
How an Elite Counterintelligence Team Investigates BEC Scams Worldwide

Crane Hassold December 6, 2018 Cybercrime

Marriott Hotels, Dunkin Donuts, even the House GOP. During the final quarter of 2018, a host of high-profile data breaches and cyberattacks have made major headlines.

Some stemmed from business email compromise (BEC) scams, spear phishing campaigns, or other advanced email threats. Others are expected to help fuel such attacks in the future. A few might see somebody fight back through innovative, active defense measures.

If so, chances are good that “somebody” will be us. As leader of the newly announced Agari Cyber Intelligence Division (ACID), I work with an elite group of counterintelligence experts to uncover new tactics and techniques used by cybercriminal groups behind email attacks worldwide. When we can, we even help law enforcement shut these groups down.

ACID is the first and only counterintelligence research team dedicated specifically to global BEC and spear phishing investigations. And it plays a unique role in helping Agari fulfill its mission to protect digital communications so that humanity prevails over evil.

Leveraging a combination of passive intelligence collection and active threat actor engagement, ACID operates as Agari’s counterintelligence arm, dedicated to understanding, surfacing, and publicizing new attack methodologies worldwide. It’s incredibly gratifying work—especially considering the growing threats.

Business Email Compromise is a Digital Sucker Punch

This year, BEC scams have jumped 60 percent worldwide. More than 90 percent of organizations report being hit by targeted email attacks, with 23 percent of those organizations suffering financial losses. Depending on the size of the company, average losses from a successful email scheme can run $1.6 million and up.

Data breaches can be even worse. The average costs associated with a successful breach now run more than $7 million. And that’s before any regulatory fines or potential criminal prosecution.

The groups that run these scams aren’t rinky-dink hooligans, either. They’re as well-funded and professionally organized as any other business today. They have business intelligence teams that actively mine contact databases, company websites, LinkedIn profiles, and more to build dossiers on their targets; email marketing groups for distributing customized attacks; sales teams giving one-on-one attention to victims; even financial and human resource functions for extracting stolen funds and recruiting money mules to launder them. Cybercriminals are rarely single attackers sitting alone in a basement—they are part of organized groups that are using real business tactics to attack enterprises around the world, and they’re doing it well.

In fact, it’s now estimated that the email attacks these groups launch are major drivers of up to 48 percent of all Internet-related business losses from cybercrime, with more than $12.5 billion directly attributed to BEC scams since 2013. Unfortunately, these trends are only going to continue, unless someone does something about it.

Taking Back the Inbox

As it stands now, some advanced email attacks involve malicious links. Others include malware. But today’s most ruthless BEC and spear phishing attacks don’t need either to wreak havoc.

By leveraging sophisticated identity deception techniques paired with socially-engineered mind games, these attacks involve highly-personalized, plain-text emails designed to deliver an irresistible lure to a well-researched individual. Maybe it’s a stress-inducing missive from the “CEO,” demanding an urgent wire transfer. Maybe it’s a query from what appears to be an especially lucrative client. Maybe it’s the “Director of HR” asking for an employee’s W-2 information.

Whatever the con, these malicious messages manipulate recipients into meeting these requests before they think to confirm the message’s legitimacy, and the results can be disastrous. According to the SEC, one publicly-traded company recently paid out $45 million in BEC scams, and another lost $30 million. And these business email compromise scams are now expected to be the #1 cybersecurity threat organizations face in 2019.

Agari puts an end to all that. Through predictive AI, Agari maps email communications across individuals, organizations, and infrastructures to understand the relationship between sender and receiver, spot anomalies that signal fraud, and stop email attacks from ever reaching their targets.

But what about the cybercriminal groups themselves? That’s where we come in.

Active Defense, Active Investigations

The term “active defense” describes methods by which organizations trace BEC scams, spear phishing, or other forms of attack back to their source.

ACID uses a proprietary approach to active defense, leveraging what we call the BEC Automated Deception System. This tool automates active engagement sessions with cyber threat actors as a way to collect intelligence about the adversary’s tactics and targets.

We do not engage in what’s called “offensive cyber,” which can involve counterstrikes meant to cripple the cybercriminals’ systems. Instead, ACID delivers real-world results by supporting the enterprise, law enforcement, and innocent victims by actively engaging with threat actors to collect in-depth actionable intelligence.

In one recent operation, for instance, members of the ACID team analyzed 78 criminal email accounts and unmasked 10 international cybercrime organizations. By analyzing the thieves’ accounts, we were able to identify nearly 60,000 unique email messages and investigate the tactics, targets and, ultimately, the identities of the criminals. Along the way, we warned financial institutions about accounts being used for criminal activities, and provided evidence to law enforcement.

In another, we documented the working methods of a group we’ve named London Blue, a shadowy, UK- and Nigeria-based cybercrime operation that runs BEC scams against businesses around the world. In the process, we identified the group’s target list of more than 50,000 corporate officials at companies in 82 countries that was generated during a five-month period in early 2018.

By interacting with these criminals and employing active defense techniques, we were able to document the out-of-the-box approaches these organizations use to bring these attacks from prospecting to execution to laundering victims’ money to new accounts. And then share that knowledge with you—bringing to light the ways that these organizations operate and encouraging you to recognize the signs before you become a victim of their attacks.

News You Can Use

As the research arm of Agari, ACID is here to help protect communications so that humanity prevails over evil. The two reports we’ve written thus far are just the beginning, the first of many deliverables we’ll be sharing on an ongoing basis to help the good stay ahead of the bad. Stay tuned for more insights from our team, including threat actor dossiers, quarterly research reports, white papers, blog posts, and more.

To access and subscribe to new reports, information on emerging threats, and insights about new BEC scams and spear phishing attacks and the organizations behind them, visit the ACID website.

