This is the web version of Data Sheet, Fortune’s daily newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.
In June, Obinwanne Okeke, a Nigerian “entrepreneur” who appeared on the cover of the African edition of Forbes in 2016, pleaded guilty to charges of fraud.
Turned out Okeke’s company, Invictus Group, named after Nelson Mandela’s favorite poem, was a front. Between 2015 and 2019, the founder’s crew orchestrated a series of hacks and scams, including one campaign that swindled Unatrac Holding, a sales office of Caterpillar, the construction giant, out of $11 million.
Okeke was in the game of business email compromise. Step one—steal an executive’s email password through phishing. Step two—hijack the person’s email account. Step three—impersonate the victim and fool colleagues into processing fake invoices; a.k.a., profit.
Business email compromise is a big problem. The Federal Bureau of Investigation—yep, the same one that nabbed Okeke—received nearly 24,000 complaints from businesses that reported losing $1.7 billion to the scam last year. That’s half the total $3.5 billion lost to all Internet crime last year, as recorded by the FBI. (No doubt these are lowball figures, given they tally only what has been voluntarily reported.)
The pandemic may be worsening the situation. Payment and invoice fraud attacks increased 112% in the second quarter of the year, during the coronavirus’s wildfire spread, compared with the first quarter, according to a new report from Abnormal Security, a San Francisco-based email security startup that gave me an exclusive first look at the data.
That’s not all. Business email compromise attacks specifically increased 11% over the same period. While that uptick may seem small, it’s actually “significant and somewhat alarming,” the report’s authors point out. Since these attacks are typically highly targeted—involving research and tailor-made inducements, unlike automated, “spray-and-pray”-style spam campaigns—any increase means hackers are deliberately working overtime.
What’s all this got to do with COVID-19? Scammers are exploiting remote workers’ increased reliance on digital tools, says Evan Reiser, an ex-Twitter product manager who now heads Abnormal. Tellingly, the most impersonated brand in fraudulent emails last quarter was Zoom, the darling teleconferencing app of the pandemic, now a workplace staple. (American Express held the No. 1 spot prior.)
Previously, Zoom didn’t even crack the top 10 list.
***
Business email compromise, or some form of it, has gone on as long as the world has been wired up. As one Data Sheet reader— Jonathan Coopersmith, a history professor at Texas A&M University—recently pointed out to me, the tactic predates the Internet. Apparently, before Nigeria’s “Yahoo boys,” there was faxing fraud.
With permission from the author, here’s an excerpt from Coopersmith’s 2016 book, Faxed: The Rise and Fall of the Fax Machine.
Just as a fax proved more effective than a letter in convincing people to pay their bills and respond to surveys, so too did it benefit criminals and fraudsters. The best known example was the “classic Nigerian ‘fax scam,’ a form of fraud so ubiquitous and so successful that legitimate trade with African countries has begun to suffer.” A fax informed the lucky recipient he had a share of millions of dollars trapped in a Nigerian bank account – but a little money and personal bank account information were needed first. Another scam, migrating from telex, was sending an invoice to a firm for its listing in a non-existent fax directory. The assumption, often correct, was that the bookkeeping department would not check but simply pay because the amount was under $1000.
Okeke was no innovator.
Robert Hackett
Twitter: @rhhackett
This edition of Data Sheet was curated by Aaron Pressman.
THREATS
Elon Mu-u-usk, how I've been missing you, you're the tech boss of my dreams. We can't do a new song parody every week, but if we did, today we would be spoofing Monty Python's brilliant "Henry Kissinger" song about Mr. Tesla, Elon Musk, who just vaulted past French billionaire Bernard Arnault to rank as the world's fourth-richest person. It's Musk's other company, SpaceX, that is having a busy news week. The company just lofted 58 more satellites for its Internet-from-space play, Starlink. SpaceX also disclosed in a filing that its latest round of private fundraising has brought in almost $2 billion.
We don't need no stinkin' bitcoins. As if COVID-19 wasn't bad enough for the travel industry, hackers continue to target the sector as well. Cruise operator Carnival was hit by a ransomware attack that also involved "unauthorized access to personal data of guests and employees," the company said in a filing on Monday. For a more detailed story of just how these ransomware attacks go down, Bloomberg has the tale of the million-dollar payout to regain access to critical data at the epidemiology and biostatistics department of the University of California at San Francisco.
Working for the clampdown. There may have been a human cost to the spying activities of Saudi Arabia at Twitter. Two former Twitter employees have been charged in the scheme and now prosecutors say stolen information was used to target, harass, and arrest government critics. Relating to more recent Twitter security troubles, an investigation by Wired uncovered a boom in the use of the technique known as "voice spear phishing" that hackers used to steal Twitter accounts last month.
I'll get right on that. The latest patch for Microsoft's Windows closed 120 security holes. One of them, with the memorable designation of CVE-2020-1464, related to getting around digital signatures used for validating programs and files. The only problem, according to security researcher Bernardo Quintero who discovered the exploit? It took Microsoft almost two years to make the fix, even as known malware programs exploited the weakness. The company declined to explain the delay.
I'll stop the world and melt with you. The clock is ticking on a deal for Chinese Internet company ByteDance to sell its TikTok app to an American company. Apparently, President Trump has a dog in the fight. Oracle co-founder Larry Ellison is a Trump backer who hosted a fundraiser for the president this year. Asked about Oracle's bid on Tuesday, Trump responded: "Oracle is a great company and I think its owner is a tremendous guy," adding, "I think that Oracle would be certainly somebody that could handle it."
Now you have to be careful who's listening when you unlock your door.
ACCESS GRANTED
The intelligence agencies of the world are ingenious gadget makers, even if James Bond's Q is a fictional creation. Former Apple engineer David Shayer this week shared the fascinating story of the day in 2005 when he first met two mysterious government men who needed an iPod customized for an unusual task.
They had added special hardware to the iPod, which generated data they wanted to record secretly. They were careful to make sure I never saw the hardware, and I never did.
We discussed the best way to hide the data they recorded. As a disk engineer, I suggested they make another partition on the disk to store their data. That way, even if someone plugged the modified iPod into a Mac or PC, iTunes would treat it as a normal iPod, and it would look like a normal iPod in the Mac Finder or Windows Explorer. They liked that, and a hidden partition it was.
FORTUNE RECON
Walmart’s e-commerce sales nearly double as shoppers go beyond groceries in online orders By Phil Wahba
Downtrodden GM stock gets a boost from electric-vehicle spinoff speculation By Aaron Pressman
Facebook and NYU researchers discover a way to speed up MRI scans By Jeremy Kahn
The year’s hottest e-commerce stock is up more than 1,500%. Its founder cashed out before the rally By Bernhard Warner
Exclusive: Ex–Glossier employees describe a company that failed to support Black workers—even as it donated $1 million to racial justice causes By Emma Hinchliffe
Why a year later, the Business Roundtable’s updated statement of purpose is more relevant than ever By Richard C. Shadyac Jr
What to do if you lost money on an event canceled because of COVID-19 By Rachel King
(Some of these stories require a subscription to access.Thank you for supporting our journalism.)
ONE MORE THING
Silicon Valley has a long tradition of unusual job titles, like Jerry Yang's "chief yahoo" and Parisa Tabriz's "security princess" at Google. But Bud Light Seltzer posted for a job opening with a unique title that could become a bit more popular: chief meme officer. Soon, they'll be testing us with "person, woman, man, camera, TV, chief meme officer," I guess.
Aaron Pressman
