Business Email Compromise (BEC) scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending wire payments or purchasing merchandise or gift cards. Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, such as “deep fake” audio generated by artificial intelligence, to pretend to be executives at a company and fool subordinates into sending money.
All accounting personnel should be made aware of this scam, and if any vendor or business partner requests a change in the bank account for their firm, management should place a call to the requesting company and confirm all details verbally with an authorized company officer.
A reported shopping spree in Beverly Hills, a luxury vacation in Mexico, a bank account that jumped from $299.77 to $1.4 million overnight. From the outside, it looked like Moe and Kateryna Abourched had won the lottery. But this big payday did not come from lucky numbers. Rather, a public school district in Michigan had been tricked into wiring its monthly health insurance payment to the bank account of a California nail salon the Abourcheds owned, according to a search warrant application filed by a Secret Service agent in federal court.
The school district and taxpayers were victims of an online scam called Business Email Compromise, or BEC for short, police say. The couple denies any wrongdoing and has not been charged with any crimes. BEC scams are a type of crime where criminals hack into email accounts, pretend to be someone they are not, and fool victims into sending money to the wrong party. These crimes get far less attention than the massive ransomware attacks that have resulted in a long-overdue government response, but BEC scams have been by far the costliest type of cybercrime in the U.S. for years, according to the FBI, siphoning untold billions from unsuspecting victims.
The huge payoffs and low risks associated with BEC scams have attracted criminals worldwide. Some advertise their ill-gotten riches on social media, posing in pictures next to Ferraris, Bentleys and stacks of cash. “The scammers are extremely well organized and law enforcement is not,” said Sherry Williams, a director of a San Francisco nonprofit recently hit by a BEC scam.
Losses in the US to BEC scams in 2021 were nearly $2.4 billion, according to a new report by the FBI. That’s a 33% increase from 2020 and more than a tenfold increase from just seven years ago. Fraud experts say many victims never come forward and the FBI’s numbers only show a small fraction of how much money is stolen.
In the nail salon case involving Grand Rapids, police say $2.8 million was stolen. Banks were able to recall about half that amount once the scam was discovered, court records show. A Secret Service agent said in an affidavit filed as part of a search warrant application that someone hacked into the email account of one of the school district’s human resources employees and sent emails that persuaded a colleague in the finance department to change the bank account where the health insurance payments were sent. The emails were brief and unfailingly polite. “Please kindly update” the records, one of them said, words the real HR employee would later tell police she never uses, according to the affidavit.
Police tracked the money to the salon’s bank account owned by the Abourcheds, the affidavit says. After the theft was detected, Moe Abourched contacted a Grand Rapids police detective and said he’d been fooled by a European woman named “Dora” into accepting the funds and forwarding them to other accounts, according to the affidavit. The Secret Service agent said Abourched’s claims were false and he had used a similar ruse with police after he received money from a BEC scam targeting a Florida storage company.
Local police put the couple under surveillance and in October searched their apartment, offices and BMW, court records show. Police said earlier this year they needed more time to examine the data in the couple’s phones and computers. The Abourcheds’ lawyer, Kevin Gres, said his clients have done nothing wrong and no charges should be filed. “My clients were unwitting victims in this scheme,” he said.
Almost every enterprise is vulnerable to BEC scams, from Fortune 500 companies to small towns. Even the State Department got duped into sending BEC scammers more than $200,000 in grant money meant to help Tunisian farmers, court records show.
The Justice Department has launched months-long operations in recent years that have netted hundreds of arrests worldwide. “Our message to criminals involved in these types of BEC schemes will remain clear: The FBI’s memory and reach is long and wide-ranging, we will relentlessly pursue you no matter where you may be located,” said Brian Turner, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch.
But security experts say the wave of arrests has had little impact, and the FBI’s own numbers show that BEC scams continue to grow at a rapid clip. Many of those arrested by US authorities are lower-level “money mules,” who move stolen money around the banking system until it’s out of reach of authorities. “Mules” don’t need hacking skills and come from a variety of backgrounds.
Sophisticated BEC scams targeting businesses and other organizations started taking off in the mid-2010s. It was also around that time that ransomware attacks, in which hackers break into networks and encrypt data, started to grow in frequency and severity. For years both BEC scams and ransomware attacks were treated largely as a law enforcement problem. That’s still true for BEC attacks, but ransomware is now a key national security concern after a series of disruptive attacks on critical infrastructure, like the one last year against the biggest fuels pipeline in the U.S. that led to gas shortages along the East Coast.
The National Security Agency’s hackers have taken action to disrupt ransomware operators’ networks. The Justice Department set up a ransomware task force to better organize the law enforcement response. And US President Joe Biden has pressed the issue directly with President Vladimir Putin of Russia, where many ransomware operators are located.
Nothing close to those efforts has been deployed against BEC fraud despite the huge financial losses. Unlike ransomware operators who try to keep their communications private, BEC scammers often openly exchange services, share tips, or show off their wealth on social media platforms like Facebook and Telegram.
In the case of the stolen Grand Rapids money, it was social media that helped law enforcement when seeking a federal judge’s approval for a search warrant. Included in the application was a vacation Instagram post by Kateryna Abourched, which linked the timing of her trip with a $3,503 payment to a luxury resort in Mexico made from the bank account that had received the stolen Grand Rapids money. “Vacation is always inspiring,” she wrote in her Instagram post.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516