By ALAN SUDERMAN – Associated Press
RICHMOND, Va. (AP) – It’s a crime that’s stealing untold billions from the economy — but many people have never heard of it.
In business email compromise scams, criminals hack into email accounts, pretend to be someone they are not, and trick victims into sending money where it doesn’t belong.
While receiving far less attention than the massive ransomware attacks that prompted a strong government response, BEC scams have been by far the most costly type of cybercrime in the US for years, according to the FBI.
The huge payouts and low risks associated with BEC fraud have attracted criminals worldwide. Some flaunt their ill-gotten fortunes on social media, posing in pictures alongside Ferraris, Bentleys and stacks of cash.
Almost every business is vulnerable to BEC fraud, from Fortune 500 companies to small towns. Even the US State Department was tricked into sending BEC scammers more than $200,000 in grants intended to help Tunisian farmers, court filings show.
“The scammers are extremely well organized and law enforcement is not,” said Sherry Williams, director of a San Francisco nonprofit that was recently the victim of a BEC scam.
Losses in the US due to BEC fraud totaled nearly $2.4 billion in 2021, according to a new report from the FBI. That’s a 33% increase from 2020 and more than a tenfold increase from just seven years ago.
And experts say many victims never come forward, so the FBI’s numbers capture only a small fraction of how much money is stolen each year.
BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending transfers or making purchases they shouldn’t. Targeted phishing emails are a common type of attack, but experts say scammers have been quick to adopt new technologies, such as
In the case of Williams, the director of a San Francisco nonprofit, thieves hacked the email account of the nonprofit’s accountant, then included themselves in a lengthy email thread, sent messages asking to change the transfer instructions for a grantee and walked away with $650,000.
After she found out what happened, Williams said her calls to law enforcement went nowhere.
The FBI told her that the local US Attorney’s Office would not be taking her case. She flew to Odessa, Texas, where the bank that originally received the stolen money was located. The money had long since run out by this point, and the local detective couldn’t help. Williams reached out to her US senators for help and later learned the Secret Service was investigating, but she said it hadn’t given her any updates.
Crane Hassold, an expert on BEC fraud and a former FBI cyber analyst, has heard of federal prosecutors refusing to take on BEC cases unless several million dollars have been stolen, a minimum threshold that shows how out of control the problem is.
“There are so many of them that it’s impossible to handle them all,” said Hassold, now Abnormal Security’s director of threat intelligence.
The Justice Department has launched months-long operations in recent years that have led to hundreds of arrests around the world.
“Our message to criminals involved in these types of BEC programs will remain clear: The FBI’s memory and reach is long and wide, we will pursue you relentlessly wherever you are,” said Brian Turner, Executive Assistant Director of the FBI’s Criminal, Cyber, Response, and Services Divisions.
But security experts say the wave of arrests has had little effect, and the FBI’s own numbers show BEC scams continue to grow at a rapid pace.
Sophisticated BEC scams targeting businesses and other organizations began to flourish in the mid-2010s. It was also around this time that ransomware attacks — in which hackers penetrate networks and encrypt data — increased in frequency and severity.
For years, both BEC fraud and ransomware attacks have largely been treated as a law enforcement issue. That still applies to BEC attacks, but ransomware is now a major national security concern after a series of disruptive attacks on critical infrastructure, such as last year’s against the US’s largest fuel pipeline, which led to gas shortages along the east coast.
National Security Agency hackers have taken action to disrupt ransomware operators’ networks. The Justice Department created a dedicated ransomware task force to better organize the law enforcement response. And US President Joe Biden raised the issue directly with President Vladimir Putin in Russia, where many ransomware operators are located.
Despite the huge financial losses, nothing has been done about BEC fraud that comes close to these efforts.
If the US launched a nationwide response to BEC scams, it would almost certainly be heavily focused on Nigeria. Nowhere are BEC scammers more active than in Africa’s most populous nation, where scammers have been able to operate almost unchecked for decades.
Ramon Abbas, a well-known Nigerian social media influencer who went by the name Hushpuppi, had more than 2 million followers on Instagram before he was arrested in Dubai. Abbas’ social media posts revealed that he lived a life of total luxury, complete with private jets, ultra-expensive cars, and high-end clothing and watches.
“I hope that one day I’ll inspire more young people to join me on this journey,” read an Instagram post from Abbas, who last year pleaded guilty in the United States to involvement in international money laundering linked to BEC and other cybercrimes. His sentencing is currently set for July.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.