On the long list of cybersecurity threats facing corporate leaders, romance scams would at first glance hardly seem to crack the top 10. What could cons of lonely middle-aged singles have to do with the business email compromise (BEC) attacks increasingly targeting American corporations? Plenty, it turns out. Recent Justice Department enforcement actions and published research reports have illuminated the connection: Romance scam victims are turned into money mules — conduits for funds stolen from corporations and other victims.
Scamming people online is relatively easy. The harder part is getting money out of the U.S. and back to Nigeria, where many of the scammers are based. A corporate treasurer is likely to hesitate before wiring tens of thousands of dollars to an unknown person or company in Nigeria, even if asked to do so by the company’s CEO. A transfer request like this is also more likely to raise eyebrows at the company’s bank, but a “consulting company” with a U.S. bank account is more likely to slip through unquestioned. The romance scam victim, who has an established history of transferring money to Nigeria, is the
“consulting company” receiving the funds and transferring them onward. Why would these victims agree to do this? In many cases, they remain under the scammer’s spell and are willing to do whatever they are asked to do. In other cases, they have become financially desperate or they are being blackmailed to force their ongoing cooperation.
Romance scammers frequently target women who are 40 or older. They will often pose as an American military man living overseas, using photos grabbed from Facebook or other sites. After a period of relationship building, the male partner will start asking for money. He may say he needs surgery, but the military will cover only 80% and he asks to borrow the remaining 20%. Or perhaps he has been arrested in a dangerous part of the world and needs money to buy his freedom.
Caution and prudence are no match for hope and loneliness. It’s surprising how often this works — how willing people are to ignore the warning signs and repeated disappointments. Time after time the scammer finds an excuse about why he can’t come to visit his romantic victim, yet he always finds a way to ask for more money. In one especially sad case we tracked, a divorced woman with two children sent more than half a million dollars to a Nigerian scam artist, losing her home and forcing her to move her children out of their school.
There’s a long history of Nigeria-based scams. These criminals have had little fear of being brought to justice, bragging about their ill-gotten gains in their Facebook posts. The long arm of the law is finally reaching them. The U.S. Justice Department and other U.S. agencies are increasingly going after Africa-based scammers, including in two recently announced enforcement actions, and have succeeded in getting accused criminals extradited to the United States for prosecution.
On June 11, the Justice Department and a group of other U.S. federal agencies announced the arrest of 74 individuals involved in scamming in an enforcement action it called Operation Wire Wire. Among them, 23 individuals were charged with money laundering of at least $10 million from BEC scams, which they also call “cyber-enabled financial fraud.” Of the 23, 8 people were charged with laundering $5 million stolen from a Seattle corporation, a law firm and several title companies.
“The fraudsters enlist and manipulate the money mules through romance scams or ‘work-at-home’ scams,” the Justice Department said.
The same Nigerian scammers (both individuals and groups) who have long run romance scams are now unleashing BEC attacks against corporations. Agari recently analyzed the contents of 78 criminal email accounts captured from 10 organized crime groups and dating as far back as 2009. It found after focusing for years on simple romance and rental scams, most of the groups began conducting BEC attacks between 2016 and 2018. BEC has become the most popular attack vector (24% of all attacks over the life of the accounts), a surprising finding given that most of these groups did not begin BEC attacks until 2016 or later. Most of the groups also engage in apartment rental scams, which aren’t as lucrative as BEC or romance scams but are much easier to pull off and replicate.
“The same criminal organizations that perpetrate BEC also exploit individual victims, often real estate purchasers, the elderly and others, by convincing them to make wire transfers to bank accounts controlled by the criminals,” the Justice Department said in its June 11 announcement. In a separate set of eight arrests announced on June 25, dubbed Operation Keyboard Warrior, a group of Africa-based defendants were charged with perpetrating “romance scams, fraudulent-check scams, gold-buying scams, advance-fee scams and credit card scams,” and sending the proceeds of those scams from the U.S. to Ghana, Nigeria and South Africa “through a complex network of both complicit and unwitting individuals that had been recruited through the various internet scams.”
In one of the accompanying indictments, the defendants were charged with carrying out “fictitious online romance relationships … in order to convince them to carry out” acts including “receiving and shipping merchandise, depositing and forwarding counterfeit checks and transferring the proceeds of the conspiracy via wire, U.S. Mail, ocean freight and express package delivery services.”
Amid the crackdown, however, losses are mushrooming. The FBI’s Internet Crime Complaint Center (IC3) in July reported a 136% increase in identified global exposed losses between December 2016 and May 2018.
It’s a tough problem. The victims I’ve spoken with have a gambler’s mentality. Deep down they know it’s a scam, but if they cut off the communication they know they’ll never see the money the scammer supposedly borrowed from them. Better to keep playing, hoping their luck will change. Sadly, the odds they’ll ever see a dime are zero. They’d be better off in Vegas, where winning is at least a possibility. Emotionally and financially broken, they are easily manipulated into aiding the scammer by helping to launder the proceeds of BEC scams.