FBI Reports Surge of Business Email Compromise and Online Dating Scams
Much like a scene lifted from a movie, a man based in California promised his dying mother that he'll find a “good woman” to marry. Tim McMurray, a 61-year-old Gardena native, sought help from an online dating site where he began talking to several people hoping to make good on the promise. Not long after, his foray into Match.com allowed him to sift through possible wives-to-be. In a short span of time, this online quest led him to what he believed to be a romance scammer.
For him, a really good looking woman asking to marry him sounded too good to be true. And it was. This hunch prompted him to cooperate on an operation that would later save a company from losing money. The minute the Federal Bureau of Investigation (FBI) stepped in, McMurray saved himself from becoming a money mule for a $53,000 deposit headed for a Georgia location. While his participation led to the arrest of a money mule in Georgia, investigations into this case of advanced catfishing are still ongoing. According to the F.B.I., the online crook was part of a Business Email Compromise (B.E.C) ring behind an attack on the Beverly Hills company, and the ruse would have aided the final stages of their operation.
In a press conference held last week, David Bowdich, FBI’s Assistant Director in Charge of the Los Angeles Field Office alerted officials and partners on trending online schemes, particularly the ongoing rise of BEC schemes and online dating scams—including the case of McMurray, which showcases a mix of both tactics. Perpetrators of this kind of scheme play on a target’s emotions and “groom” them into becoming an unknowing accomplice by becoming money mules for illegal fund transfers. Reports also show victims unwittingly opening business accounts for fraudulent corporations.
BEC schemes, as the bureau notes, is “a fraud targeting businesses that regularly perform wire transfer payments. The scam is carried out when perpetrators compromise e-mail accounts through social engineering or through computer intrusion techniques to fraudulently direct electronic fund transfers.” The scheme, albeit simple, has proven to be profitable, no small thanks to careful and extensive planning needed to create one bogus email. According to the FBI, from October 2013 through February 2016, similar schemes have tricked 17,600 victims, amounting to $2.3 billion in losses.
[Read: Dissecting BEC schemes]
In the past month or so, reports show that BEC schemes do not simply rest on direct monetary pursuits. Especially during tax season, cybercriminals behind BEC schemes go for irreplaceable personal data that are of high value either as items sold in the cybercriminal underground or as ingredients for staging further attacks, like tax or IRS fraud. Corporations like Seagate, Snapchat, Sprouts Farmers Market, and Pivotal Software are among some of the most recent incidents added to the string of attacks using this attack tactic. Much more recently, a string of separate attacks hit the education sector using the same email scams, as Tidewater Community College and the Kentucky State University reported falling for the same scam, triggered by an legitimate-looking email message requesting employee W-2 tax information.
Operation Romeo & Juliet
Apart from BEC schemes highlighted by the FBI in the conference, Bowdich also reiterated on the rampancy of scammers found in online dating sites. This isn’t necessarily new or advanced, but toying with the emotions of victims continues to be an effective strategy for cybercriminals. They call it, “Operation Romeo & Juliet”—schemes banking on romance to rake in profit or for transferring illegal funds.
As such, the FBI narrated the story of an 83-year-old woman who fell for a romance scam. Kathy Weil was quickly enamored by a Washington State civil engineer named Fred, whom she met online. A few sweet words and a promise of marriage after, Fred lured Kathy into wiring over $23,000 of her savings to an account in Malaysia. Kathy’s son, Dave knew about the ruse and told the story to the FBI. Kathy still believes that Fred, the love of her life, is real, when in fact, he is what's known as a "catfish".
Kathy is among the many who were trapped by a meticulously-crafted story that hooked them into sending money to a sham account.Catfishing stories continue to pile up as online dating websites continue to flourish. In fact, in the United States alone, dating and matchmaking sites have significantly grown to a billion-dollar industry, cashing in almost $2 Billion and attracting a consumer base of over 49 Million online users in 2015.
[Read: Online Scams Cashing in on Romance]
The FBI noted that dating sites have already been contacted to raise awareness of the common scams that exist on such platforms, but Bowdich stresses that the important thing is to inform the public about developing a stronger security mindset to keep threats like this at bay.
Scammers continue to craft creative and elaborate plots, but even the most carefully developed personas and tactics on online dating sites have indicators that users should look out for. In the end, awareness is the most useful defensive tool against these types of schemes.
The same goes for companies and organizations who continue to be in the crosshairs of BEC schemers. Corporations should invest in developing actionable means to deepen its employees’ security mindset—from inculcating sufficient knowledge on social engineering lures and its damaging repercussions to the individual and the company, down to enforcing even the simplest practices of verifying sources of email messages.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: TargetCompany
- Email Threat Landscape Report: Cybercriminal Tactics, Techniques That Organizations Need to Know
- Preventing an Imminent Ransomware Attack With Early Detection and Investigation
- Inside the Halls of a Cybercrime Business
- Securing Cloud-Native Environments with Zero Trust: Real-World Attack Cases