The FBI announced that 65 people were arrested as part of an international law enforcement crackdown on business email compromise (BEC) attackers, which started in September and lasted three months.
The suspects in the U.S., Nigeria, South Africa, Canada and Cambodia are allegedly responsible for scamming over 500 U.S. victims and causing losses of over $51 million, according to the FBI, which funded and coordinated the operation.
“With actors behind BEC being responsible for hundreds of billions of U.S. dollars in fraud, this is quickly becoming a threat to national security that we can no longer ignore,” said Ronnie Tokazowski, principal threat advisor with Cofense. “I hope this serves as a wake-up call that BEC, as well as other types of phishing attacks, continues to be a problem plaguing every industry, vertical, and citizen across the globe."
As part of the operation, the Nigerian Economic and Financial Crimes Commission arrested Oluwasegun Baiyewu, 36, of Houston, Texas, and Leo Omorogieva Eghaghe, 39, of Lagos, Nigeria. The two are charged with being involved in an international money laundering conspiracy where money mules moved at least $4.5 million in fraud funds, obtained via BEC and other fraud schemes, from the U.S. to Nigeria. The conspiracy impacted a Puerto Rico-based renewable energy supplier.
Also arrested were Bright Osaghni, 41, and Osatohanmwen Oriakhi, 41, both of Toronto. The Toronto Police Service arrested the two, suspected of being connected with a BEC scam and check fraud scheme that impacted hundreds of victims in the U.S. and Canada, with attempted losses of $16 million. Another eight suspects arrested, all from Houston, Texas, were indicted on charges of laundering almost $900,000 of proceeds from a BEC scam.
“This group, and several others, are believed to have laundered almost $4.5 million over a period of two years, with the laundered funds consisting of payments they received from victim businesses all over the world,” according to the FBI in a Wednesday statement.
The operation comes after a number of previous law enforcement attempts to curb this type of activity through arrests, including one in 2018 that led to the arrest of 74 suspects worldwide and one in 2019 that resulted in 281 arrests.
"With actors behind BEC being responsible for hundreds of billions of U.S. dollars in fraud, this is quickly becoming a threat to national security that we can no longer ignore."
However, Crane Hassold, director of threat intelligence with Abnormal Security, said that with BEC, it is difficult to actually make a significant disruption through arrests. Unlike ransomware groups, where one centralized, primary group drives the majority of the activity, BEC schemes are made up of thousands of individual actors working on their own and sharing information with one another, Hassold said.
BEC schemes involve intricate networks of money mules, for instance, which set up bank accounts in order to split, transfer, deposit or withdraw the funds stolen from victims. In some cases these money mules are victims themselves and are unaware they are doing anything wrong.
“If you arrest dozens or hundreds of these guys you won’t make an impact on the attacks that are going on, because it’s so decentralized,” he said. “But the FBI has also been pivoting its overall strategy and implementing a better way to deal with it. Instead of arrests as the primary metric of success, the FBI is focusing on recovering financial losses.”
Despite BEC being a prevalent type of attack, it continues to cost businesses millions of dollars, with the recently released Internet Crime Complaint Center (IC3) showing that BEC (and email account compromise) victims reported nearly $2.4 billion in losses in 2021. Part of the challenge in defending against the attack is that it is difficult to detect: BEC is typically carried out when legitimate business email accounts are compromised through social engineering techniques and used to conduct unauthorized transfers of funds.
At the same time, attackers are becoming more sophisticated. One new BEC trend highlighted in the IC3 report involves attackers using virtual meetings to instruct victims to send fraudulent wire transfers. The attackers would compromise a company CEO’s email and request employees participate in a virtual meeting platform. In those meetings, the attackers then insert a still picture of the CEO along with a deepfake audio impersonation. Employees would be directed to initiate wire transfers.
“When it comes to BEC in general this is not a problem that has gotten any better,” said Hassold. “More sophisticated actors are pivoting into the BEC space and we will see actors that will put more time and effort into creating more realistic pretexts and lures.”