The FBI's BEC sweep leads to 74 arrests across the globe

The Justice Department has announced the arrests of 74 people accused of participating in Business Email Compromise (BEC) fraud. 

A six-month investigation into lucrative BEC schemes has resulted in the arrest of 42 alleged fraudsters in the US, 29 in Nigeria, and three in Canada, Mauritius and Poland.

The FBI estimates that businesses worldwide have lost up to $5.3 billion to BEC fraudsters since 2013. 

BEC fraudsters conduct highly targeted phishing attacks, often after studying a target’s procedures, practices and people. 

One form involves impersonating a CEO or financial officer using a spoofed company email address and instructing subordinates to wire money to a supposed supplier’s account that is actually the attacker’s account. Others involve the scammer using a spoofed email address to intermediate a high-value transaction, such as a house sale.

Australia has become a popular target for BEC fraudsters. The ACCC estimates Australian firms lost $22.1 million to the fraud in 2017. Europe's cross-border police organization, Europol, earlier this month announced arrests of Israel-based BEC scammers that defrauded Belgian and French companies of 18 million euros.  

While many victims are SMBs, staff at Google and Facebook fell victim to a scammer posing as a representative of a major Taiwanese generic computer equipment manufacturer.  

The FBI in January kicked off 'Operation Wire Wire', which targeted BEC fraudsters and has been supported by the U.S. Department of Justice, U.S. Department of Homeland Security, U.S. Department of the Treasury and the U.S. Postal Inspection Service, foreign law enforcement, and private sector partners around the world. The arrests occurred over a two-week period.

Despite the large number of arrests, relatively little was recovered. Law enforcement seized just under $2.4 million and recovered $14 million in fraudulent wire transfers.

The Justice Department notes that “foreign citizens perpetrate many BEC scams”, which originated in Nigeria but have spread worldwide. 

It’s not clear how many of the individuals arrested were involved in defrauding businesses. Some cases involved individual victims who’d transferred “high dollar funds” or sensitive records while conducting business, while other victims were small to large sized businesses.   

Attorney General Jeff Sessions focussed on losses to senior citizens in the US.

“Fraudsters can rob people of their life's savings in a matter of minutes. These are malicious and morally repugnant crimes. The Department of Justice has taken aggressive action against fraudsters in recent months, conducting the largest sweep of fraud against American seniors in history back in February,” he said. 

Twenty-three people were charged in the Southern District of Florida with laundering at least $10 million from proceeds of BEC scams. Eight of these defendants are charged with fleecing victims of $5 million, including one corporation in Seattle that lost $1.4 million. 

The US arrests also include two Nigerian nationals residing in the US who conspired to target a real estate closing attorney using a spoofed email address.

The FBI has identified the following BEC variants as the most common types of scam: 

  • Business Executive: Criminals spoof or compromise e-mail accounts of high-level business executives, including chief information officers and chief financial officers, which result in the processing of a wire transfer to a fraudulent account. 
  • Real Estate Transactions: Criminals impersonate sellers, realtors, title companies, or law firms during a real estate transaction to ask the home buyer for funds to be sent to a fraudulent account.
  • Data and W-2 Theft: Criminals, using a compromised business executive’s e-mail account, send fraudulent requests for W-2 information or other personally identifiable information to an entity in an organization that routinely maintains that sort of information.
  • Supply Chain: Criminals send fraudulent requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by a money mule or bad actor.
  • Law Firms: Criminals find out about trust accounts or litigation and impersonate a law firm client to change the recipient bank information to a fraudulent account.