The Decade Big-Money Email Scams Took Over

Some email scams—penis enlargement spam, “Nigerian prince” shakedowns—feel like they’ve been around almost as long as email itself. But the grifts have evolved significantly over the last decade, as scammers have learned that they can extract much bigger payouts from big businesses than lone victims. They’ve tallied billions of dollars in the last few years alone. In the 2020s, it’s only going to get worse.

In these so-called business email compromise schemes, attackers either infiltrate a legitimate email account from a company or create a realistic spoof account. They use that position to broker seemingly legitimate wire transfers for “business transactions” like contract payment; the money instead goes into the criminal’s pockets. The scale is staggering; in September alone, Toyota lost $37 million in a BEC scam, and the Japanese media company Nikkei lost $29 million.

“For a long time cybercriminals believed that the money was within the masses,” says Crane Hassold, senior director of threat research at the email security firm Agari and former digital behavior analyst for the Federal Bureau of Investigation. “But in fits and starts over the past decade and then especially beginning about five years ago you saw a pivot of the entire threat landscape—email scams, ransomware—making more money with targeting businesses than individuals. We’re certainly not at the peak of this wave right now. We are at a point of rapid evolution.”

It might seem obvious that businesses could be swindled out of more cash than individual victims, given how much more they have to start with. And some attackers were early to the idea; Lithuanian scammer Evaldas Rimasauskas was sentenced to five years in prison last week after pleading guilty to stealing more than $120 million from Facebook and Google in BEC scams that date back to 2013. Overall, though, scammers made good money in the 1990s and early 2000s casting a wide net and racking up a lot of small, incremental payments. As spam filters improved and web users wised up, scammers found themselves hitting a plateau. So they did what any entrepreneur would: innovate and diversify.

Between June 2016 and July 2019 the FBI counted 166,349 BEC incidents in the US and abroad totaling more than $26 billion in losses. The Treasury Department’s Financial Crimes Enforcement Network estimates that BEC losses crossed $300 million per month with more than 1,100 incidents per month in 2018. And that just covers incidents that victims reported.

One catalyst of BEC growth is its reliance on the fundamentals of scamming, rather than requiring advanced hacking skills. Tricking someone into paying a fraudulent invoice over email isn’t that different from charging people to play a rigged carnival game. Often, the most technical part of the scam for attackers involves using techniques like targeted spearphishing or credential stuffing to break into a company email account for legitimacy and to do recon on how to craft the most compelling scam.

“Scams are always present one way or another, but with time the digital environment underwent changes,” says Lukasz Olejnik, an independent cybersecurity advisor and research associate at Oxford University’s Center for Technology and Global Affairs. “BEC is basically all social engineering and manipulation. Targeting the right people at businesses who have substantial power without enough security awareness creates an asymmetry that is worth exploiting for scammers.”

BEC attacks stem from a set of tools and techniques that can be repurposed and combined in all different ways to generate (stolen) cash. Credential phishing, account takeovers, check fraud, money laundering, romance scams, and countless other elements are like tools in a toolbox, as Agari senior threat researcher Ronnie Tokazowski puts it. And while law enforcement has made some progress catching scammers and their money mules in recent years, the diversity of potential attacks makes it extremely difficult to stamp scamming out.

The Agari researchers say they see variations on classic schemes every day new. Apartment rental or sublet hustles that scam victims out of deposits can morph into RV rental scams advertised on camper forums. Or a strain of tax refund scam can be repurposed to defraud employees of escort services. “The premise is exactly the same, just a few details are different,” Hassold says. “Like ‘I’m gonna do the exact same thing I’ve been doing with Craiglist rental scams—just on RV sites instead’. Who thinks of that?”

In this way, BEC runs in parallel with other flavors of scamming. That’s particularly true with romance scams, where attackers develop an entirely digital romantic relationship with a victim in order to gain their trust and steal their money. In these hustles, victims are eventually turned into unwitting mules for BEC, because an attacker can tell them to set up bank accounts and receive wire transfers without too many questions asked.

Just in time for the turn of the decade, email fraudsters have even been developing an even more pernicious variation on BEC. Sometimes called vendor email compromise or VEC, the technique specifically focuses on compromising vendors whose whole business involves contracting with other companies and invoicing them for services. In these scams, even people with significant security training would have trouble detecting the fraud, because scammers compromise the vendor, get copies of their legitimate invoices, and send them to real customers with nothing changed but the wire transfer account number. With these frauds it can take weeks or months for either company to realize that something is amiss, and by then the money is long gone.

“With general BEC attacks, you might wonder how anyone can fall for this, because there are probably red flags like misspellings and other inaccuracies,” Agari’s Hassold says. “But with vendor email compromise attacks the question is going to be, how do people not fall for this? Because when you look at it none of that is there. It’s a very realistic email that almost perfectly mimics normal communication from that vendor, because the scammers have everything they need.”

As law enforcement efforts ramp up and businesses take more email security precautions like enabling two factor authentication, there is hope for progress on defense. But as has always been the case, scammers gonna scam. The internet age is certainly no exception.

More Great WIRED Stories

Read More