Email Security

    Recent Business Email Compromise Arrests Highlight Significance of Email Security

    Operation reWired leads to 281 arrests in BEC sting

    by Renatta Siewert

    A four-month worldwide investigation into business email compromise (BEC) scams dubbed Operation reWired has led to 281 arrests by the FBI. According to a press release on Sept. 11 from the United States Department of Justice, the scams were “designed to intercept and hijack wire transfers from businesses and individuals, including many senior citizens.”

    One hundred sixty-seven arrests, the majority, occurred in Nigeria, which is known for its history with romance and inheritance scams targeting everyday citizens. Notably, 74 arrests came from within the United States, and arrests were also made via international law enforcement collaborations in Turkey, Ghana, the U.K., Japan, France, Italy, Kenya, and Malaysia.

    From the Department of Justice announcement:

    “The Secret Service has taken a multi-layered approach to combating Business Email Compromise schemes through our Global Investigative Operations Center (GIOC),” said U.S. Secret Service Director James M. Murray. “Domestically, the GIOC assists Secret Service Field Offices and other law enforcement partners with analysis and investigative tactics to enhance the impact of local BEC investigations. Internationally, the GIOC targets and identifies transnational organized crime networks that perpetrate these cyber-enabled financial fraud schemes. Through this approach, the Secret Service continues to strive to protect the citizens of the United States and our financial infrastructure from these complex crimes.”

    These arrests led to the seizure of $3.7 million in the U.S., although the global nature of the damage can be considered even wider: 250,000 identities were stolen, 10,000 bogus tax returns were filed, and the suspects netted $91 million in sham tax refunds. 

    Business Email Compromise: Scalable and Sweeping

    Data suggests these types of scams will continue to be concentrated in certain regions. But collectively, the list of countries involved, the large sums, and the lack of advanced technology in BEC bring forth an interesting point: business email compromise scams are not just far-reaching, they are also scalable. This criminal activity can be adapted anywhere in the world, at any size.

    Recent studies, and countless enterprise breaches, have pointed to the exponential increase in business email compromise as this issue rises in importance. A recent study of global IT decision-makers and infosec professionals indicates that 73 percent have been impacted by business email compromise resulting in financial, data, or customer loss. The Internet Crime Complaint Center, or IC3 as it’s usually known, has said global financial losses from email security scams increased by 100 percent in the last 14 months.

    Despite these eye-popping numbers combined with the practical knowledge that hackers will continue to evolve their methods to scam businesses and individuals, there are ways to mitigate risk exposure.

    A Practical Guide to Mitigating BEC

    Unfortunately, according to Wired’s Lily Hay Newman, email attacks are “relatively easy to learn [the techniques], since the schemes are all intentionally low-tech and depend fundamentally on classic scams that prey on human biases and emotional and behavioral weaknesses, rather than relying on sophisticated malware or other advanced hacking techniques.” With this in mind, the future looks relatively bleak. However, there are steps that individuals and businesses can take to protect their data from a fate like the recent BEC scam.

    • Educate senior management, key staff and employees on this specific type of attack. Specifically, all parties should know how it works to remain extra vigilant and aware.
    • Review data protection procedures and consider revising how data transfers to external third parties are authorized.
    • Implement inbound email stationery that marks and alerts employees to emails that have originated outside of the corporate network.
    • Subscribe to domain name registration alerting services that will notify leaders when domains are created that closely resemble the corporate domain.
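
    The lookalike-domain alerting in the last item can be sketched as follows. This is an added example, not code from the original article or any vendor's service; the function names, the small confusable-character table, and every domain in the feed are constructed for illustration, and it assumes the feed lists registered domains without subdomains.

```python
# Added example: flag newly registered domains that resemble a corporate domain.
# Visual substitutions folded before comparison (multi-character pairs first).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample feed of newly registered domains (not real indicators).
SAMPLE_FEED = ["examp1ecorp.com", "exarnplecorp.com", "example-corp.com",
               "examplecorp.net", "examplcorp.com", "examplecorp-payments.com",
               "gardeningtips.org", "examplecorp.com"]

def skeleton(label: str) -> str:
    """Lowercase a label, drop hyphens, and fold look-alike characters."""
    label = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(corporate: str, registered: list[str], max_distance: int = 1):
    """Return (domain, reason) pairs for entries resembling the corporate domain."""
    corporate = corporate.lower()
    corp_label = corporate.split(".")[0]
    corp_skel = skeleton(corp_label)  # fold our own name the same way
    hits = []
    for domain in (d.lower() for d in registered):
        if domain == corporate:
            continue  # our own registration
        label = domain.split(".")[0]
        skel = skeleton(label)
        if skel == corp_skel:
            reason = "tld swap" if label == corp_label else "homoglyph/hyphen variant"
        elif edit_distance(skel, corp_skel) <= max_distance:
            reason = "typo variant"
        elif corp_skel in skel:
            reason = "brand plus keyword"
        else:
            continue
        hits.append((domain, reason))
    return hits

if __name__ == "__main__":
    for domain, reason in find_lookalikes("examplecorp.com", SAMPLE_FEED):
        print(f"{domain:28} {reason}")
```

    For short corporate names, keep max_distance at 1 or below, since unrelated short labels are often only one or two edits apart.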
