Business Email Compromise (BEC) , Email Security & Protection , Email Threat Protection
Three Charged in $11 Million BEC ScamPolice Say Cybercriminal Gang Targeted 12 Companies
Spanish authorities say they've arrested three individuals on charges of running a large-scale business email compromise scheme that targeted a dozen companies around the world to steal about 10 million ($11 million).
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The suspects, who are all residents of Spain, allegedly targeted companies in the U.S., U.K., Belgium, Venezuela, Bulgaria, Norway, Germany, Luxembourg, Portugal and Chile. The three arrested, who range in age from 34 to 67, have been charged with "belonging to a criminal organization, continued scam, money laundering, discovery and disclosure of secrets, documentary falsehood and usurpation of marital status," Spanish authorities say.
None of the three suspects were named by the Guardia Civil, Spain's national police force, which led the investigation.
Over the course of a three-year investigation, dubbed "Lavanco," Spanish investigators uncovered a web of over 80 shell companies and 185 bank accounts used as part of the BEC scam, which allegedly helped the suspects avoid detection and allowed them to launder the any stolen.
BEC on the Rise
Business email compromise scams, also known as CEO fraud, have become big money-makers for fraudsters.
A July report from the U.S. Treasury Department found that the scams are costing U.S. companies a total of more than $300 million a month.
In September, the FBI's Internet Crime Complaint Center noted that global losses and attempted thefts from BEC scams increased by 100 percent over a 14-month period. And the U.K. National Cyber Security Center warned in September that schools and universities are also falling victim to BEC schemes.
How the Scam Worked
Authorities in Spain say the suspects in the BEC scam allegedly began by stealing credentials of managers at targeted companies using phishing emails and then taking over their accounts.
Using these stolen executive email credentials, the suspects allegedly sent fraudulent emails to lower-level employees that requested phony wire transfers. To give the scam another layer of legitimacy, the wire transfers were directed to banks with which the victim companies had previously done business, Spanish authorities say.
The suspects also attached fake invoices that looked legitimate, Spanish police note. The gang would then allegedly launder the money they received through various shell companies and bank accounts, authorities say. They also bought real estate to help launder the stolen funds, police allege.
Police say that so far, they’ve recovered about 1.3 million ($1.4 million) in stolen funds from about 16 bank accounts.
Other Recent BEC Arrests
In another recent global BEC crackdown, 281 suspects were arrested as part of the four-month investigation called "Operation reWired." Most of the arrests were made in Nigeria, but others were arrested in the U.K., Italy, Japan, France and elsewhere (see: Business Email Compromise Crackdown: 281 Suspects Busted).
And in August, the U.S. Justice Department indicted 80 suspects for running a global business email compromise scam that led to millions of dollars in fraud and allegedly involved a complex money-laundering operation (see: 80 Indicted for Scams, Including Business Email Compromises).