Law enforcement officials have arrested 281 individuals for allegedly engaging in business email compromise scams in a significant operation spanning ten countries.
Business email compromise, or BEC, involves scammers tricking employees into transferring large sums of money via wire payment. These attacks usually target employees with access to company funds who have been identified in huge databases of employee contact details.
The four-month investigation, dubbed Operation ReWired, involved the US Department of Justice, US Department of Homeland Security, US Department of the Treasury, US Postal Inspection Service and the US Department of State, as well as coordination from international law enforcement.
The majority of the arrests – 167 – were made in Nigeria. Numerous reports have shown the African nation to be the world’s hotbed for BEC scams.
A further 72 arrests were made in the US. Law enforcement officials also arrested individuals in the UK, Turkey, Ghana, France, Italy, Japan, Kenya and Malaysia.
“The consequences of this type of fraud scheme are far-reaching, affecting not only people in the United States, but also across the world,” said Chief Postal Inspector Gary Barksdale.
“This investigation is just another example of how effective law enforcement agencies can be when they join forces.”
IRS Criminal Investigation chief Don Fort said: “In unravelling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91m in refunds.”
The latest BEC crackdown is a step up in scale from previous arrest campaigns. In 2018, Operation Wire Wire saw 74 BEC scammers arrested by US law officials.
“From an attacker’s perspective looking to make money, BEC scams are the perfect blend of low cost and high return,” said Javvad Malik, security awareness advocate at cybersecurity training firm KnowBe4.
“BEC scams rarely, if ever, need any malware to be effective and operate on deceiving users.”
BEC arrests: The cost to victims
Nearly $3.7m in assets was seized as part of Operation ReWired. However, this is small change compared to the total amount made by BEC scammers around the world.
On Tuesday – the same date the BEC arrests were announced – the FBI published data that showed BEC scams cost victims $26bn between June 2016 and July 2019.
Losses from BEC scams doubled between June 2018 and July 2019.
“BEC attacks are clearly surging and it’s not surprising considering the financial return cyber criminals are seeing,” said Robert Ramsden-Board, vice president of EMEA at cybersecurity firm Securonix.
“The attacks are easy to carry out and carry a fairly low risk as many people behind the scams never get caught.”
Ramsden-Board added that employee training is key to spotting BEC scams, a move supported by the FBI.
The cost of BEC scams isn’t just counted in lost cash. Criminals also trick people – often those who are vulnerable – into believing they are in a relationship and then persuade them to send money.
Such romance scams can have a deeply distressing emotional impact on those who are affected.
Other variants of BEC attacks involve stealing personally identifiable information, homebuyer scams and lottery scams.
Ronnie Tokazowski, senior threat researcher at Agari, a firm that specialises in BEC protection, told Verdict:
“When looking at the number of individuals who are involved in BEC, it’s staggering. Over 600 people have been arrested as being part of BEC; however, we still have a lot of work to do before we start to impact the $26bn which has been lost since 2013.
“While some industries try to predict the cost of losses associated with other types of cyber threats such as ransomware, BEC is already there. That’s $26bn of confirmed losses, victims who have lost their homes, mom-and-pop shops who have had to file bankruptcy, and many, many other victims and sad stories associated with this type of threat.”