Email Security Blog

The Global Reach of Business Email Compromise (BEC)

Crane Hassold October 13, 2020 Business Email Compromise
Night time satellite image of south eastern usa

Over the last five years, Business Email Compromise (BEC) has evolved into the predominant cyber threat businesses face today. Since 2016, businesses have lost at least $26 billion as a result of BEC scams and, based on the most recent FBI IC3 report, losses from BEC attacks grew another 37 percent in 2019—accounting for 40 percent of all cybercrime losses over the course of the year.

The information contained in our new report, The Geography of BEC, comes from more than 9,000 active defense engagements conducted by ACID between May 2019 and July 2020. As a result of these engagements, we are able to collect crucial intelligence that allows us to better understand the operations of BEC criminal organizations. This includes the locations of the threat actors who perpetrate these attacks, as well as the money mules who play such an integral role in laundering the proceeds that result from them.

We were able to identify BEC actors in 50 different countries, demonstrating that while Nigeria has been the historical epicenter of social engineering activity, BEC actors and the individuals who enable their attacks can be found all over the world. Within our dataset, Nigeria was only home to half of the BEC operators we observed, which may be surprising given the historical role this country has played in the evolution of this form of fraud.

Graphic depicting BEC actors by region and country

Flat map of the globe showing location of BEC actors

Global locations of BEC threat actors.

Surprisingly, a quarter of all BEC attackers had a home base in the United States. Nearly half of US-based BEC actors were located in five states: California, Georgia, Florida, Texas, and New York. Looking at the data more granularly, we observed clusters of actors around a handful of metro areas, including Atlanta, GA; New York, NY; Los Angeles, CA; Houston, TX; and Miami, FL. Incidentally, these metro areas match the locations where many recent BEC arrests have been made, including those made in Operation reWired, an international law enforcement operation that resulted in 281 arrests worldwide.

Map of the US indicating location of BEC actors

Distribution of BEC actors in the United States.

Money mules, one of the most important components of the BEC financial supply chain, were also observed around the world. Over the course of 15 months, we collected 2,900 mule accounts in 39 countries, through which scammers intended to receive more than $64 million in stolen funds from BEC victims. While 80% of these mule accounts were located in the United States, the requested payment amounts destined for those accounts were significantly lower than those seen in other countries. For example, the average amount of payments to US-based mule accounts was $39,500, while payments directed to mule accounts based in Hong Kong were $257,300—more than six times their stateside counterparts.

Table depicting average BEC payments by country

Average BEC payment requests.

Within the United States, more than 900 mules were identified across all 50 states, as well as the District of Columbia. Many of these mules are likely to be unwitting victims of other social engineering attacks, such as romance scams and work-from-home cons. And a significant number of BEC mules were clustered around a small number of cities, indicating these areas may be hubs of BEC activity in the US. Mirroring the clusters of BEC actors, the top metropolitan areas for US-based money mules were Dallas, TX; New York, NY; Atlanta, GA; Houston, TX, and Los Angeles, CA.

Map of the US depicting location of money mules

Locations of BEC money mules in the United States.

While the global footprint of BEC demonstrates that the source of the problem is not contained to a small part of the world, it also shows that the simplistic geo-blocking capabilities of SEGs and firewalls are not a silver bullet to identifying malicious threats. Cybercriminals can hide behind VPNs and other proxies (something the actors we identified were not using), but our study also shows that a large percentage originate in places you might not expect, like the United States. This reinforces the need for comprehensive identity deception detection capabilities to defend against BEC attacks and other types of cyber threats.

For more information on the location of BEC actors and their money mules, download the full Geography of BEC report and register for the webinar.

Leave a Reply

Your email will not be published. All fields are required.

Agari Blog Image

August 5, 2020 Michael Paiko

Phishing & BEC Scams Soar 3000%: Agari H2 2020 Email Fraud and Identity Deception Trends Report

Coronavirus-related phishing attacks and business email compromise (BEC) scams skyrocketed 3,000% from mid-March through early…

Agari Blog Image

July 17, 2020 Patrick Peterson

Business Email Compromise: New Shift in BEC Threat Landscape Puts CISOs on Notice

A seismic shift in the email threat landscape has CISOs bracing for sophisticated new forms…

Agari Blog Image

July 7, 2020 Crane Hassold

Cosmic Lynx: A Russian Threat Hits the BEC Scene

“At some point, Russian and Eastern European cybercriminals are going to start thinking to themselves,…

Agari Blog Image

June 30, 2020 Michael Paiko

Agari Summer '20 Release: CISOs Gain Unique Threat Intel to Their Organizations

With business email compromise (BEC) scams up sharply amid the coronavirus pandemic, CISOs have been…

Agari Blog Image

June 22, 2020 Michael Paiko

Forrester: Agari Phishing Defense™ Works a 97% ROI Over Three Years

A new Total Economic Impact (TEI) Study from Forrester finds that Agari Phishing Defense™ (APD)…

mobile image