281 scammers arrested but BEC scams continue to grow alarmingly
In a massive law enforcement operation across ten countries including the United States, the UK, Japan, France, and Nigeria, the FBI, along with local law enforcement agencies, has succeeded in arresting 281 cyber criminals accused of carrying out international BEC scams.
In a press release published on Tuesday, the FBI revealed that the multi-nation operation resulted in the arrest of 74 cyber criminals in the United States and over two hundred others in Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom.
Aside from arresting those behind business email compromise (BEC) scams, authorities also seized nearly $3.7 million and either disrupted or recovered approximately $118 million in fraudulent wire transfers.
“These sophisticated cyber-enabled scams often target employees with access to company finances and—using methods like social engineering and computer intrusions—trick them into making wire transfers to bank accounts thought to belong to trusted partners. The accounts are actually controlled by the criminals,” the FBI explained.
“Criminal organisations that perpetrate BEC schemes don’t just target companies. They also exploit individual victims—such as real estate purchasers or the elderly—by convincing them to make wire transfers to bank accounts controlled by the criminals. The scam can also involve requests to purchase gift cards and send the serial numbers or to mail a check, but the request will always appear to come from someone known to or trusted by the victim,” it added.
BEC scams resulted in losses of over £21 billion globally
On Monday, the FBI also revealed in a separate press release that between May 2018 and July 2019, financial losses suffered by small, medium, and large business, as well as citizens to BEC scams, grew by 100% compared to the previous year, with such scams impacting businesses in 177 countries and fraudulent money transfers taking place in 140 countries.
In fact, between June 2016 and July 2019, as many as 166,349 reported instances of business email compromise inflicted losses of over $26 billion to global enterprises and citizens. Between October 2013 and July 2019, BEC scams impacted 69,384 businesses or indiviiduals in the US alone and resulted in the loss of over $10 billion.
“Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds. However, the Federal Bureau of Investigation has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey,” it warned, indicating that cyber criminals are seeking new banks to carry out their fraudulent activities and to park their illegally-obtained funds.
It remains to be seen whether the arrest of 281 cyber criminals across ten countries by the FBI and other law enforcement agencies this year will be able to cripple the network that conducts BEC scams across the globe.
Last year, the FBI ran a similar operation that resulted in the arrest of 74 cyber criminals, 29 of whom were based in Nigeria, and another 42 were in the United States. The arrests took place following a six-month-long investigation that involved personnel from the FBI, the Department of Justice, the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service. The agencies were able to bust several cyber crime groups located in the United States, Nigeria, Canada, Mauritius, and Poland.
Layered defence & user education key to stopping scammers
According to Kevin Epstein, vice president of threat operations at Proofpoint, it is difficult or close to impossible for law enforcement agencies to eradicate the scourge of BEC scams as carrying out such scams does not require much money but a lot of research into targetec victims.
“Sending fraudulent email is cheap and the messages don’t require expensive malware or sophisticated command and control; yet the attacks themselves are highly effective, resulting in billions of dollars in reported losses.
“Exploiting the email communication channel through highly personalised, socially engineered messages allows attackers to easily impersonate a trusted employee or partner. The prevalence and effectiveness of pervasive credential phishing schemes provides fuel for increasingly common EAC attacks as well, giving attackers an inside channel to implement their schemes,” he says.
Epstein adds that with the passage of time, these social engineering schemes will only become more prevalent and difficult for organizations to identify, detect, and respond to. Therefore, organisations should prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against phishing, email fraud, credential theft, and brute force attacks.
“We recommend layered defenses at the network edge, email gateway, in the cloud, and endpoint, along with strong user education to provide the best defense against these types of attacks, most of which lack malware payloads that traditional defenses are designed to detect,” he adds.