Compromised emails can sometimes lead to bruised faces

While business email compromise (BEC) might lack the media exposure of ransomware cartels, it’s the true foundation of the global and often brutal cybercrime ecosystem.

Modern email communication has become what the post was in previous centuries. While instant messaging has largely taken over person-to-person communication online, email still serves as the backbone of business bureaucracy, with bills and contracts flowing through the digital space.

With this in mind, it’s hardly surprising that business email compromise, or BEC for short, is the most profitable segment of online fraud. Threat actors take over email accounts to impersonate companies and steal data. In other words, where there are bills to be paid, somebody always tries to steal the cash flow.

According to the Federal Bureau of Investigation (FBI), BEC fraud has accounted for an astounding $43 billion over the last six years. To put it in context, Elon Musk had to create PayPal, Tesla, and SpaceX and take out loans to muster almost the same amount of money to buy the influential social platform Twitter.

How it’s made

Being a multi-billion-dollar affair, BEC is a global project with different regions serving as hubs for specific tasks. According to Stephen Dougherty, Financial Fraud Investigator at the US Secret Service, the criminal organizations that run BEC fraud are often set up as businesses.

“These are financially motivated, financially driven organizations. I classify it as the enterprise business model. And at the Secret Service, we’re seeing these organizations be organized exactly as a business,” Dougherty said at a SecureWorld Texas conference last week.

For example, C-Suite operators who set designs for targeting businesses rarely do the hacking themselves. Criminal masterminds often tap into the global hacking community for manpower to carry out crooked designs.

Once hackers provide the C-Suite operators with the means to penetrate email accounts and the valuable information stored there, the operators employ underworld human resource (HR) operators. HR provides criminals with people who can speak a specific language or specialize in a targeted industry.

Money laundering

With all the pieces in place, operators perform attacks and, in case of a successful attack, end up with illicit funds they need to launder. According to Dougherty, the money laundering area of the cyber underworld has dramatically changed in recent years thanks to cryptocurrencies.

In the past, threat actors had to bounce funds from bank to bank to distance themselves from the victim. Nowadays, funds are almost immediately converted to crypto and put into complex laundering networks that provide greater anonymity.

Earlier this year, researchers discovered that cryptocurrency businesses based in Moscow’s financial district, also known as Moscow City, likely partake in money laundering activities.

According to Chainalysis, these businesses receive hundreds of millions of dollars worth of cryptocurrency per quarter, peaking at nearly $1.2 billion in the second quarter of 2021.

It is estimated that illicit and risky addresses make up between 29% and 48% of all funds received by Moscow City crypto businesses. And that’s hardly the only financial district in the world where illicit funds tend to end up.

Spilling into the real world

Even though cybercrime mainly occurs online, its effects often spill over to the real world. According to Dougherty, cybercriminals often run into other crooks who would like to keep more crime profits than they’re supposed to.

For that reason, BEC operatives hire so-called enforcers, muscle men who use physical harm to keep the global workforce in line. Victims, too, are often threatened with physical violence to dissuade them from testifying in court.

“We’ve also seen BEC groups hire these enforcers to try to silence or intimidate witnesses in federal cases. This isn’t just cybercrime now. It’s starting to spill into the real world, and with the level of violence, it’s going a little darker,” Dougherty said.

BEC is a global phenomenon, with victims registered in 186 different countries. Dougherty claims that the BEC landscape is also an evolving one. While the practice likely originated in West Africa, with Eastern Europe serving as the IT hub initially, Russia and other countries in the region have mostly taken over as operational designers.