FBI arrests 74 in global Business Email Compromise takedown

Finally, after years of laughing in the face of a growing list of mainly SMB victims, Business Email Compromise (BEC) criminals appear to have taken one on the chin.

In an FBI action dubbed Operation WireWire, 42 people accused of being involved in BEC have been arrested in the US, plus a further 29 in Nigeria, and one each in Canada, Mauritius and Poland.

These numbers alone make it one of the biggest cybercrime busts ever recorded and that’s without factoring in $16.4 million of fraudulent wire transfers recovered during the operation.

What is BEC? In short: it’s a bit like phishing but without the fake website. Employees at predominantly small companies are contacted – often through spoofed email addresses but also by phone – by criminals impersonating suppliers or customers and conned into wiring money to them.

Its victims tend to be SMBs without lots of financial checks but also individuals conducting certain kinds of high-value transactions, for example people buying houses through a realtor or estate agent.

Once the money has been transferred, it’s incredibly unlikely that much, if any, of it will ever be seen again.  With transfers that are initiated by the victim, there is no comeback and insurance is out of the question. As US Attorney General Jeff Sessions put it:

Fraudsters can rob people of their life’s savings in a matter of minutes.

Or of large sums of money that put entire businesses in peril.

Overshadowed by better-publicised crimes such as ransomware, BEC has surreptitiously grown into one of the most dangerous methods of cybercrime targetting SMBs.

The biggest problem is that, up until now, very little has been done about it. Between 2013 and 2015 losses reported to the FBI’s Internet Crime Complaint Center (IC3) totalled $1.2 billion, a lot of money by any standards.

Three years later and this has grown to $3.7 billion, which underlines how the crooks have been siphoning money from victims at an accelerating rate.

But that’s only for the US – international and unreported losses mean the true scale of BEC is likely to be much bigger and badder than these figures.

Defending against it is complicated, involving better defence for email servers and accounts, improved processes (protocols for checking payments), and of course better targeting of the fraudsters own supply chain.

Central to that are money mules – legitimate account holders who allow their bank accounts to be used as staging posts as money is transferred from victims.

On that score, 15 of the 74 Operation WireWire arrests were said to be of people accused of performing this role in the BEC chain.

WireWire’s wider significance is that it marks a big step up in the scale of police operations. With the exception of an international operation in 2017 which saw 19 people arrested in several countries, BEC cases have tended to be brought against individuals.

The authorities have taken years to even start getting on top of the problem. However, now at least the criminals know that the possibility of being caught is on the increase.

An important final part of the fightback against BEC is reporting it. It’s probably not the first thing on the mind of victims but it provides an important layer of intelligence that’s so far been missing.

In the US, this can be done by filing a complaint with the IC3. In the UK, such instances should be reported to Action Fraud.