Phishing scams: The new hotspots for fraud gangs

While business email compromise groups used to operate from just a few countries, new gangs are now springing up in regions that were previously quiet.
Written by Danny Palmer, Senior Writer

Business email compromise (BEC) phishing scams are one of the most common forms of cybercrime – and new fraud gangs are appearing across the globe to trick firms into handing over money, according to an investigation by cybersecurity researchers.

A number of these scams have in the past been operated out of Nigeria, which is where about half of BEC scams still originate, according to an analysis by researchers at security company Agari. But a quarter of BEC phishing scams operate from within the US.

In total, Agari identified BEC attacks originating from 50 countries around the world and identified South Africa and the UK as high-ranking regions of BEC activity. The UK, for example, is home to a prolific BEC outfit known as London Blue.


The research also identifies Eastern Europe and Russia as a region with a growing number of BEC scammers. The region has traditionally been home to trojan malware and ransomware groups, so the emergence of BEC groups there suggests the cyber-threat landscape could be changing as corporate phishing scams become more lucrative.

"While we knew there were some BEC actors operating out of the US, the fact they comprised a quarter of all global BEC actors was a surprise," Crane Hassold, senior director of threat research at Agari, told ZDNet.

Nearly half the BEC scammers in the US are based in five states: California, Georgia, Florida, Texas, and New York, although evidence of people operating BEC attacks has been detected in 45 states in total.

The goal of a BEC attack is to trick an employee of an organisation into transferring a large sum of corporate funds – the average loss is $80,000, but some attacks can cost millions – into a bank account owned by the scammer.

Often these phishing attacks take the form of a phoney email sent in the name of a real executive or supplier, asking the victim to transfer funds as a matter of urgency to secure a business deal or contract. In some cases, BEC scammers compromise the legitimate email accounts of real contacts known to the target and exploit that established trust to push the transfer through.

By the time someone realises the transfer was fraudulent, it's already too late as the money is already in the hands of attackers. The FBI says almost half of reported financial losses to cybercrime in 2019 were lost to BEC scams.

Another element of these campaigns also has a significant footprint in the US; researchers collected information about 2,900 money mule accounts run by people whose job it is to transfer stolen funds and found that 80% of these were also based in the US. That's mostly because businesses in the US have historically been the primary targets of BEC attacks and most of these attacks ask victims to send money to accounts in the same country, said Hassold.

However, while money mules are helping with criminal activity, in many cases the people involved don't know that's what they're doing, having been scammed into providing their aid via social engineering, romance scams or work-from-home scams.

"Like a lot of other types of criminal activity, it's a numbers game. There are a lot of cyber criminals involved in BEC campaigns, both in the US and internationally, and there are only so many arrests law enforcement can make," said Hassold.


While BEC attacks can result in significant financial losses for businesses, it is possible to protect against them.

"Organisations first need to make sure they're using an email defense that can protect against these types of basic social engineering attacks," said Hassold.

"Additionally, to verify a payment request is legitimate, organizations should have policies in place that require out-of-band confirmation with the person requesting a payment," he added.
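The attack pattern described above (a message in the name of a real executive, sent from a lookalike or non-corporate address, pressing for an urgent payment) can be scored mechanically before it reaches an inbox. The following is an added illustration, not code from the article or from Agari; the executive name, domains and sample message are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: impersonation of a real executive from a lookalike
# domain ("examp1e" with a digit), a mismatched Reply-To, and an urgent
# request for funds. None of these values are real.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@mail-examplecorp.net
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today

Hi, I need you to process a payment of $80,000 to a new supplier
before close of business to secure the contract. I am in meetings,
so please treat this as urgent and confirm once done.
"""

URGENCY_TERMS = ("urgent", "immediately", "as soon as possible", "today")
PAYMENT_TERMS = ("wire", "transfer", "payment", "bank account", "invoice")


def bec_indicators(raw_message, known_executives, corporate_domain):
    """Return the list of BEC indicators present in a raw RFC 5322 message.

    known_executives: display names an attacker is likely to impersonate.
    corporate_domain: the organisation's legitimate email domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" +
            (body.get_content() if body is not None else "")).lower()

    indicators = []
    execs = {name.strip().lower() for name in known_executives}
    # Display-name spoofing: a known executive's name on a non-corporate address.
    if from_name.strip().lower() in execs and from_domain != corporate_domain.lower():
        indicators.append("exec display name from non-corporate domain")
    # Replies silently redirected to an address the attacker controls.
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to domain differs from sender domain")
    # Urgency combined with payment language is the classic BEC lure.
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        indicators.append("urgent payment language")
    return indicators
```

Any non-empty result is a reason to hold the message for review and, as Hassold recommends, to confirm the request out of band rather than by replying to the email.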
