Six-Year Reflection – What is Business Email Compromise Today
By Ronnie Tokazowski, Principal Threat Advisor
When it comes to tracking business email compromise (BEC), a lot has changed over the last six years. In the same breath, absolutely nothing has changed except our understanding of the problem. Duality of multiple truths can be a difficult concept to grasp, as two contradicting truths can be just that: true. On one side, BEC is seen as being responsible for billions of dollars lost, which is true. However, when you slightly shift your vantage point, the cyber criminals behind BEC attacks are responsible for MUCH more damage than initially thought. Let’s take a look at both vantage points where both everything and nothing have changed since we first started phishing the phishers and attempting to understand all things BEC.
How Everything BEC Has Changed
Setting our vantage point to the last six years, and everything BEC has changed. Initially, scammers started targeting CFOs and other corporate employees who had access to financial data. The initial attacks were extremely simple, where the actor asked for a simple wire transfer for some outstanding payment that needed to be processed. While those types of attacks still exist, BEC has shifted to include other types of attacks as well.
While CFO and executive spoofs are still a part of BEC, it has expanded to include invoice, W2, direct deposit, gift cards, and aging report scams. In each of these attacks, actors are able to expand their target list to include not just high-ranking executives and human resources, but to target regular employees within an organization. While losses in some of these cases (ex., W2 or gift card scams) may be lower or unseen to the organization, the truth of the matter is that scammers are still making billions of dollars due to this type of fraud, with institutions and organizations writing off the losses.
How Nothing BEC Has Changed
While business email compromise has changed and shifted over the last six years, the overall problem of cyber-enabled fraud in Nigeria hasn’t changed in decades. While many see BEC as a brand-new thing that started in the 2014-2015 timeframe, it’s actually a symptom of much larger issues in Nigeria, where citizens are forced to choose between poverty and a life of crime to survive.
In terms of cyber fraud in Nigeria, Yahoo Boys don’t do one type of crime but frequently dabble in multiple areas of crime. For example, the history of 419 scams harkens back to the 1990s, where Nigerian actors would send emails and letters to unsuspecting victims. In many of these scams, actors would promise large sums of money in exchange for a small tax fee. To the unsuspecting victims, the promise of untold riches is extremely enticing and, in many cases, spirals out of control.
As Nigeria gained access to the internet, access to victims across the world became much easier to achieve. The internet boom led to dating websites where lonely hearts could search for everlasting love, with the promise of finding their happily ever after. Cyber criminals figured out that they could make fake accounts pretending to be these love interests to manipulate victims into not only sending money, but laundering money on their behalf. And by using these networks of money mules, actors are able to let the victims take the hit if the fraud is ever detected.
And this brings us to 2015 and the times of BEC, where actors figured out that they could use networks of romance victims to send and receive money on their behalf. If law enforcement asks them what’s going on, they’re going to “lie” and say the money was moved on the lover’s behalf. However, the victim
has been caught in a web of lies facilitating a type of fraud that’s responsible for losses in the hundreds of billions of dollars.
Nigerian Fraud has been around forever…So what?
Understanding where we’ve been and where we’re going in the BEC fight is crucial to its success, because many of these problems have existed much longer than the six-to-seven years the security industry has been tracking BEC. While governments, agencies, and private sector partners are aligning for the next phase of the fight against fraud, understanding HOW we got here will help us understand what needs to be done to actually solve the problem. What was once billions in losses is now hundreds of billions in losses, period. The unfortunate truth about BEC is that we could arrest every single scammer tomorrow, and the underlying issues responsible for driving the fraud would still exist.
It should be clear by now that business email compromise is both highly lucrative to threat actors and exploding in its use to defraud countless victims worldwide. Billions are lost to unemployment fraud, romance victims, real estate fraud, advanced-fee fraud, and dozens of other crimes. No single security provider can solve all BEC, but we’re working hard to help fight it.
There are actions you can take to inform your employees and avert this threat. Educate your executive leadership team about this type of crime and discuss business email compromise with your organization at large, particularly employees responsible for payments and payroll. Reach out to suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized.
There is no single technology solution to BEC; rather it’s a combination of technology, process and user awareness. Cofense can help. Visit our BEC microsite for information and guidance. You can also contact us to learn how we can help you fight BEC and other ever-changing cyber threats.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.