New Techniques Used to Target Business Email

An Internet-security firm Thursday offered new insights into the perpetrators behind an increasingly popular type of cyberfraud targeting small businesses, tracing the attacks to Nigerians involved in earlier types of email scams.

In one variant of the scheme, SecureWorks Inc. said criminals break into email accounts and change bank-account information to capture payments intended for suppliers.

The increasing prevalence of the schemes has drawn the attention of law enforcement. Attackers who once pretended to be executives directing subordinates to transfer money are using new techniques, including malicious software to break into email systems and redirect the payments, said Rick Alwine, a supervisory special agent with the Federal Bureau of Investigation’s Cyber Division.



“We’re seeing an evolution of business email compromises that started around 2013,” he said.

In an alert to businesses last month, the FBI said the frauds “may be harder to detect,” because the wire-transfer requests involved are legitimate. In an analysis of 44 recent fraudulent transfers, 84% of the transfers went to accounts in China and Hong Kong where it is more difficult for victims to recover their money, the FBI alert said. The FBI says it has logged nearly 18,000 reports of business email scams since 2013 accounting for $2.3 billion in losses, and complaints about these scams more than tripled last year, compared with 2014.

On Monday, Interpol said it had arrested a 40-year-old Nigerian man, identified only as “Mike,” who headed a 40-person international network that allegedly stole from small and medium-size businesses in Australia, Canada, India, the U.S. and other countries. One victim paid $15.4 million to the scammers, Interpol said.

Mr. Alwine, the FBI agent, said many others are involved, including gangs in Nigeria, Europe, the Middle East and Asia. “It’s a bit of a whack-a-mole situation where we’ve got one guy, and another one is going to pop up in his place,” he said.

SecureWorks executives said they gained new insight into the perpetrators in May after a participant infected his personal computer with malicious software that posted a screenshot of the computer every five minutes to a public webserver.

The participant, whom SecureWorks dubbed “Mr. X,” effectively published a stop-motion portrait of his digital life, back to February. The screenshots suggested Mr. X’s organization, which also comprises 40 people, had reaped $6 million from the fraud. SecureWorks declined to identify Mr. X, but James Bettke, a security researcher with the company, said the information from the computer screenshots depicted a married, college-educated, middle-aged man with school-aged children who regularly attends church.

“I’ve never stumbled across such a treasure trove of information,” Mr. Bettke said.

SecureWorks says such scams are known in Nigeria as “wire-wire” and are openlydiscussed in songs and online discussions. A Facebook group calling itself “Wire wire zone” offers to connect scammers with money mules who will transfer funds. “It’s an open bazaar for money laundering,” said Joe Stewart, a director of malware research with SecureWorks.

Facebook’s policies prohibit using the service to organize criminal activity, a company spokesman said. “We will remove content if there is a violation.”

What distinguishes Mr. X’s crew from less-sophisticated scammers is that it breaks into web-based email accounts and secretly changes the settings, so that emails from buyers are forwarded to the scammer.

When the buyer sends an order, the scammers step in, ultimately intercepting the seller’s invoice and changing payment instructions before sending it back to the buyer. With the modified invoice, funds are sent to the criminals instead of the seller.

In the U.S., companies are becoming more aware of the risks of email fraud, but Mr. Stewart worries that most businesses aren't protecting themselves against this newer variation. “True business email compromise is almost invisible to both victim companies involved in the transaction,” he said. “It’s going to take a lot more effort to stop it than a simple reminder to phone the CEO before wiring money on his behalf.

Write to Robert McMillan at