While many cybercriminal gangs scam medium-sized and large corporations, Agari has now uncovered and documented the practices of a Nigeria-based scammer group, dubbed Scarlet Widow, that has evolved a different strategy focused on more vulnerable sectors such as school districts, universities, and nonprofits.

In this report, we uncover:

  • How Scarlet Widow transitioned from romance scams to tax fraud to BEC
  • Why the group focuses on school districts, universities, and nonprofits
  • What kinds of emails Scarlet Widow uses to target their victims, and
  • How the cybercriminals launder the money through legitimate online services

Download Scarlet Widow: BEC Bitcoin Laundry—Scam, Rinse, Repeat to see why cybercriminals are going after more vulnerable populations in their scams.

Easy Targets, Easy Money:
Scarlet Widow’s Targets

Since November 2017, Scarlet Widow has gathered targeting information for more than 30,000 individuals associated with more than 13,000 organizations in 12 countries.

Nearly all of the leads collected by Scarlet Widow were for employees located in two countries—with 73% in the United States and 20% in the United Kingdom.

Individuals Targeted by Scarlet Widow by Country


Targeting Nonprofits

Scarlet Widow has actively targeted the nonprofit sector with their phishing campaigns. More than a quarter of the companies the group has collected targeting information for are charities and other nonprofit organizations. The choice to specifically target these kinds of marks with BEC attacks may indicate that the group believes that they are softer targets than for-profit companies, which typically have greater email security measures in place.

Indeed, while financial institutions and category leaders in other industries have begun hardening defenses in recent years, a general latency in adoption of cybersecurity has been a growing issue in the nonprofit sector. The fundraising capabilities on which this sector depends have not always been matched by suitable protections—at least not in real time.

A review of Scarlet Widow’s targeting database shows the diverse array of nonprofits targeted by the group. While the Boy Scouts of America was the nonprofit with the highest number of individual targets at 190, other organizations appear frequently in Scarlet Widow’s target database. This list includes a West Coast chapter of the United Way, a nationwide anti-hunger charity, a Texas ballet foundation, a large hospital and physician group in North Carolina, a Midwest Archdiocese of the Catholic Church, a well-known annual arts festival, and numerous chapters of the YMCA.

In the United Kingdom, Scarlet Widow secured email addresses for individuals at more than 1,300 large and small nonprofits, including the country’s leading children’s charity, a large advocacy and support group for the disabled, the national Salvation Army organization, and a family services hub for a borough of London.

It is important to note that while these nonprofits were targeted, the attacks weren’t necessarily successful. Any individual email has a low probability of success—previous Agari research found a success rate of 0.37%—with the scam groups depending on a huge volume of attacks to gain a satisfactory return.

Educational Institutions and Tax Firms Take a Hit

Another sector that Scarlet Widow has specifically targeted with focused BEC attacks is educational institutions. Scarlet Widow’s targeting list included more than 1,800 individuals at 660 educational institutions, ranging from rural K-12 school districts in the United States to prominent universities in New Zealand.

Academic Scarlet Widow Targets by Country

Since September 2018, the group has aggressively targeted schools in five countries—New Zealand, the United States, the United Kingdom, Australia, and Germany—with more than 1,600 BEC attacks. Kiwi universities have made up nearly 60% of Scarlet Widow’s academic targets during that timeframe.

When targeting academic institutions, Scarlet Widow’s tactics change slightly. Instead of impersonating a company CEO and sending an email to a single employee, the group impersonates multiple department heads and sends attack communications to a number of different administrators and coordinators, hoping that one of them will take the bait.

Tax preparation accounting firms have also been a prime target for Scarlet Widow. These companies are attractive targets for BEC scammers looking to obtain W-2s for tax filers, especially before tax season. Over the past eighteen months, the group has collected contact information for more than 9,500 employees at more than 1,500 tax preparation firms. Most of the target data collection for these companies occurred in or around September 2018, likely in preparation for campaigns that have already launched or will launch in early 2019. With a consumer’s earnings information, social security number, and other personal information in hand, a scammer can file a false return and collect an electronic refund from the IRS—making this a prime target for easy money

Scarlet Widow Targets since November 2017

How Scarlet Widow Identifies Its Targets

Like other email fraud operations, Scarlet Widow actively collects and shares leads among other members of its network. Similar to other BEC groups we have recently tracked, Scarlet Widow uses legitimate commercial services to identify potential targets. Since 2016, the group has used at least five different online services to collect data for future campaigns. In an effort to be cost-effective, members of the group have taken advantage of free trial periods offered by these services and used them to quickly gather leads during the few days they have access to the service.

While the groups uses commercial tools to identify individual targets within businesses, when Scarlet Widow goes after nonprofit organizations, the group primarily uses publicly-accessible websites to scrape contact information for employees. One of the artifacts that we identified during our research into the group (shown on the next page) provides insight into the tactics the group used to collect information.

Working off a list of identified websites that contain directories of nonprofit organizations, Scarlet Widow uses a web scraper to traverse the online directory and collect email addresses associated with each organization. The group refers to this process as “bombing” an online directory

How Scarlet Widow Scrapes Target Data from Online Directories

Close button
Mail Letter

Would you like the confidence to trust your inbox?