Site icon Sophos News

Massive email fraud bust snares 281 suspects

Operation reWired – a globe-spanning, four-month-long crackdown on email fraud involving law enforcement agencies in 10 countries – has resulted in the arrest of 281 people suspected of running BEC (business email compromise) scams.

The US Department of Justice (DOJ) on Tuesday announced that the operation, which kicked off in May 2019, led to the seizure of nearly $3.7 million in assets and repatriations.

Out of the 281 arrests, 167 were in Nigeria, 74 in the US, 18 in Turkey, and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK.

Chief Don Fort, with the US Internal Revenue Service’s (IRS’s) Criminal Investigation unit, said in the DOJ’s release that the criminal network was complex, and it had a lot more going on besides talking businesses into making bogus wire transfers. Investigators discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in tax refunds, he said.

The collection of law enforcement agencies who coordinated their efforts in Operation reWired is a who’s who list: besides the DOJ, it included the US Department of Homeland Security (DHS), the US Department of the Treasury, the US Postal Inspection Service, the US Secret Service, and the US Department of State. Deputy Attorney General Jeffrey Rosen also gave a shout-out to the FBI, as well as to more than two dozen US Attorneys’ Offices, the Internal Revenue Service’s (IRS’s) Criminal Investigation unit, state and local law enforcement partners in the US, and law enforcement partners in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the UK.

All together, their work resulted in more than 214 domestic actions: besides the arrests, that included warning letters sent to money mules. There were a number of alleged money mules arrested for allegedly helping to rip off people and businesses, as well.

These are just a few of the suspects who were arrested, who their alleged targets were, and how much money the Feds managed to freeze:

What’s a BEC scam?

These scams typically involve legitimate business email accounts that have been hijacked, be it through social engineering or hacking, to initiate unauthorized transfers. The scammers often target employees who hold the pursestrings and businesses that work with foreign suppliers and/or businesses that are in the habit of executing wire transfer payments.

As the DOJ explained in its announcement, the criminal networks that run BEC scams also go after individuals, be it through people buying real estate, the elderly, and others, by convincing them to make wire transfers to bank accounts that the crooks control. We saw an example of a real estate scam earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.

Sometimes the fraudsters will impersonate a key employee or business partner after they’ve seized control of that person’s email account. Sometimes, they’ll find their victims through romance and lottery scams.

And sometimes, they’ll use dating sites to recruit money mules to help them launder the ill-gotten booty. Last month, the FBI said that this recruitment of money mules on dating sites is on the rise.

BEC scammers aren’t fussy: Besides fraudulent wire transfers, they’ll sometimes go after fraudulent requests for checks… or sensitive personally identifiable information (PII)… or employee tax records… or any/all of the above.

(Watch directly on YouTube if the video won’t play here.)

These scams are getting increasingly sophisticated, and they’re raking in ever more loot. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

The report also said that the FBI had received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year: more than double the amount lost as a result of such scams during the previous year.

Also on Tuesday, the FBI put out an updated set of figures that show that between October 2013 and July 2019, $26.2 billion has been lost to BEC scammers. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses, the FBI said – an increase due in part to greater awareness of the scam. which has in turn encouraged more reporting.

They’re coming for payroll

The FBI said that the crooks are increasingly going after payroll funds. It’s seen a spike in spoofed emails sent to companies’ human resources or payroll departments. The emails look like they’re coming from employees requesting a change to their direct deposit account – a tweak to a related scheme, in which a crook gains access to an employee’s direct deposit account and alters the routing to another account.

Typically, the crooks are directing the funds toward pre-paid card accounts.

The FBI had these tips, specifically aimed at helping employees to avoid these payroll scams:

What else to do

Report it!

Like the FBI says, the skyrocketing statistics related to BEC fraud incidents and losses are due at least in part to increased awareness and reporting.

Of course, law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?

Exit mobile version