The Connections Between West African Cybercrime & Business Email Compromise

January 20, 2022

When the typical person thinks about cybercrime, they may think of ransomware or identity theft, or perhaps the ubiquitous Nigerian prince scams targeting their unsuspecting grandmother. When you hear the term “cybercrime,” it’s common to think about the attacks that frequently make headlines.

Less well-known (but growing in popularity by the day) is business email compromise, or BEC, which has been the most costly cybercrime for the past six years and accounted for 44% of all cybercrime losses in 2020. Far from the easy-to-spot royalty schemes, BEC aims to divert vendor, payroll, and other payments on a massive scale, in part by unauthorized email access.

Perhaps most interesting about this type of fraud is that it has evolved from the more popular 419 fraud, or advance-fee scheme, for which West Africa is best known.

The Evolution of African Cybercrime

Cybercrime has been around almost as long as the Internet. It began in the 1990s, with the first widespread use of the Internet, as a version of the advance-fee scam, which typically urged respondents to pay a relatively small amount of funds to aid a wealthy foreign prince in return for a lucrative future reward. These scams came pouring out of Africa and into the mailboxes of the world.

And although these seemingly easy-to-spot schemes generally followed a very similar pattern and became the butt of many a cultural joke, they were not wholly unsuccessful, particularly as they moved away from email and toward platforms like Craigslist. This success, despite apparently widespread awareness of the issue, inspired more elaborate schemes as a new generation turned to cybercrime to support themselves and their families.

Fraud actor success only inspired more ambitious African minds to turn to Internet fraud as a career, finding further success as they moved from targeting individuals to targeting entire organizations. Using the same social engineering skills, combined with experience gained over time, these threat actors expanded into more successful categories of fraud.

Often, these threat actors from West Africa pursue a “throw it at the wall and see what sticks” fraud strategy, simultaneously conducting dozens of types of crime. The most prevalent include:

  • Public programs and benefits fraud. Actors use online portals to apply for unemployment or related benefits, using information obtained through identity theft. The funds are sent to the fraudsters.

  • Tax fraud. Similar to public programs fraud, actors submit tax returns using stolen identities, then cash the checks.

  • Romance scams. Actors use fabricated dating profiles to build a close relationship, often with an inability to meet in person, and then extract money from the victim. In some cases, they’ll develop a relationship so close that the victim will turn into a money mule for their crimes. It should be noted that from 2016 to 2020, victim losses from romance scams rose more than 4x.

And then of course, there is business email compromise, which uses social engineering tactics to divert payments, convince employees to wire money, or provide access to sensitive information that can later be exploited. The most popular types of business email compromise include:

  • Executive Impersonation. Actors send emails that appear to come from the CEO or other high-profile executive, asking employees to send wire transfers or buy gift cards on behalf of a customer or vendor.

  • Vendor email compromise and invoice fraud. Threat actors impersonate vendors and other parties, often manipulating real invoices to redirect payments to their own bank accounts. This is generally the costliest and most successful type of BEC fraud.

  • Payroll misdirection fraud. Actors update direct deposit information with new account information, diverting payroll into their own accounts.

  • Real estate or escrow fraud. Actors intervene in real estate transactions, impersonating one of the many parties involved to redirect large payments. Depending on where in the process this occurs, victims can be left without any recourse to be made whole again.

If these tactics seem familiar, it’s because nearly every organization has been targeted with at least one of these emails over the course of the last several years. Anyone in a position to be handling funds becomes an attractive target to a BEC actor.

Business Email Compromise and Why It Matters

Despite the dominant perception that the most “high tech” cybercrimes cause the most damage to their victims, the costliest form of cybercrime in 2020 was BEC, which typically requires a low to moderate degree of technical expertise. Business email compromise has dominated the list recently, coming in first for the sixth year in a row as losses continue to rise each year. And yet substantial progress in thwarting these kinds of attacks has not been made, despite growing attention and concern from organizations worldwide.

This is due in large part to the subtlety of many of these incidents. BEC actors may gain access to the email accounts of a vendor, for example, and then exploit the existing trust relationship to successfully socially engineer an unauthorized payment to their account. And even when they don’t compromise a real account, these actors know how to trick their victims. In many cases, they’ll rely on changing small, hard-to-notice details and create a domain to impersonate or spoof a victim company, such as changing a lowercase “L” to a capital “I” to make it difficult for an end user to recognize a BEC attack until it is too late.
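The lookalike-domain trick described above can be checked for mechanically before a payment request is trusted. The following is an added example, not code from the original post; the vendor allow-list, the confusables map, and the sample addresses are all constructed assumptions.

```python
"""Flag sender domains that imitate a trusted vendor domain (added example)."""
from typing import Optional, Tuple

# Constructed, deliberately small confusables map (an assumption, not a
# complete list): each look-alike sequence collapses to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]

# Hypothetical allow-list of vendor domains the organization pays.
TRUSTED = {"globalsupply.example", "millerlogistics.example"}


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar names compare equal."""
    # Map before lowercasing: a capital "I" is the disguise for "l".
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, imitated_domain) for a From address as displayed."""
    domain = sender.rsplit("@", 1)[-1].strip(" >")
    if domain.lower() in TRUSTED:
        return "trusted", None
    for good in sorted(TRUSTED):
        if skeleton(domain) == skeleton(good):
            return "lookalike-homoglyph", good
        # Catches the same domain after a mail client lowercases it (I -> i).
        if edit_distance(domain.lower(), good) <= 1:
            return "lookalike-near-miss", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders.
    for s in ["ap@globalsupply.example", "ap@globaIsupply.example",
              "ap@globaisupply.example", "news@unrelated.example"]:
        print(s, classify(s))
```

A check like this only covers impersonated domains; it does nothing for the case where the vendor's real mailbox has been compromised and the message comes from the genuine domain.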

There is little doubt that awareness on the topic has increased exponentially over the past few years, yet BEC fraudsters are not given the respect and appreciation they deserve as a serious cyber threat. Perhaps this is because these attacks are seen as less costly to the criminal than ransomware and other traditional cyber threats. Or perhaps it is because people believe there is little they can do to stop BEC, beyond a few security awareness sessions or phishing simulation exercises.

Or perhaps it is because the majority of BEC actors continue to be from West Africa and their diaspora communities, with occasional reports of similar activity from South America and Eastern Europe. With the majority of BEC funds seeming to flow first to Southeast Asia, possibly taking advantage of banking connections where many Nigerians study abroad, it’s clear that West African fraudsters have discovered how to make their money. For better or for worse, this group has emerged as the masters of social engineering and they know how to continue tricking victims into providing them exactly what they need to succeed—money.

If history tells us anything, it’s that BEC will continue to grow, unless we can find a way to stop the attacks. Because these emails are difficult to detect, they bypass secure email gateways and other security controls. Because these attacks are notorious for being text-only emails, without malicious attachments or suspicious links, and because they often come from a known domain, there are limited ways for traditional tools to determine that the intent behind the email is malicious.

All of this makes detection and mitigation difficult, and good luck pursuing damages internationally with the sheer number of BEC cases and staggering amounts of loss. You can try, but those who have in the past haven’t seen success. Thus, the best way to protect your employees and your organization from these attacks is to stop them before they reach inboxes. It’s only by understanding subtle traits like sender behavior and natural language, and then blocking anything that appears abnormal, that we can truly ensure that West African threat actors can be thwarted so they are forced to turn their attention elsewhere.

