The Connections Between West African Cybercrime & Business Email Compromise
When the typical person thinks about cybercrime, they may think of ransomware or identity theft, or perhaps the ubiquitous Nigerian prince scams targeting their unsuspecting grandmother. When you hear the term “cybercrime,” it’s common to think of the attacks that frequently make headlines.
Less well-known (but growing in popularity by the day) is business email compromise, or BEC, which has been the most costly cybercrime for the past six years and accounted for 44% of all cybercrime losses in 2020. Far from the easy-to-spot royalty schemes, BEC aims to divert vendor, payroll, and other payments on a massive scale, in part through unauthorized email access.
Perhaps most interesting about this type of fraud is that it has evolved from the more popular 419 fraud, or advance-fee scheme, for which West Africa is most well known.
The Evolution of African Cybercrime
Almost as long as the Internet has been around, so has cybercrime. With the first widespread use of the Internet in the 1990s came a version of the advance-fee scam, which typically urged recipients to pay a relatively small sum to aid a wealthy foreign prince in return for a lucrative future reward. These scams came pouring out of Africa and into the mailboxes of the world.
And although these seemingly easy-to-spot schemes generally followed a very similar pattern and became the butt of many a cultural joke, they were not wholly unsuccessful, particularly as they moved away from email and toward platforms like Craigslist. This success, despite apparently widespread awareness of the issue, inspired more elaborate schemes as a new generation turned to cybercrime to support themselves and their families.
Fraud actor success only inspired more ambitious African minds to turn to Internet fraud as a career, finding further success as they moved from targeting individuals to targeting entire organizations. Using the same social engineering skills, combined with experience gained over time, these threat actors expanded into more successful categories of fraud.
Often, these threat actors from West Africa pursue a “throw it at the wall and see what sticks” fraud strategy, simultaneously conducting dozens of types of crime. The most prevalent include:
Public programs and benefits fraud. Actors use online portals to apply for unemployment or related benefits, using information obtained through identity theft. The funds are sent to the fraudsters.
Tax fraud. Similar to public programs fraud, actors submit tax returns using stolen identities, then cash the checks.
Romance scams. Actors use fabricated dating profiles to build a close relationship, often with an inability to meet in person, and then extract money from the victim. In some cases, they’ll develop a relationship so close that the victim will turn into a money mule for their crimes. It should be noted that from 2016-2020, victim losses from romance scams rose more than 4x.
And then of course, there is business email compromise, which uses social engineering tactics to divert payments, convince employees to wire money, or provide access to sensitive information that can later be exploited. The most popular types of business email compromise include:
Executive Impersonation. Actors send emails that appear to come from the CEO or other high-profile executive, asking employees to send wire transfers or buy gift cards on behalf of a customer or vendor.
Vendor email compromise and invoice fraud. Threat actors impersonate vendors and other parties, often manipulating real invoices to redirect payments to their own bank accounts. This is generally the costliest and most successful type of BEC fraud.
Payroll misdirection fraud. Actors change an employee’s direct deposit details to an account they control, diverting payroll into their own accounts.
Real estate or escrow fraud. Actors intervene in real estate transactions, impersonating one of the many parties involved to redirect large payments. Depending on where in the process this occurs, victims can be left without any recourse to be made whole again.
If these tactics seem familiar, it’s because nearly every organization has been targeted with at least one of these emails over the course of the last several years. Anyone in a position to be handling funds becomes an attractive target to a BEC actor.
Business Email Compromise and Why It Matters
Despite the dominant perception that the most “high tech” cybercrimes cause the most damage to their victims, the costliest form of cybercrime in 2020 was BEC, which typically requires a low to moderate degree of technical expertise. Business email compromise has dominated the list recently, coming in first for the sixth year in a row as losses continue to rise each year. And yet substantial progress in thwarting these kinds of attacks has not been made, despite growing attention and concern from organizations worldwide.
This is due in large part to the subtlety of many of these incidents. BEC actors may gain access to the email accounts of a vendor, for example, and then exploit the existing trust relationship to successfully socially engineer an unauthorized payment to their account. And even when they don’t compromise a real account, these actors know how to trick their victims. In many cases, they rely on small, hard-to-notice changes, registering a lookalike domain that impersonates or spoofs a vendor or the victim company, such as swapping a lowercase “l” for a capital “I”, so that an end user does not recognize the BEC attack until it is too late.
There is little doubt that awareness on the topic has increased exponentially over the past few years, yet BEC fraudsters are not given the respect and appreciation they deserve as a serious cyber threat. Perhaps this is because these attacks are seen as less costly to the criminal than ransomware and other traditional cyber threats. Or perhaps it is because people believe there is little they can do to stop BEC, beyond a few security awareness sessions or phishing simulation exercises.
Or perhaps it is because the majority of BEC actors continue to be from West Africa and their diaspora communities, with occasional reports of similar activity from South America and Eastern Europe. With the majority of BEC funds seeming to flow first to Southeast Asia, possibly taking advantage of banking connections where many Nigerians study abroad, it’s clear that West African fraudsters have discovered how to make their money. For better or for worse, this group has emerged as the masters of social engineering and they know how to continue tricking victims into providing them exactly what they need to succeed—money.
If history tells us anything, it’s that BEC will continue to grow unless we can find a way to stop the attacks. Because these attacks are notorious for being text-only emails, without malicious attachments or suspicious links, and because they often come from a known domain, traditional tools have few signals from which to determine that the intent behind the email is malicious, and so these messages bypass secure email gateways and other security controls.
All of this makes detection and mitigation difficult, and good luck pursuing damages internationally with the sheer number of BEC cases and staggering amounts of loss. You can try, but those who have in the past haven’t seen success. Thus, the best way to protect your employees and your organization from these attacks is to stop them before they reach inboxes. It’s only by understanding subtle traits like sender behavior and natural language, and then blocking anything that appears abnormal, that we can truly ensure that West African threat actors can be thwarted so they are forced to turn their attention elsewhere.
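The lookalike-domain trick described earlier (a lowercase “l” swapped for a capital “I”) and the text-only, no-attachment pattern that gateways struggle with are both things a defender can check for at the mail boundary. The script below is an added example, not code from the original post or from any vendor; the partner-domain allowlist, the sample message, and the payment keyword list are constructed for illustration.

```python
import email
from email import policy

# Constructed allowlist of partner domains; real deployments load these from vendor records.
TRUSTED_DOMAINS = {"acme-supplies.com", "example-bank.com"}
PAYMENT_WORDS = ("wire", "invoice", "direct deposit", "gift card", "bank account")

def skeleton(domain: str) -> str:
    """Collapse confusable characters so 'suppIies' and 'supplies' compare equal.
    Capital I -> l must run before lowercasing, because lower('I') is 'i', not 'l'."""
    s = domain.strip().translate(str.maketrans({"I": "l", "1": "l", "|": "l"})).lower()
    for look, real in (("0", "o"), ("rn", "m"), ("vv", "w")):
        s = s.replace(look, real)
    return s

def classify_domain(domain: str) -> tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', trusted domain matched or '')."""
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted", domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted):
            return "lookalike", trusted
    return "unknown", ""

def check_message(raw: bytes) -> list[str]:
    """Inspect From, Reply-To and body of one raw message; return findings (empty = nothing odd)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if sender:
        verdict, match = classify_domain(sender.domain)
        if verdict == "lookalike":
            findings.append(f"From domain {sender.domain} is a lookalike of trusted {match}")
    if sender and reply_to and skeleton(reply_to.domain) != skeleton(sender.domain):
        findings.append(f"Reply-To domain {reply_to.domain} differs from From domain {sender.domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    # Text-only payment requests carry no attachment or link for a gateway to score, so flag on content.
    if not list(msg.iter_attachments()) and any(w in text for w in PAYMENT_WORDS):
        findings.append("Text-only message asks to change payment details; hold for out-of-band verification")
    return findings

# Constructed sample: lowercase 'l' in 'supplies' swapped for capital 'I', Reply-To points elsewhere.
SAMPLE = b"""From: Accounts <billing@acme-suppIies.com>
Reply-To: billing@acme-suppIies-payments.net
Subject: Updated remittance details

Please update the bank account on invoice 4471 before the wire goes out.
"""
```

Running check_message(SAMPLE) yields three findings: the lookalike sender domain, the mismatched Reply-To, and the text-only payment-change request; a real pipeline would feed these into quarantine or a verification workflow rather than relying on the end user to spot the swapped letter.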