Email Security Blog

The Global Reach of Business Email Compromise (BEC)

Crane Hassold | October 13, 2020 | Business Email Compromise

Over the last five years, Business Email Compromise (BEC) has evolved into the predominant cyber threat businesses face today. Since 2016, businesses have lost at least $26 billion as a result of BEC scams and, based on the most recent FBI IC3 report, losses from BEC attacks grew another 37 percent in 2019—accounting for 40 percent of all cybercrime losses over the course of the year.

The information contained in our new report, The Geography of BEC, comes from more than 9,000 active defense engagements conducted by ACID between May 2019 and July 2020. As a result of these engagements, we are able to collect crucial intelligence that allows us to better understand the operations of BEC criminal organizations. This includes the locations of the threat actors who perpetrate these attacks, as well as the money mules who play such an integral role in laundering the proceeds that result from them.

We were able to identify BEC actors in 50 different countries, demonstrating that while Nigeria has been the historical epicenter of social engineering activity, BEC actors and the individuals who enable their attacks can be found all over the world. Within our dataset, Nigeria was home to only half of the BEC operators we observed, which may be surprising given the historical role this country has played in the evolution of this form of fraud.

Graphic depicting BEC actors by region and country


Global locations of BEC threat actors.

Surprisingly, a quarter of all BEC attackers had a home base in the United States. Nearly half of US-based BEC actors were located in five states: California, Georgia, Florida, Texas, and New York. Looking at the data more granularly, we observed clusters of actors around a handful of metro areas, including Atlanta, GA; New York, NY; Los Angeles, CA; Houston, TX; and Miami, FL. Incidentally, these metro areas match the locations where many recent BEC arrests have been made, including those made in Operation reWired, an international law enforcement operation that resulted in 281 arrests worldwide.


Distribution of BEC actors in the United States.

Money mules, one of the most important components of the BEC financial supply chain, were also observed around the world. Over the course of 15 months, we collected 2,900 mule accounts in 39 countries, through which scammers intended to receive more than $64 million in stolen funds from BEC victims. While 80% of these mule accounts were located in the United States, the requested payment amounts destined for those accounts were significantly lower than those seen in other countries. For example, the average amount of payments to US-based mule accounts was $39,500, while payments directed to mule accounts based in Hong Kong were $257,300—more than six times their stateside counterparts.


Average BEC payment requests.

Within the United States, more than 900 mules were identified across all 50 states, as well as the District of Columbia. Many of these mules are likely to be unwitting victims of other social engineering attacks, such as romance scams and work-from-home cons. A significant number of BEC mules were also clustered around a small number of cities, indicating these areas may be hubs of BEC activity in the US. Mirroring the clusters of BEC actors, the top metropolitan areas for US-based money mules were Dallas, TX; New York, NY; Atlanta, GA; Houston, TX; and Los Angeles, CA.


Locations of BEC money mules in the United States.

The global footprint of BEC demonstrates that the source of the problem is not confined to a small part of the world. It also shows that the simplistic geo-blocking capabilities of SEGs and firewalls are not a silver bullet for identifying malicious threats. Cybercriminals can hide behind VPNs and other proxies (something the actors we identified were not using), but our study also shows that a large percentage originate in places you might not expect, like the United States. This reinforces the need for comprehensive identity deception detection capabilities to defend against BEC attacks and other types of cyber threats.

For more information on the location of BEC actors and their money mules, download the full Geography of BEC report and register for the webinar.
