Organized criminals are targeting businesses with identity deception attacks that cause financial losses and broken trust, but Agari is changing the game. Using responsible active defense techniques to analyze criminal email accounts, the Agari Cyber Intelligence Division (ACID) unmasked 10 cybercriminal groups during a 10-month period. ACID has used the results of its work to:

  • Warn financial institutions about compromised accounts;
  • Provide evidence to law enforcement agencies;
  • Notify victims that they’ve been targeted by scammers; and
  • Help recover stolen funds.

Download your copy of “Behind the ‘From’ Lines” to learn the identities and tactics behind the big criminal business of email compromise.

Executive Summary

Nigerian Scammers Target American Businesses

Over the course of the past 10 months, using responsible active defense techniques, Agari captured 78 criminal email accounts, belonging to 10 criminal organizations, and containing 59,652 unique email messages. Agari analyzed the contents of these email accounts to investigate the tactics, targets and identities of the criminals. And now, that analysis enables stronger defensive strategies and measures.

What’s more, Agari has used this analysis to warn financial institutions about accounts being used for criminal activity, and to provide evidence to law enforcement. Agari has also warned victims, and in at least one case, quick action helped a company recover its money.

One of the more interesting findings from this analysis was that while much of the high-profile cybersecurity news of the past year has involved state sponsors like Russia and North Korea, American businesses and individuals are far more likely to be targeted by Nigerian scam artists.

Nigerian scam artists, traditionally associated with implausible get-rich-quick schemes and other scams of individuals, have become more sophisticated and a significant threat to American businesses. The groups Agari captured began ramping up their business email compromise (BEC) attacks between 2016 and 2018. They have targeted the largest corporations, small businesses, real estate agents, and even hospice care providers with sophisticated, commercially purchased malware.

Even as they move into more sophisticated attacks against businesses, these criminal groups continue duping individuals through rental scams (which yield lucrative revenue) and fraudulent romance (which yields new money mules, in addition to revenue). Among these victims, we found two women who had been bilked out of a half-million dollars each. One of them lost her home and was forced to pull her children out of school, while the other appears to have become a knowing accomplice to an online lover who was never real.

Since I can’t send more money, maybe I’m of no use to you now. I certainly feel like that could be the deal here…A realtor is coming over tomorrow to help me list my house for sale. I’m talking to an attorney now about how to keep the collection agencies away and protect my kids. All this time, I’m wondering if I’ve heard from you for the last time. Please don’t let that be the case.

—Romance scam victim email to her attacker

Introduction 

Business email compromise is an advanced email attack that leverages the most common form of identity deception—display name deception—most frequently targeting finance teams to make fraudulent payment requests.

Through social engineering, cybercriminals are completely bypassing traditional perimeter defenses. There’s no malware to detect, nothing suspicious in the code, nothing unfamiliar in the message—it’s just that the person on the other end of the email isn’t who they claim to be.

The 2018 Verizon Data Breach Incident Report recognizes that “we’re only human” when it comes to social engineering. But this human weakness results in the single most common and costly form of cyberattack. According to Verizon, “phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).” And the FBI reports that BEC has resulted in exposed losses of more than $5 billion.

It’s ironic—and problematic—that many of these attacks are using our own infrastructure against us. Cloud-based email services have commoditized basic email security, but they also offer a low barrier to entry for criminal organizations that want to create dozens of fraudulent accounts to impersonate otherwise trusted identities. Generally, it is more difficult to detect these attacks because they are launched from legitimate infrastructures that traditional security controls have been taught to trust.
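As an added illustration (not code from Agari or the report), the following Python compares the From display name of a message against a directory of known identities and flags a trusted name arriving from an unfamiliar mailbox, even when SPF and DKIM pass. The directory entries, domains and sample messages are constructed assumptions.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

def normalize(name):
    """Fold case, accents, punctuation and word order ('Whitfield, Dana' == 'dana whitfield')."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return " ".join(sorted(folded.lower().replace(",", " ").replace(".", " ").split()))

# Hypothetical directory of identities an attacker would impersonate (constructed).
DIRECTORY = {
    normalize("Dana Whitfield"): {"dana.whitfield@corp.example"},
    normalize("Luis Ortega"): {"lortega@corp.example"},
}

def check_from(raw_message):
    """Classify one RFC 5322 message by comparing its From display name with its address."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    auth = msg.get("Authentication-Results", "")
    result = {"display": display, "address": address,
              "auth_pass": "spf=pass" in auth and "dkim=pass" in auth}
    known = DIRECTORY.get(normalize(display))
    if known is None:
        result["verdict"] = "not-in-directory"
    elif address in known:
        result["verdict"] = "ok"
    else:
        # Trusted name, unfamiliar mailbox. The message can still pass SPF/DKIM
        # because the webmail provider authenticates its own domain correctly.
        result["verdict"] = "display-name-deception"
    return result

# Constructed sample messages (not taken from the report).
SAMPLES = [
    "From: Dana Whitfield <dana.whitfield@corp.example>\n"
    "Authentication-Results: mx.corp.example; spf=pass; dkim=pass\n"
    "Subject: Q3 forecast\n\nSee attached.\n",
    'From: "Whitfield, Dana" <dana.whitfield.ceo@webmail.example>\n'
    "Authentication-Results: mx.corp.example; spf=pass; dkim=pass\n"
    "Subject: Urgent wire today\n\nAre you at your desk?\n",
    "From: Acme Billing <billing@vendor.example>\n"
    "Subject: Invoice\n\nAttached.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(check_from(raw))
```

The second sample authenticates cleanly and carries no attachment or link, so only the name-to-address comparison separates it from the first.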

Not only are the rewards high for these crimes, the risks are low. These international operations face little consequence in the U.S. for the crimes they commit overseas. However, just like the drug trade, many of these operations make use of U.S.-based mules to aid and abet them. The average U.S. company may be suspicious about wiring money to a Nigerian bank account, but when the bank is in the U.S. (thanks to a mule) it is less likely to raise a red flag.

In short, these criminals have used identity deception and trusted infrastructures to circumvent traditional security. But there is a solution. Thanks to recent advances in AI-powered defense systems, we can change the equation, turn the tables and fight back against the epidemic of BEC and identity deception—and we must.

This report fills critical gaps in our awareness of these attacks, provides direct insight into the organizations and individuals committing these crimes, and demonstrates the value of proactive protection against identity deception. With this new insight, it is our goal to foster better cooperation and information sharing between law enforcement, the security industry and the organizations they each serve to protect.
