A global law-enforcement operation against email scams and wire transfer fraud has led to the arrest of 281 people in four months, the US Department of Justice (DoJ) announced. Named Operation reWired, the coordinated effort by multiple law enforcement agencies from several countries is the biggest offensive by scale against business email compromise (BEC) scammers, said the agency.
"Operation reWired… was conducted over a four-month period, resulting in 281 arrests in the United States and overseas, including 167 in Nigeria, 18 in Turkey and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the United Kingdom. The operation also resulted in the seizure of nearly US$3.7 million (£2.9 million)," said the announcement.
Business email compromise (BEC) scams trick individuals into sending money, which is then wired back to the perpetrators using strategic mules.
"The same criminal organisations that perpetrate BEC also exploit individual victims, often real estate purchasers, the elderly, and others, by convincing them to make wire transfers to bank accounts controlled by the criminals. This is often accomplished by impersonating a key employee or business partner after obtaining access to that person’s email account or sometimes done through romance and lottery scams," the DoJ announcement said.
"In unraveling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than US$91 million (£73 million) in refunds," Don Fort of IRS Criminal Investigation wrote in the announcement.
"We will continue to work with our international, federal and state partners to pursue all those responsible for perpetrating this fraud, preying on innocent victims and attempting to cheat the US out of millions of dollars."
According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams are growing every year, with a 100 percent increase in identified global exposed losses between May 2018 and July 2019.
"From an attacker's perspective looking to make money, BEC scams are the perfect blend of low cost and high return. BEC scams rarely, if ever, need any malware to be effective and operate on deceiving users," said Javvad Malik, security awareness advocate at KnowBe4.
"More than 99 percent of cyberattacks need humans to click and act—and BEC attacks rely squarely on individuals to take action by preying on human psychological responses to urgent matters such as wiring money and sending confidential data, often to satisfy some immediate but fictional business need," said Kevin Epstein, vice president of threat operations at Proofpoint.
"This is why providing appropriate and timely security awareness training is so important, as well as having supporting controls in place so that one person cannot create, authorise, and execute a new payment," Malik explained.
"The increase is also due in part to greater awareness of the scam, which encourages reporting to the IC3 and international and financial partners. The scam has been reported in all 50 states and 177 countries. Fraudulent transfers have been sent to at least 140 countries," said the IC3 report.
Based on the financial data, banks located in China and Hong Kong remain the primary destinations of fraudulent funds. However, the FBI has seen an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey.
"The frequency with which companies were targeted with email impersonation attacks – including BEC – tripled in 2018 relative to 2017 and featured increasingly sophisticated social engineering," said Chris Dawson, threat intelligence lead at Proofpoint.
"Unfortunately, given the overall success rate and low cost of executing email fraud attacks, it is likely that organisations are only seeing the tip of the iceberg in terms of both direct and indirect damages resulting from these types of attacks, which continue to scale and evolve."
The latest DoJ announcement follows the indictment of 22 August, when the DoJ indicted dozens of individuals accused of involvement in a global BEC scam and money laundering scheme. Most of the 80 named individuals, charged with conspiracy to commit mail and bank fraud, identity theft and money laundering, were based in Nigeria.
The indictments underscore the global nature of cyber-crime, noted Dawson. All these criminals need to initially reach their victims is an internet connection, and this puts the onus of security on the consumers, he explained.
"It’s important that consumers are extremely vigilant when confirming the source of all emails that are sent to their personal and corporate email inboxes. Be sure to verify the legitimacy of emails that urgently request a password change, transfer of money, or a link that has to be clicked," he said.
"Go directly to an organisation’s website to handle any account changes and connect in-person or over the phone with the sender to authenticate a request or solve an urgent problem they are asking you to address immediately. Everyone should also use multifactor authentication wherever it is offered, and monitor their credit reports (or better yet, place a credit freeze) to catch any scammers attempting to use stolen personal information to commit identity fraud."