Some email scams—penis enlargement spam, “Nigerian prince” shakedowns—feel like they’ve been around almost as long as email itself. But the grifts have evolved significantly over the last decade, as scammers have learned that they can extract much bigger payouts from big businesses than lone victims. They’ve tallied billions of dollars in the last few years alone. In the 2020s, it’s only going to get worse.
In these so-called business email compromise schemes, attackers either infiltrate a legitimate email account from a company or create a realistic spoof account. They use that position to broker seemingly legitimate wire transfers for “business transactions” like contract payment; the money instead goes into the criminal’s pockets. The scale is staggering; in September alone, Toyota lost $37 million in a BEC scam, and the Japanese media company Nikkei lost $29 million.
“For a long time cybercriminals believed that the money was within the masses,” says Crane Hassold, senior director of threat research at the email security firm Agari and former digital behavior analyst for the Federal Bureau of Investigation. “But in fits and starts over the past decade and then especially beginning about five years ago you saw a pivot of the entire threat landscape—email scams, ransomware—making more money with targeting businesses than individuals. We’re certainly not at the peak of this wave right now. We are at a point of rapid evolution.”
“The question is going to be, how do people not fall for this?”
Crane Hassold, Agari
It might seem obvious that businesses could be swindled out of more cash than individual victims, given how much more they have to start with. And some attackers were early to the idea; Lithuanian scammer Evaldas Rimasauskas was sentenced to five years in prison last week after pleading guilty to stealing more than $120 million from Facebook and Google in BEC scams that date back to 2013. Overall, though, scammers made good money in the 1990s and early 2000s casting a wide net and racking up a lot of small, incremental payments. As spam filters improved and web users wised up, scammers found themselves hitting a plateau. So they did what any entrepreneur would: innovate and diversify.
Between June 2016 and July 2019 the FBI counted 166,349 BEC incidents in the US and abroad totaling more than $26 billion in losses. The Treasury Department’s Financial Crimes Enforcement Network estimates that BEC losses crossed $300 million per month with more than 1,100 incidents per month in 2018. And that just covers incidents that victims reported.
One catalyst of BEC growth is its reliance on the fundamentals of scamming, rather than requiring advanced hacking skills. Tricking someone into paying a fraudulent invoice over email isn’t that different from charging people to play a rigged carnival game. Often, the most technical part of the scam for attackers involves using techniques like targeted spearphishing or credential stuffing to break into a company email account for legitimacy and to do recon on how to craft the most compelling scam.
“Scams are always present one way or another, but with time the digital environment underwent changes,” says Lukasz Olejnik, an independent cybersecurity advisor and research associate at Oxford University’s Center for Technology and Global Affairs. “BEC is basically all social engineering and manipulation. Targeting the right people at businesses who have substantial power without enough security awareness creates an asymmetry that is worth exploiting for scammers.”
BEC attacks stem from a set of tools and techniques that can be repurposed and combined in all different ways to generate (stolen) cash. Credential phishing, account takeovers, check fraud, money laundering, romance scams, and countless other elements are like tools in a toolbox, as Agari senior threat researcher Ronnie Tokazowski puts it. And while law enforcement has made some progress catching scammers and their money mules in recent years, the diversity of potential attacks makes it extremely difficult to stamp scamming out.