Thanks to the long-running Nigerian Prince Scam, business email compromise (BEC) attacks are most commonly associated with the African country that gives the scam its name.
And with good reason too. Half of all email scammers are located in Nigeria, according to phishing defence company Agari.
But a year-long investigation by the security firm reveals a sprawling network of BEC scammers and a tangled web of money mules spread across 50 countries.
Nigeria is at the centre of this web, but the US is the second-largest hotspot, accounting for 25% of email scammers.
Agari’s Cyber Intelligence Division (ACID) identified money mules in every state – including the District of Columbia, home to the law-making capital of Washington DC.
Nearly half of US scammers were located in the states of California, Georgia, Florida, Texas and New York.
BEC attacks, in which a fraudster uses email to scam organisations into transferring funds, have been steadily on the rise each year.
According to the FBI, these attacks cost organisations more than $26bn globally between 2016 and 2019. The real figure is likely to be higher because not all incidents are reported.
Money mule networks
Mules play a crucial role in this criminal enterprise, laundering stolen funds and moving them offshore.
Agari uncovered a total of 2,900 money mule bank accounts, with more than 900 of these located in the US.
Hong Kong is a popular destination for laundering money, with the average amount requested to be sent to money mules standing at $247,000 – six times higher than in the US.
Across the criminal groups tracked by Agari, a total of $64m was requested from organisations.
“A CISO I spoke to just last week explained her number-one goal is customer trust – to earn it, maintain it and respect it,” said Agari Chief Identity Officer Armen Najarian.
“The information unveiled today as a result of our ACID team’s investigations enables CISOs to learn something new about the threat landscape they are working in and how to adapt their security controls to stay out ahead of fraudsters. And ultimately those actions taken by the CISO organization earn and sustain consumer trust.”