certainly be largely focused on Nigeria. Nowhere are BEC fraudsters more active than in Africa’s most populous nation, where they have been able to operate almost unchecked for decades.
Ramon Abbas, a well-known Nigerian social media influencer who went by the name Hushpuppi, had more than 2 million followers on Instagram before he was arrested in Dubai. Abbas’s social media posts showed him living a life of total luxury, complete with private jets, ultra-expensive cars, and high-end clothing and watches.
“I hope to one day inspire more young people to join me on this path,” read an Instagram post by Abbas, who pleaded guilty in the US to BEC-related international money laundering and other cybercrimes last year. His sentencing is currently set for July.