"For a long time cybercriminals believed that the money was within the masses," says Crane Hassold, senior director of threat research at the email security firm Agari and former digital behavior analyst for the Federal Bureau of Investigation. "But in fits and starts over the past decade and then especially beginning about five years ago you saw a pivot of the entire threat landscape—email scams, ransomware—making more money with targeting businesses than individuals. We’re certainly not at the peak of this wave right now. We are at a point of rapid evolution."
It might seem obvious that businesses could be swindled out of more cash than individual victims, given how much more they have to start with. And some attackers were early to the idea; Lithuanian scammer Evaldas Rimasauskas was sentenced to five years in prison last week after pleading guilty to stealing more than $120 million from Facebook and Google in BEC scams that date back to 2013. Overall, though, scammers made good money in the 1990s and early 2000s casting a wide net and racking up a lot of small, incremental payments. As spam filters improved and web users wised up, scammers found themselves hitting a plateau. So they did what any entrepreneur would: innovate and diversify.Between June 2016 and July 2019 the FBI counted 166,349 BEC incidents in the US and abroad totaling more than $26 billion in losses. The Treasury Department’s Financial Crimes Enforcement Network estimates that BEC losses crossed $300 million per month with more than 1,100 incidents per month in 2018. And that just covers incidents that victims reported.
"This is just another case where someone has my data, and hundreds of millions of other people’s data, and I’ve absolutely no idea how they got it." Security Researcher Troy Hunt In the exposed database, the researchers also found some of what appear to be Verifications.io’s own internal tools like test email accounts, hundreds of SMTP (email sending) servers, the text of emails, anti-spam evasion infrastructure, keywords to avoid, and IP addresses to blacklist.
One catalyst of BEC growth is its reliance on the fundamentals of scamming, rather than requiring advanced hacking skills. Tricking someone into paying a fraudulent invoice over email isn't that different from charging people to play a rigged carnival game. Often, the most technical part of the scam for attackers involves using techniques like targeted spearphishing or credential stuffing to break into a company email account for legitimacy and to do recon on how to craft the most compelling scam.
"Scams are always present one way or another, but with time the digital environment underwent changes," says Lukasz Olejnik, an independent cybersecurity advisor and research associate at Oxford University's Center for Technology and Global Affairs. "BEC is basically all social engineering and manipulation. Targeting the right people at businesses who have substantial power without enough security awareness creates an asymmetry that is worth exploiting for scammers."BEC attacks stem from a set of tools and techniques that can be repurposed and combined in all different ways to generate (stolen) cash. Credential phishing, account takeovers, check fraud, money laundering, romance scams, and countless other elements are like tools in a toolbox, as Agari senior threat researcher Ronnie Tokazowski puts it. And while law enforcement has made some progress catching scammers and their money mules in recent years, the diversity of potential attacks makes it extremely difficult to stamp scamming out.