Sherry Williams, executive director of One Treasure Island, poses for a photo at her office on Tuesday, April 5, 2022, in San Francisco. Business Email Compromise scams are a type of crime where criminals hack into email accounts, pretend to be someone they’re not and fool victims into sending money to places they aren’t supposed to. In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the nonprofit’s bookkeeper then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000. (AP Photo/Eric Risberg)
RICHMOND, Va. (AP) — It’s a crime that siphons untold billions from the economy — but many people have never heard of it.
Business Email Compromise scams involve criminals hacking into email accounts, pretending to be someone they’re not and fooling victims into sending money where it doesn’t belong.
Although they get far less attention than the massive ransomware attacks that have triggered a powerful government response, BEC scams have been by far the costliest type of cybercrime in the U.S. for years, according to the FBI.
The huge payoffs and low risks associated with BEC scams have attracted criminals worldwide. Some flaunt their ill-gotten riches on social media, posing in pictures next to Ferraris, Bentleys, and stacks of cash.
Almost every enterprise is vulnerable to BEC scams, from Fortune 500 companies to small towns. Even the U.S. State Department got duped into sending BEC scammers more than $200,000 in grant funds meant to help Tunisian farmers, court records show.
“The scammers are extremely well organized and law enforcement is not,” said Sherry Williams, a director of a San Francisco nonprofit that recently fell victim to a BEC scam.
Losses in the U.S. due to BEC scams in 2021 were nearly $2.4 billion, according to a new report by the FBI. That’s a 33% increase from 2020 and more than a tenfold increase from just seven years ago.
And experts say many victims never come forward and the FBI’s numbers only show a small fraction of just how much money is stolen each year.
BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending wire payments or making purchases they shouldn’t. Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like “deep fake” audio generated by artificial intelligence, to impersonate executives at a company and fool subordinates into sending money.
In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the nonprofit’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.
After she discovered what happened, Williams said, her calls to law enforcement went nowhere.
The FBI told her the local U.S. attorney’s office won’t take her case. She flew to Odessa, Texas, where the bank that initially received the stolen money was located. The money by then was long gone and the local detective was powerless to help. Williams asked her U.S. senators for help and later learned the Secret Service was investigating, but she said it hasn’t given her any updates.
Crane Hassold, an expert on BEC scams and former cyber analyst with the FBI, has heard of federal prosecutors declining to take BEC cases unless several million dollars were stolen, a minimum threshold that speaks to how out of control the problem is.
“There’s so many of them they can’t possibly work them all,” said Hassold, now director of threat intelligence at Abnormal Security.
The Justice Department has launched months-long operations in recent years that have netted hundreds of arrests worldwide.
“Our message to criminals involved in these types of BEC schemes will remain clear: The FBI’s memory and reach is long and wide-ranging, we will relentlessly pursue you no matter where you may be located,” said Brian Turner, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch.
But security experts say the wave of arrests has had little impact, and the FBI’s own numbers show that BEC scams continue to grow at a rapid clip.
Sophisticated BEC scams targeting businesses and other organizations started taking off in the mid-2010s. It was also around that time when ransomware attacks — in which hackers break into networks and encrypt data — started to grow in frequency and severity.
For years both BEC scams and ransomware attacks were treated largely as a law enforcement problem. That’s still true for BEC attacks, but ransomware is now a key national security concern after a series of disruptive attacks on critical infrastructure like the one last year against the biggest fuels pipeline in the U.S. that led to gas shortages along the East Coast.
The National Security Agency’s hackers have taken action to disrupt ransomware operators’ networks. The Justice Department set up a special ransomware task force to better organize the law enforcement response. And U.S. President Joe Biden has pressed the issue directly with President Vladimir Putin of Russia, where many ransomware operators are located.
Nothing close to those efforts has been deployed against BEC fraud despite the huge financial losses.
If the U.S. were to launch a whole-of-government response to BEC fraud, it almost certainly would focus heavily on Nigeria. Nowhere are BEC fraudsters more active than in Africa’s most populous nation, where scammers have been able to operate almost unchecked for decades.
Ramon Abbas, a well-known Nigerian social media influencer who went by Hushpuppi, had more than 2 million followers on Instagram before he was arrested in Dubai. Abbas’ social media posts showed him living a life of total luxury, complete with private jets, ultra-expensive cars and high-end clothes and watches.
“I hope someday I will be inspiring more young people to join me on this path,” read one Instagram post by Abbas, who pleaded guilty in the U.S. to international money laundering related to BEC and other cybercrimes last year. His sentencing is currently set for July.
___
How to tell you’re being phished and 9 other common online scams to watch out for
The internet can feel packed with scams sometimes, especially for anyone who’s had their credit card or other information stolen. But most scams fall into a small variety of types that are easy to identify and avoid once you know about them.
There are only so many ways to reinvent the wheel—scammers will usually fall into a set number of categories. Twingate assembled a list of common online scams that internet users should be wary of, drawing on research from government organizations, payment processors, and tech companies.
One of the major categories of scamming is called social engineering. An old-fashioned method that still works surprisingly well, social engineering is any fraud where a human being communicates with you to obtain information in person, online, or over the phone. Scammers will use manipulative, deceptive, or psychological tactics to get someone to reveal confidential information.
As our lives increasingly have shifted online, scammers have followed, posing as everything from fake online boyfriends to made-up charities. So the next time you get a voicemail claiming to be from Microsoft, an email that says your antivirus service is out of date, or a pop-up ad from “newy0rktimes.com,” take a few seconds and think about whether it’s a genuine message before doing anything. Continue reading to learn about the most common online scams today.
Phishing
Phishing is one of the most common online scams. It’s a form of social engineering, meaning a scam in which the “human touch” is used to trick people. One offline form of phishing is when you receive a scam phone call where someone claims to be calling from the fraud department at your bank and requests your account number as verification.
With online phishing, scammers do the same kind of thing but use emails and links to fraudulent websites to fool users. In your spam folder, you’ll often see messages claiming to be from Bank of America and others. These links lead to imitation bank sites designed to capture your personal banking information.
Advance-fee scam
These email messages are notorious—and the stuff of internet legend: “Hello sir, I have a huge sum to send you!” In this scam, a forlorn prince, bank manager, church reverend, or otherwise reputable-sounding stranger has a large amount of money that they need you to hold for them. All you have to do is send them several hundred or thousand dollars to cover some kind of transactional cost upfront.
Never believe any stranger who wants to send you money, and listen to your gut. If something sounds too good to be true, it is highly likely that it is a scam.
Romance scam
Romance scams are one of the darkest and most sinister scams because of the time investment and emotions involved. Romance scammers pretend to be regular people, often older people, who are looking for love and want to meet eligible singles in other countries. They’ll build an emotional connection with their target by exchanging romantic messages and pretending to be in love.
The scam comes in when, eventually, a series of misfortunes befall the romantic partner. They might plan a visit to finally meet—but suddenly won’t have money to pay for the plane ticket. Then they’re hospitalized with a mystery illness and need money to pay the bill. This continues until the victim grows suspicious of the mounting costs.
Formjacking
Formjacking is a web scam that works the same way as a credit card skimmer does in real life. You go to a website to place an order and enter your information as usual. The transaction even goes through and seems to be fine, except that malicious code injected into the website has copied your financial data to someone else.
The owners of the website may not even realize something is happening because they don’t pay close attention to their infrastructure. Make sure the websites you deal with are secure.
Phony tech support
Phony tech support is a form of social engineering. This scam may come as an email or a phone call, claiming that your computer has been compromised in some way and that you must call a number or visit a website to fix it.
From there, the scammer may install malware like keyboard capture software (or worse). On the phone, they may request remote access to your computer to help you. These scammers often claim to be from Microsoft or Apple as a way to establish legitimacy.
Ransomware
Ransomware is a kind of malicious software that is installed without your knowledge. This is usually from an email or fraudulent site, meaning it also uses phishing to imitate your bank or another institutional website. Someone calls or emails with a link that installs the ransomware on your machine. What makes ransomware different is what comes next.
The software locks certain kinds of information on your machine, like your saved documents, photos, and other files. You have to pay to unlock the data and get your files back, although the FBI cautions against actually paying.
Scareware
Scareware is a form of manipulative scamming that threatens users by making them believe they need new software on their machines. One of the common forms is to tell users they need new antivirus software and to offer that software from a fraudulent source.
It’s often easy to tell these websites or emails apart from real ones: Look closely at the URLs or email addresses, which usually have strange spellings or other clues that signal you’re not dealing with legitimate companies.
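The advice above, and the “newy0rktimes.com” pop-up mentioned earlier, both come down to spotting a domain that imitates one you trust. The following Python script is an added example, not part of the original article or of Twingate’s material; it applies the same check mechanically by reducing a URL or e-mail address to its domain, swapping the digits and letter pairs scammers use as look-alikes for the characters they imitate, and comparing the result against a list of trusted domains. The `TRUSTED_DOMAINS` set and the `HOMOGLYPHS` table are constructed for this example; a real deployment would use the organisation’s own allow-list.

```python
import re
from typing import Optional

# Constructed allow-list for the example. In practice this is the set of domains
# your organisation actually does business with.
TRUSTED_DOMAINS = {
    "newyorktimes.com", "bankofamerica.com", "microsoft.com",
    "apple.com", "paypal.com",
}

# Visually confusable substitutions seen in look-alike domains (constructed table).
# Key: what appears in the fake domain; value: what the eye reads it as.
HOMOGLYPHS = {
    "rn": "m",   # "rnicrosoft" reads as "microsoft"
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "|": "l",
}


def canonical_domain(value: str) -> str:
    """Pull the host out of a URL or e-mail address and lower-case it."""
    v = value.strip().lower()
    if "@" in v:                                   # alerts@bank0famerica.com
        v = v.rsplit("@", 1)[1]
    v = re.sub(r"^[a-z][a-z0-9+.-]*://", "", v)    # drop the scheme
    v = v.split("/", 1)[0].split("?", 1)[0]        # drop path and query
    return v.split(":", 1)[0]                      # drop a port


def skeleton(domain: str) -> str:
    """Replace confusable characters with what they imitate and drop separators.

    Longer substitutions run first so "rn" becomes "m" before "n" is considered.
    """
    s = domain
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(fake, real)
    return re.sub(r"[^a-z0-9.]", "", s)


def lookalike_of(value: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain this value imitates.

    None means the domain is either exactly trusted (or a subdomain of a trusted
    domain) or resembles nothing on the list at all.
    """
    dom = canonical_domain(value)
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return None                                # genuinely trusted

    sk = skeleton(dom)
    padded = "." + sk + "."
    for t in trusted:
        # Homoglyph case: after normalisation it matches a trusted domain.
        if sk == t or sk.endswith("." + t):
            return t
        # Leading-label case: "bankofamerica.com.secure-login.net" uses the
        # trusted name as a prefix so it appears first in the address bar.
        if ("." + t + ".") in padded:
            return t
    return None


if __name__ == "__main__":
    # Constructed inputs in the style of the scams described in the article.
    for sample in ("https://newy0rktimes.com/login", "alerts@bank0famerica.com",
                   "rnicrosoft.com", "paypa1.com",
                   "bankofamerica.com.secure-login.net",
                   "https://www.apple.com/", "pineapple.com"):
        hit = lookalike_of(sample)
        print(f"{sample:45s} -> {'imitates ' + hit if hit else 'no match'}")
```

Digit substitutions can rewrite legitimate domains that really contain digits, but the script only raises an alert when the rewritten form collides with a domain on the trusted list, and a collision like that is exactly the case worth a second look. Label boundaries matter: “pineapple.com” is not flagged as imitating “apple.com” because the trusted name is not a complete label there.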
Sextortion
Sextortion is an especially grim crime that targets minors, although it can also affect adults. Now that so many people meet romantic partners online, it’s common to exchange explicit photos. That’s also true of teenagers or even of younger children, who can find themselves in online relationships with people who ask for personal information and photos.
Once someone has this material, they can use it as a way to demand more and will threaten to share info or post photos publicly if their target refuses. Unlike the other crimes on this list, sextortion doesn’t always have financial goals.
Charity and disaster fraud
Crowdfunding and mutual aid are becoming more common as a way for people to share resources and help others pay for medical bills and other costs, or to donate following natural disasters. Unfortunately, this well-meaning way to help others in the community has also been targeted by scammers through charity and disaster fraud.
Scammers can make fake Twitter accounts to imitate people in need. They’ll even set up bots to make new accounts that look like your friend’s account to reply with PayPal links that redirect to the scammer. If you aren’t sure about the credibility of a group or crowdfunding page, it is always best to seek more information.
Work from home
This scam is simple and it’s a variation of an age-old, real-life scam. Think of those signs you see on street corners that say, “I make $16,000 a month working from home!” When you call, these people want you to buy training materials to become a real estate agent or something similar.
The same is true of many online ads that say you can work from home and make $500 a day or some other attractive amount. The best advice is also the oldest: If it sounds too good to be true, it probably is.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.