The Connections Between West African Cybercrime & Business Email Compromise

January 20, 2022

When the typical person thinks about cybercrime, they may think of ransomware or identity theft, or perhaps the ubiquitous Nigerian prince scams targeting their unsuspecting grandmother. When you hear the term “cybercrime,” it’s common to think about those attacks that are frequently making news in the headlines.

Less well-known (but growing in popularity by the day) is business email compromise, or BEC, which has been the most costly cybercrime for the past six years and accounted for 44% of all cybercrime losses in 2020. Far from the easy-to-spot royalty schemes, BEC aims to divert vendor, payroll, and other payments on a massive scale, in part by unauthorized email access.

Perhaps most interesting about this type of fraud is that it has evolved from the more popular 419 fraud, or advanced fee scheme, for which West Africa is most well known.

The Evolution of African Cybercrime

Almost as long as the Internet has been around, so has cybercrime. What began immediately in the 1990s with the first widespread use of the Internet was a version of the advanced fee scam, which typically urged respondents to pay a relatively small amount of funds to aid a wealthy foreign prince in return for a lucrative future reward. These scams came pouring out of Africa and into the mailboxes of the world.

And although these seemingly easy-to-spot schemes generally followed a very similar pattern and became the butt of many a cultural joke, they were not wholly unsuccessful, particularly as they moved away from email and toward platforms like Craigslist. This success, despite apparently widespread awareness of the issue, inspired more elaborate schemes as a new generation turned to cybercrime to support themselves and their families.

Fraud actor success only inspired more ambitious African minds to turn to Internet fraud as a career, finding further success as they moved from targeting individuals to targeting entire organizations. Using the same social engineering skills, combined with experience gained over time, these threat actors expanded into more successful categories of fraud.

Often, these threat actors from West Africa pursue a “throw it at the wall and see what sticks” fraud strategy, simultaneously conducting dozens of types of crime. The most prevalent include:

  • Public programs and benefits fraud. Actors use online portals to submit for unemployment or related benefits, using information obtained through identity theft. The funds are sent to the fraudsters.

  • Tax fraud. Similar to public programs fraud, actors submit tax returns using stolen identities, then cash the checks.

  • Romance scams. Actors use fabricated dating profiles to build a close relationship, often with an inability to meet in person, and then extract money from the victim. In some cases, they’ll develop a relationship so close that the victim will turn into a money mule for their crimes. It should be noted that from 2016-2020, victim losses from romance scams rose more than 4x.

And then of course, there is business email compromise, which uses social engineering tactics to divert payments, convince employees to wire money, or provide access to sensitive information that can later be exploited. The most popular types of business email compromise include:

  • Executive Impersonation. Actors send emails that appear to come from the CEO or other high-profile executive, asking employees to send wire transfers or buy gift cards on behalf of a customer or vendor.

  • Vendor email compromise and invoice fraud. Threat actors impersonate vendors and other parties, often manipulating real invoices to redirect payments to their own bank accounts. This is generally the costliest and most successful type of BEC fraud.

  • Payroll misdirection fraud. Actors update direct deposit information with new account information, diverting payroll into their own accounts.

  • Real estate or escrow fraud. Actors intervene in real estate transactions, impersonating one of the many parties involved to redirect large payments. Depending on where in the process this occurs, victims can be left without any recourse to be made whole again.

If these tactics seem familiar, it’s because nearly every organization has been targeted with at least one of these emails over the course of the last several years. Anyone in a position to be handling funds becomes an attractive target to a BEC actor.

Business Email Compromise and Why It Matters

Despite the dominant perception that the most “high tech” cybercrimes cause the most damage to their victims, the costliest form of cybercrime in 2020 was BEC, which typically requires a low to moderate degree of technical expertise. Business email compromise has dominated the list recently, coming in first for the sixth year in a row as losses continue to rise each year. And yet substantial progress in thwarting these kinds of attacks had not been made, despite growing attention and concern from organizations worldwide.

This is due in large part to the subtlety of many of these incidents. BEC actors may gain access to the email accounts of a vendor, for example, and then exploit the existing trust relationship to successfully socially engineer an unauthorized payment to their account. And even when they don’t compromise a real account, these actors know how to trick their victims. In many cases, they’ll rely on changing small, hard-to-notice details and create a domain to impersonate or spoof a victim company, such as changing a lowercase “L” to a capital “I” to make it difficult for an end user to recognize a BEC attack until it is too late.

There is little doubt that awareness on the topic has increased exponentially over the past few years, yet BEC fraudsters are not given the respect and appreciation they deserve as a serious cyber threat. Perhaps this is because these attacks are seen as less costly to the criminal than ransomware and other traditional cyber threats. Or perhaps it is because people believe there is little they can do to stop BEC, beyond a few security awareness sessions or phishing simulation exercises.

Or perhaps it is because the majority of BEC actors continue to be from West Africa and their diaspora communities, with occasional reports of similar activity from South America and Eastern Europe. With the majority of BEC funds seeming to flow first to Southeast Asia, possibly taking advantage of banking connections where many Nigerians study abroad, it’s clear that West African fraudsters have discovered how to make their money. For better or for worse, this group has emerged as the masters of social engineering and they know how to continue tricking victims into providing them exactly what they need to succeed—money.

If past history tells us anything, it’s that BEC will continue to grow, unless we can find a way to stop the attacks. Because these emails are difficult to detect, they bypass secure email gateways and other security controls. Because these attacks are notorious for being text-only emails, without malicious attachments or suspicious links, and because they often come from a known domain, there are limited ways for traditional tools to determine that the intent behind the email is malicious.

All of this makes detection and mitigation difficult, and good luck pursuing damages internationally with the sheer number of BEC cases and staggering amounts of loss. You can try, but those who have in the past haven’t seen success. Thus, the best way to protect your employees and your organization from these attacks is to stop them before they reach inboxes. It’s only by understanding subtle traits like sender behavior and natural language, and then blocking anything that appears abnormal, that we can truly ensure that West African threat actors can be thwarted so they are forced to turn their attention elsewhere.

Interested in how Abnormal can stop BEC for your organization? Schedule a demo today for a full overview.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More
B 05 17 22 Impersonation Attack
See how threat actors used a single mailbox compromise and spoofed domains to subtly impersonate individuals and businesses to coerce victims to pay fraudulent vendor invoices.
Read More
B 05 14 22 Best Workplace
We are over the moon to announce Abnormal has been named one of Inc. Magazine's Best Workplaces of 2022! Learn more about our commitment to our workforce.
Read More
B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More