The business world is a little bit safer now. In June 2018, the US Department of Justice announced that more than 80 cybercriminals were arrested for their involvement in business email compromise (BEC) scams. In this type of attack, cybercriminals use spear phishing emails, social engineering techniques, and other tools to con companies out of money and sensitive data. In 2017 alone, BEC scams cost businesses more than $675 million (USD).

The June 2018 arrests were the result of two separate operations. A six-month investigation dubbed “Operation Wire Wire” led to the arrest of 74 individuals. Most of these arrests took place in the United States (42) and Nigeria (29). The remaining arrests occurred in Canada, Poland, and Mauritius. The US Department of Justice, US Department of Homeland Security, US Department of the Treasury, and the US Postal Inspection Service were involved in this operation, which resulted in the disruption and recovery of around $14 million in fraudulent wire transfers.

In the second operation, “Operation Keyboard Warrior“, US and international law enforcement worked together to disrupt BEC scams perpetrated from Africa. Eight people were arrested for their roles in conning US companies (and even some citizens) out of $15 billion since 2012.

The Victims

The two operations revealed that the BEC scammers had targeted many different types of businesses, including law firms, real estate agencies, and trust companies. While some of the victims were located in large metropolitan areas such as Charlotte, North Carolina, and Memphis, Tennessee, others were from smaller cities. For instance, one of the victims was a business in Eau Claire, a college town in the northwestern part of Wisconsin. This case is of particular interest for another reason. It gives a glimpse into how sophisticated some BEC scams have become.

Like in most BEC attacks, the Wisconsin business was scammed by a group of cybercriminals. Before running their con, the scammers first created a fake corporation — a furniture merchant wholesaler supposedly in Sunrise, Florida. They then opened several banking accounts for it, including one at the TD Bank in Miami, Florida.

The scammers also researched their victim beforehand. They discovered that the Wisconsin business often purchased materials from an Illinois lumber company. Plus, they found out the names, titles, and email addresses of the individuals they needed to target (the Wisconsin business’s accounting manager) and impersonate (the lumber company’s credit manager).

Posing as the lumber company’s credit manager, the scammers sent an email to the Wisconsin business’s accounting manager. The email address in the message’s “From” field appeared to be the credit manager’s address. However, it was actually a Nigerian address, according to one report. In other words, the scammers had spoofed the email address in the “From” field.

In the email, the scammers requested that all invoice payments be sent to the lumber company’s international account rather than the usual account due to problems with the latter. (It could not accept payments.) The Wisconsin business’s accounting manager responded, noting that he would not be able to send money to an international account. The scammers wrote back, saying that this wasn’t a problem and he could instead send the payments to another one of the lumber company’s accounts — an account at the TD Bank in Miami. The accounting manager ended up authorizing an Automated Clearing House (ACH) payment of more than $1.6 million to the TD Bank account that the scammers had previously set up.

Fortunately, when the scammers were arrested, all but $8,000 of the $1.6 million was still in the account so the Wisconsin business got its money back. This is unusual. Most of the time, scammers immediately transfer stolen money to different accounts, according to an agent who worked on the case.

Complacency Is Not an Option

While the arrested BEC scammers will no longer be able to con businesses out of their money, companies should not become complacent. There are many more digital con artists out there, so it is important for companies to defend against BEC attacks. Here are some measures that your business might consider taking:

  • Teach employees at all levels about BEC scams. It is particularly important to educate those individuals who have the authority to send payments, as they are often targeted.
  • Avoid posting certain types of information on your business’s website. For example, you should not post job titles or hierarchal information. Scammers might be able to use this information to determine the best person to target in a BEC attack.
  • Show employees how to check whether an email address is spoofed. BEC scammers often spoof email accounts so that the emails appear to be from known contacts.
  • Use two-step verification for business email accounts. Rather than spoofing email addresses, scammers sometimes hack into the email account of the person they want to impersonate and send the spear phishing email directly from that account. Using two-step verification makes hacking into an email account much more difficult.

If you would like to learn more ways to protect your company against BEC scams and other types of cyberattacks, contact us.