
Unveiling Deception: Business Email Compromise Crusaders Unite., a conversation with Ronnie Tokazowski , founder of the BEC Working Group

S1 E21 · Scam Rangers

In this eye-opening episode, we dive into the intricate world of Business Email Compromise (BEC), a sophisticated cybercrime that preys on individuals and organizations. Join us as we uncover the tactics employed by scammers, from romance scam victims turned accomplices to the dark realm of gift card fraud and cryptocurrency conversion. We explore the psychological manipulation that drives scammers and the emotional strain inflicted on victims. Discover how collaborative initiatives, such as the BEC Working Group, are working to combat these scams, and learn practical steps to empower organizations against this pervasive threat. Join the conversation and become informed about BEC scams to create a safer digital landscape for all.

Find Ronnie on LinkedIn: https://www.linkedin.com/in/ronnietokazowski/

This podcast is hosted by Ayelet Biger-Levin, who spent the last 15 years building technology to help financial institutions authenticate their customers and identify fraud. She believes that when it comes to scams, the story starts well before the transaction. She created this podcast to talk about the human side of scams, and to learn from people who have decided to dedicate their lives to speaking up on behalf of scam victims and who take action to solve this problem. Be sure to follow her on LinkedIn and reach out to learn about her additional activities in this space: https://www.linkedin.com/in/ayelet-biger-levin/  Also check out https://scamranger.ai if you have received a message that you suspect is a scam.

Transcript

Introduction to Business Email Compromise

00:00:01
Speaker
Welcome to Scam Rangers. Today we're going to focus on a class of scams called Business Email Compromise, or BEC.
00:00:09
Speaker
In a business email compromise, we see manipulation that happens in the enterprise. You're at work, sitting in front of your computer all day, on your phone, and cybercriminals know that the big bucks are in the enterprise. Is that type of scam different than the classic scams that we've talked about targeting consumers?
00:00:32
Speaker
or are the same traits and the same psychological elements used in business email compromise? We'll talk about all of that and much more on today's episode. Scam Rangers, a podcast about the human side of fraud and the people who are on a mission to protect us. I'm your host, Ayelet Biger-Levin, and I'm passionate about driving awareness and solving this problem.

Guest Introduction: Ronnie Tokazowski

00:01:04
Speaker
Today's scam ranger is an expert on business email compromise. Ronnie Tokazowski is a seasoned security professional who has been tracking, hunting, and disrupting scammers for over a decade. Known throughout the industry for his work fighting business email compromise scams, Ronnie has experience hunting advanced persistent threats and collaborating with law enforcement.
00:01:26
Speaker
Ronnie is an advocate for rethinking how we approach victims of cyber-enabled fraud. His work has been presented at several security conferences, including RSA Conference, SANS, FS-ISAC, and others. Welcome to the podcast, Ronnie. Hey, thanks for having me. Thanks for having me. Great.
00:01:44
Speaker
So you're an expert on many things. One of them is business email compromise, and you've been also posting a lot on social media and educating. You're really passionate about that, but you're also passionate about taking action. So we'll talk a lot about all of that today.

Understanding BEC Scams

00:02:00
Speaker
I wanted to start with diving into business email compromise. What is business email compromise? And what is happening in today's ecosystem? We mentioned many times that the FBI published the reports for 2022. And out of $10.3 billion lost to scams that year, $2.7 billion was lost to business email compromise.

Financial Impact of BEC Scams

00:02:24
Speaker
So maybe let's start with defining what business email compromise is.
00:02:28
Speaker
Yep, I'll go ahead and define it. And then from there, I'll kind of walk through painting the picture of where that $2.7 billion isn't necessarily a full-scope understanding of the problem. So to get it kicked off, when it comes to business email compromise, most people know this as that email that you receive at your organization that usually says something to the extent of, hey, I'm the CEO of the company. Are you in the office? I need you to go and do this wire transfer for me of $40,000.
00:02:58
Speaker
And then the people will usually respond back, be like, why yes, Mr. CEO of the company or Mrs. CEO of the company. I'm happy to do that. What do you need me to do? And unlike most phishing-based attacks where you have a piece of malware that is involved, the scammers are sitting in the inbox waiting for you to reply back. And it becomes a conversational-based attack where the scammers are trying to get information from you. They're trying to get you to do that wire transfer.
00:03:26
Speaker
And that's the big thing is there's elements of social engineering. There's elements of that manipulation. And because of that, there is no malware that ties back to that. So that's why it becomes very difficult to actually catch and detect this. The official number that we have from the IC3 and per the FBI is that all across the globe, we have lost $2.7 billion to business email compromise as a whole. The problem is that
00:03:55
Speaker
While many times we track BEC as its own individual thing, that doesn't capture the full scope of what's actually going on. For example, we know that the people behind a lot of these scams are called Yahoo boys, or scammers who live in Nigeria, and we can cover Nigeria.
00:04:12
Speaker
We do just know that not all Nigerians are scammers. But because of the ecosystem that runs a lot of this, there's a lot more scams that play into this. We have elements of romance scams, we have check fraud, we have money laundering, gift card scams, crypto scams that some of that
00:04:29
Speaker
are being done by the exact same people who are doing business email compromise. So when we say $2.7 billion, that's looking at it in a silo, knowing, okay, one vertical or just this one attack was BEC. And because of that, we know that that was the amount stolen. It doesn't tell that fuller picture that, hey, there were all these other scams that are related to it, and that's the biggest thing that most people need to realize, that there's a lot more that overlaps with that.

Exploiting Chaos in BEC Scams

00:04:55
Speaker
So let's dissect that a little bit more. So you talked about two types of, if I just focus on the business side, there's the, let's call it business takeover type attack, which could involve clicking on a link, opening a PDF, downloading malware,
00:05:12
Speaker
and then perhaps giving access, or even stolen credentials with phishing, or even vishing or smishing, where the criminal will manipulate the end user into doing something that will give them access and control over the email account.
00:05:29
Speaker
And so that's one. And the other one that you described is really driving the employee to do something, to transfer money, posing as the CEO and saying, I need you to make a wire transfer. And I think one of the big opportunities, quote unquote, for scammers was the SVB collapse, where many
00:05:49
Speaker
VCs and startups and other companies were communicating about transferring money, moving funds. So tell me a little bit about that and what you've seen happen in that as an example in that case, but in other cases as well where there were opportunities for scammers to drive those authorized frauds.

Techniques of BEC Scammers

00:06:08
Speaker
Yeah, so one of the biggest areas where they'll go and drive that authorized fraud is again, they'll very much try and open that conversation with the victim organization. We've seen cases where there might be an invoice that's being sent to an organization to say, hey, I need you to make
00:06:25
Speaker
this payment because your company owes me $38,000 for this monthly service. And I'm going to go and put new banking credentials inside of that document. That's one aspect that we'd see where we're now seeing a blending between the accounts that get compromised and
00:06:45
Speaker
them trying to go manipulate that chain of communication, if you will. Those are very difficult to catch because in many cases, we've actually seen it where they're using a trusted email thread that may have been going on for a week back and forth to say, hey, we need to go ahead and do this transfer. Let's go ahead and schedule that payment. Now that we scheduled a payment, where do you send that transfer to? And then once you have that, that's where the scammers come in and say, hey, here's the accounts that you need to send.
00:07:11
Speaker
So many of these communications are riding on known and trusted relationships, and because they're weaponizing that known and trusted relationship, that's where they're able to manipulate the human in that regard and be able to kind of take all that money, if you will.
00:07:26
Speaker
Yeah. And what about, how would you classify the gift card scams? Gift card scams are those that happen when someone receives a text message saying, this is so-and-so, which is a colleague's name. I'm in a customer meeting right now. I can't talk, but I need a favor. Can you help me? And that's the social engineering starts there. And then they ask them to, you know, to go get gift cards and read them the numbers, et cetera, et cetera. That's not email. Does it fall under a business email compromise in your mind?
00:07:55
Speaker
Well, so for me, the way I track it out, let me kind of do a quick history lesson on this, because like I said, I'm going to answer the question. We did a deep dive into a scam group that we called Scattered Canary. And this was back when I was at Agari. And what we found was, for a 10-year window, that's where we were able to link all of these different crimes, such as gift card scams, BEC, romance scams, together as being done by the same actors.
00:08:17
Speaker
So in that visibility that we found, the actor at the time was doing all of these different things. So personally, when it comes to tracking the ecosystem, when it comes to tracking those text messages, pretending to be the CEO, pretending to be somebody in authority asking you to go and do this favor for me of going to get gift cards, I totally track that as BEC.
00:08:37
Speaker
Again, some people will track it as something differently, but a lot of the reason I personally do is because the scammers who are doing the BEC attacks, in many cases, are the same ones who are doing these gift card scams. And because of the overlap of it, there are nuances where they're also using different elements of the same BEC attacks.
00:08:59
Speaker
We actually saw cases where they were using templates from the BEC campaigns and using those in the text messages campaigns. So again, they're very much willing to adapt to whatever they can just to make the money.
00:09:12
Speaker
Okay, so we define BEC a little bit, business email compromise. I like to broaden the name, maybe business compromise, as you said, it's beyond that.

Ronnie's Cybersecurity Journey

00:09:21
Speaker
So I want to go back and ask you to tell us a little bit about yourself, your background, how you got to this, what you focused on in the past, and how you got to focus on BEC.
00:09:34
Speaker
Oh, it's been an adventure, let me tell you. So my background, the handle most people know me as is iHeartMalware. Because when I started in the industry, I started tracking malware. So back in 2010, when I really kind of started, I was hunting advanced persistent threat attacks, which
00:09:51
Speaker
at the time was mostly Chinese state-sponsored hackers. They were dropping zero-day exploits on the organizations. I was reversing malware. I was doing network forensics trying to track where scammers were coming from. I then made a pivot over to the cybercrime side, where I did some elements on the Russian side at the time, some of the other European stuff, such as the Dyre families of malware.
00:10:15
Speaker
And around that time, that was where I had gotten exposed to this wonderful ecosystem called business email compromise, sort of in mid-2015. And the way I started tracking BEC was I was working with PhishMe at the time, which is now Cofense.
00:10:33
Speaker
And we had received one of those emails that said, hey, I need you to go ahead and do this wire transfer for me. And I was in the office at the time, and our CFO came into the office absolutely pissed off. He's like, I know this isn't the CEO. The CEO would never send this information to me. He's like, you guys need to go and figure out what's going on. So
00:10:52
Speaker
We went and we looked at the email and we were like, hey, there's an opportunity for us to respond back. This doesn't fit into the regular bucket of scams at the time, because again, we knew that there was malware. We knew most of the time there was going to be some phishing link that you click and it just didn't have any of those. So.
00:11:09
Speaker
We did that. We responded back to the scammers. We said, hey, here's what's going on. We're the CEO, or we're not the CEO, but this transfer, we can go ahead and do it. And we got information back from them. We got them to click links that we had sent them. So we knew where the scammers were coming from. We phished the phishers back. And when it came to doing a lot of that stuff, that's what kind of started me tracking business email compromise.
00:11:31
Speaker
From that point, again, this was mid-2015 to December 2015, we started seeing reports of these emails just coming up. And those of us in information security, we were like, we're seeing this conversational-based phishing attack. There's no information about this. And like, we don't know where these are coming from. Like we had speculations, but it didn't
00:11:50
Speaker
fit in what we knew at the time as being like a malicious phishing attack. Because again, most malicious phishing attacks are trying to install malware or something like that. So Christmas 2015, I had a call with an FBI agent up in New York and
00:12:05
Speaker
And again, we were all trying to track this, trying to figure out what was going on. So I said, hey, man, quick question for you. I'm like, let's go ahead and try and get some collaboration going together where we can start tracking these types of scams. I'm like, we're seeing a lot of this in the information security side. I know you guys are seeing this, and we're all scratching our heads trying to understand what's going on. I'm like, let's go ahead and try and get working together. And he's like, and at the time, he kind of helped me out. He's like, yeah, whatever. Call a couple of your friends, see if your hacker buddy wants to come and help the FBI.
00:12:33
Speaker
I sent a couple emails out, sent a network out, and about three days later, I call him back. I'm like, hey, man, is the FBI ready? He's like, what do you mean, are you ready? I said, I have 100 other security researchers who are on the line, ready to engage with the scammers, ready to start passing you guys information and intelligence on all of these things. I'm like, we're actively seeing this. They're hitting our customers. Our clients are pissed off, and they want answers. I'm like, is the FBI ready to do this? And his jaw dropped on the floor. And you could tell he was not expecting
00:13:02
Speaker
that much feedback when people want to come to help out. So he was able to get another 10 agents. And that was when the business email compromise mailing list was born. And what that was, was it was a mailing list where we could go and share and collaborate on information. We held it at the TLP:RED level, which essentially means just everybody who's here, don't talk about it. We just need to figure this out. And that's kind of what started the whole operation when it came to tracking business email compromise.
00:13:31
Speaker
So what we did was we knew different elements that were happening. We were able to track a bunch of different things. And because of a lot of that, like I said, we started getting a lot of visibility and pictures into how the scam worked. So that was kind of the element of what kind of started me tracking this wonderful dumpster fire of a hot mess known as BEC.

Psychological Manipulation in BEC

00:13:52
Speaker
So how does the scam work? Tell me what you discovered with this working group and through the research. What are some known tactics that they use? I know they use LinkedIn or ZoomInfo to find the connections between different employees and they attack either
00:14:10
Speaker
the CFO or new employees posing as IT or HR, what have you found in terms of tactics to approach employees of companies to get them to move money around?
00:14:25
Speaker
So we've found a lot of tactics and a lot of overlapping things, and we've actually ended up with more questions than answers, for better or worse. So like we've seen elements where we know that in most of the cases, when they're asking for a wire transfer, the scammers will provide a bank account. And in many of those cases, they'll provide a bank account, they'll provide a name and address of the beneficiary who's going to be receiving that.
00:14:48
Speaker
And what we found out through engaging with the scammers, more times than not, that actually ties back to a romance scam victim where they've been socially engineered and pulled into the scam to go and
00:15:02
Speaker
be an unwitting money mule as a part of this. So you now have an element of romance scam victims who are now becoming unwitting participants of this crime. We found, as we were mentioning earlier, we found elements of gift card fraud that scammers would go and sell those on underground markets and convert that over to Bitcoin and cryptocurrencies.
00:15:20
Speaker
We found elements where we have also seen scammers doing things like invoice scams, where again, they would modify the invoices and send new information like that. I've had discussions with folks that we have people who are considered like cultists, who are literally doing elements of like black magic and voodoo.
00:15:38
Speaker
in order to gain, quote unquote, special powers to become better scammers at this. And for some of those people who are listening, like it may seem like an absolutely foreign idea. But unfortunately, this has been a documented phenomenon for quite some time where scammers will go and pull on different universal strings, if you will, that will make them believe that they can go and become a better scammer, if you will. So like I said, we found a lot of elements that
00:16:05
Speaker
overlap with business email compromise. We had no idea what's going to be directly related to things. And recently I've seen videos and rap songs of scammers and documentaries, quote unquote, of how to be a scammer and things like that. So there's this whole culture of how popular it is to be a scammer and getting people or, you know, I don't know if less fortunate is the right term, but
00:16:32
Speaker
getting people to think it's cool and it's hard to get caught and you can get by. Um, so how, how do we deal with all this? So I think the first thing, like, especially when it comes to the rap videos, um, those straight piss me off because you're now having cases where you have people who have been in the scam and telling people, no, it's okay to go and do this. It's okay to go and take advantage of somebody. It's like, that's not the case. It's absolutely horrible. Like the emotional damages that tie back to a lot of these scams.
00:17:01
Speaker
As to how you actually get to have a lot of these, a lot of what it comes down to is just education, where you need to educate people, hey, there are better opportunities out there where you can go and make websites, you can become a software developer, you can go and create a service, get creative and do stuff, because people will go and do these scams thinking it's the easy route out. But at the end of the day, like I said, it creates so much more damage further up the chain, where you just need not to do that.
00:17:29
Speaker
I know people, some people might agree or disagree with me on this, but a lot of what also plays into this is when it comes to Nigeria, you also have a lot of poverty that's out there too. So it's a combination where people want to go and have those opportunities where they want to try and get as much quick money as they can. And for them, they see that as, oh, you can go be a scammer, get all this money.

Socioeconomic Factors in Scamming Culture

00:17:51
Speaker
You can go and pay the cops off. The cops don't care.
00:17:54
Speaker
when it comes to international law enforcement, like international law enforcement can arrest you. And when we look at the arrest records and how many scammers actually get arrested, they're kind of right. It's something where we know that a lot of times all you have to do is pay law enforcement off, give them a couple hundred bucks, and they're off to the races. And for context, an average monthly salary in Nigeria is between $100 and $200. So when you have a case of $100 to $200 per month,
00:18:21
Speaker
or a $40,000 random wire that you can get, like it now becomes a level of greed. It's like, okay, which path are you going to take? And that's the decision many people are stuck with, is what way do you go in that term? So how are
00:18:37
Speaker
organizations today, the enterprises, right? We're talking about business email compromise, and many times the money that's sent on these wire transfers in these scams is corporate money, right? So what are enterprises doing to mitigate these scams? We know that there are phishing simulations done and cybersecurity training
00:18:58
Speaker
all around awareness. What else? What controls are there?

Challenges in BEC Prevention

00:19:03
Speaker
Tell me about email security gateways and how those types of vendors are part of the solution. And we can talk about effectiveness in a second. But what is out there to protect organizations?
00:19:15
Speaker
So I would say one of the most effective ways for an organization is actually processes. Understand your processes for wiring money, have an established and trusted way to report something that looks suspicious, and actually follow that. Because so many times we see breakdowns in processes that are actually the result of these wire transfers.
00:19:37
Speaker
Um, like I said, I've got my thoughts on email gateways and we can cover that here in a second. But the way I would like to word it is, because so many of these attacks don't have malware, because they don't have malicious phishing emails, a lot of people are trying to scramble to understand the fuller-scope aspect of this, and those traditional methods of detecting a phishing attack are not as successful as, uh, the vendors would want you to believe.
00:20:04
Speaker
So email security gateways are today mostly focused on detecting malware, detecting malicious URLs, less identifying the psychological manipulation that's happening. And it's really tricky because there could be cases where the CEO really needs an urgent wire transfer. And it's not just the CEO, it could be a supplier who changes their
00:20:29
Speaker
account or information and that's the email. So it's not necessarily from an internal actor. It could be an external actor that the organization commonly works with and the procurement team is now needing to rethink and carefully check each and every procurement change. So that's very, very tricky as well when it's an external email that looks legitimate
00:20:54
Speaker
How do you think we could protect against these type of psychological manipulations that are happening? So in regards to that psychological manipulation, first and foremost, know that it's happening. Like we all discuss and kind of talk about, oh, this phishing attack happens. That phishing attack happens. But like having that honest conversation with your employees, raising awareness and educating them that, no, here's how this stuff works.

Mitigating Psychological Manipulation

00:21:18
Speaker
And when it comes to that psychological manipulation, like I said, that's something where they truly don't understand that.
00:21:24
Speaker
Another way to think of it too is, for many of your employees, they have so many other things going on in their lives where they're concerned about their spouses, they're concerned about their loved ones. I'm worried about getting to the office, or I'm worried about getting fired. Those are concerns that those people have. So you need to put the training and education into formats that
00:21:42
Speaker
they understand. So many times security has this iron fist of a gavel, like, oh no, you can't do this, I'm gonna fire you if you do this, everything. And like, when somebody is scared to act, that perpetuates through the rest of the organization, and because of that fear, like, that's not a way to
00:22:01
Speaker
teach somebody, because the lessons don't really sink in. It's a matter of, again, having all of this conversation person to person, be like, look, here's the way these scams work. Here's how this stuff happens. Here's what to look out for. And if you see something, seriously, speak up. Even if you doubt it, if you don't think it's going to be the case, it's still okay to speak up and say, hey, we think this might have been a thing, because by speaking up about it, you may have saved the company $40,000 from an email that somebody else may have missed.
00:22:30
Speaker
And that's one of the things is you really kind of have to embrace that human and understand that again, there's a lot more at play here on the psychological manipulation than most people realize. So again, have that honest conversation with your employees and treat them as humans. Absolutely. And when we're talking about business email compromise, you said 40,000, but this can go up to millions of dollars in one transaction.

Importance of Quick Reporting in BEC

00:22:53
Speaker
And that's a normal amount that some organizations transact with on a daily basis.
00:22:59
Speaker
And if we cover liability, financial institutions today are not necessarily liable to reimburse companies for these types of transactions. So as you said, the earlier people report, the quicker the bank and authorities can act to try and recover the funds. And so it's really, really important to act quickly and to create that atmosphere
00:23:27
Speaker
where we understand these things happen and we need to act quickly and not fear, for sure. And the other thing with that too is when it comes to a lot of the banks and the financials, and again, with a lot of the work that I've done, I've worked with a lot of them behind the scenes, that for many of them and for many of these cases, because of the manipulation that goes hand in hand here, some of the people will call up the bank and be like, I have to make this transfer, I have to do this, I have to do that.
00:23:52
Speaker
And the banks will know that it's actually part of a scam. And they can say, hey, we believe this is part of a scam. No, no, it's not a scam. It's not a scam. The CEO actually messaged me this. So the banks will have to willingly do that because it's the customer's money.
00:24:08
Speaker
And there's been cases where they'll come back after the fact, be like, oh no, this actually wasn't the case. But again, the money's gone at that point, because again, they know the scam happened. The customers were so worked up that they couldn't really realize or listen or reason that, hey, this actually wasn't the CEO. So that is another thing that we do see in a lot of cases from the FIs, is that again, that transaction, they'll be like, hey, no, I have to send this because this actually is a thing, but it actually turns out not to be the case.
00:24:35
Speaker
So what do banks do in that case today? In terms of dealing with, we know there's business email compromise.

Bank Challenges in BEC Prevention

00:24:42
Speaker
We know when someone is calling us under stress, we have to double check. And although they're telling us yes, but we still have the red flags, is there anything that you can do?
00:24:52
Speaker
So it depends on the circumstance. And again, I'm not speaking on behalf of the banks here, it's a bank by bank cases. But at the end of the day, if it's something where if the customer says to send the money even after like being warned about it, it's the customer's money. And if that customer is someone who's bringing in 10, $15 million,
00:25:13
Speaker
into the bank, like you want your customer to be happy. So it's a matter of being like, okay, I need to keep that customer happy and not risk this. But again, it's also something where it's like, you know, it's a scam when you're sending it. So again, that is something that many banks do kind of struggle with.
00:25:28
Speaker
specific to those cases where they're willingly sending the money. I don't know if they flag that internally, if they go and say, hey, this actually was scam money. If the customer comes back, don't refund it. Like, I don't know what that looks like. I've never had that discussion with them. But like I said, I do know that there are many cases where they're like, no, we know this is part of a scam. You're telling us to send this. You did authorize this and we can't refund it, type of thing. That does happen.
00:25:52
Speaker
We do know that there's other cases where a lot of the financials will go and actually be able to flag that early beforehand. And the customer is going to be like, thank you, I didn't realize it was part of that. And there are times where there's notifications from that perspective. But like I said, it's a very, very complex thing where it's almost like you have to treat these on a case by case basis, user by user, company by company, because again,
00:26:16
Speaker
Each one is slightly different. It's hard to make a blanket policy for everybody because, again, there is always going to be that little nuanced thing specific to this case.
00:26:26
Speaker
And one point of commonality or potential collaboration is the beneficiary account. You mentioned mules. So these beneficiary accounts are likely to be used more than once. And once they're flagged with business email compromise or any type of scam, really, that's a good signal that if someone else is trying to transfer money to the same malicious account, that that's not a good transaction.
00:26:50
Speaker
I know that I, in the past as a vendor, helping financial institutions try to instill this account sharing capability many years ago. It was a challenge from a technical challenge, I would say. Is there any conversation about that happening today?
00:27:07
Speaker
So I know when it comes to sharing account information from bank to bank, a lot of those relationships are built and a lot of those relationships do exist. So again, just through some of the efforts that we've done on the BEC list, there are things that banks do do to kind of share information back and forth, but that's more of an analyst-to-analyst perspective. When it comes to the wider sharing of things, I know that FinCEN, which is a part of the United States government that's responsible for
00:27:37
Speaker
anti-money laundering, a lot of terrorist funding, they do track some of that information. And my understanding is some of those things do get shared through there. And again, they will go and make suspicious activity reports or SARs that can help flag suspicious funds as they come through, but they're one institution that does that. Another institution is FS-ISAC, which is the Financial Services Information Showing and Collaboration Group. If I got that acronym right,
00:28:05
Speaker
But it's essentially a bunch of banks and financials that will go and share threat intelligence about groups and entities that are targeting their customers, their clients, their framework and their infrastructure to go and say, hey, we saw this scammer over here, you're a financial institution, you're more likely to see this scammer and this tactic over here. So because of that information sharing those tactics, you get shared across the way.
00:28:31
Speaker
Um, some bank accounts, again, do get shared specific to like the romance scam victims and the money mules. Um, but again, it's where we need to ramp that stuff up because the scale that we're seeing right now is like, yeah, we need to ramp it up because there's a lot more scams going on than we realize. Yeah. And one of the things that we also.

Emotional Impact on BEC Victims

00:28:49
Speaker
I really focus here on the human side of fraud. What happens to an employee that transferred money and was a victim of business email compromise? Obviously, there's financial impact on the company. How does that employee feel? What have you seen in talking to companies about the victims of these scams? First and foremost, your employees feel horrible because
00:29:17
Speaker
At the end of the day, us as humans, we don't want to feel like we were tricked. We don't want to feel like somebody got won over on us, because again, there's a level of shame that plays into that. So first and foremost, your employee feels bad about it. They feel guilty. They feel horrible about that.
00:29:32
Speaker
I had one instance that I actually got to work directly with and I feel so bad for the kid even still. What happened was the CEO sent him a text message and said, hey, are you in the office? I need you to go buy me some gift cards. And this person was like a year out of college, fresh to the field. This was his first job. And it was about two, and it was like a week or two into his job where the CEO messages him that.
00:30:01
Speaker
And he was like, yeah, I can go ahead and go do that. Just let me know what I need. Again, thinking that it's his first job, he wants to go in and impress the boss. So he's going to go ahead and do that. Long story short, the scammers after that first gift card request continued keeping contact with him and continued messaging him back and forth. This went on for over six months of this relationship.
00:30:28
Speaker
What ended up happening was he ended up sending cryptocurrencies over to the scammers. He ended up sending information through like pay power requests. He ended up sending multiple gift cards and in total it was about $30,000 in fraud that the guy was on the hook for. It was his personal account because again, he was fresh out and every time
00:30:50
Speaker
every time the scammer would converse back and forth with him, the victim was told, hey, I'm going to go ahead and just put the money in your paycheck. You don't have to worry about it. I'll get you next week. And next week never came. So in total, it was about $30,000 that the kid had sent. The most unfortunate thing was I got to see some of those messages back and forth between the victim.
00:31:12
Speaker
And the relationship was so strained for the victim that he was eating ramen noodles and couldn't afford to eat normal food. And it was something where the relationship with the employee in the office was strained. And the employee would always glare at the CEO, thinking that he was just sticking up his money and not giving him the way back. The victim was just really awkward with people in the office. And once we approached him and be like, hey, here's what's actually going on,
00:31:42
Speaker
Like I had to explain to him that the reality that was in his head for this person that he thought he was in a relationship with was completely different than this other person. And I know we'll be talking about the mind-body connection another time, but for the emotions that went along with that and for those feelings, you have a lot of difficult feelings of anger and animosity, frustration.
00:32:04
Speaker
that that person wasn't able to essentially vocalize because the scammer was like, hey, I'm going to isolate you. This is a secret conversation. Don't tell anybody in the office about it because we're doing this thing here. Um, and that level of isolation is something we see with a lot of people where they will pull you off to the side. So where you won't want to come public or you won't want to talk about that because of the shame and negativity associated with the stigmas of being a victim in that regard.
00:32:34
Speaker
I also heard a story, same concept. It was a law firm and the head of the office sent a message to a new employee, also fresh out of college, asked him to buy gift cards. Of course, it wasn't the head of the office, it was a scammer. So the person went and got gift cards, came back to the office and told the guy, I got the gift cards that you asked for for our company meeting. And he said, what are you talking about? And he realized that he was scammed.
00:32:59
Speaker
the company reimbursed him for the funds because it wasn't, it was a couple of thousand or something like that. They reimbursed him, but the person felt so ashamed that they quit. So there was a huge, you know, they didn't suffer the financial loss. The company took the hit, but the shame that they felt from what happened was so they couldn't get over it that they quit their job. Yep. And I, uh,
00:33:26
Speaker
Yeah, and working with a lot of victims, I can totally see that because you think people are going to be judging you. You think people are going to be second guessing you. You feel like you can't go and look somebody in the eye because of a lot of those things because like, Oh, I did this horrible thing over here. I could have caused this amount of damage to the organization. Like I said, these are all things that go through the victim's heads.
00:33:48
Speaker
When this stuff happens, um, and again, the victims need to realize that, Hey, it's, you're not alone in that. We all make mistakes and we feel horrible. Our guts will be turned upside down and inside out and 30 ways to Sunday twisted, but it's okay to come forward because.
00:34:05
Speaker
The way that the scammers are manipulating people, we don't fully understand all of the manipulation that goes into it. Case in point, I had another victim I was working with. This was a pig butchering victim, and she ended up losing $450,000. And when I started helping her initially, the first thing that she said was it actually felt like her consciousness was hijacked.
00:34:29
Speaker
So when you have that level of manipulation where your consciousness will actually render your feelings in one way or another, like I said, it just becomes this emotional fight inside your body. Like, no, I need to send this money, but I know this is fake, but this person really loves me or maybe they don't love me and they're fake, but now I have to accept that reality. So like I said, it just becomes this constant ping ponging back and forth.
00:34:52
Speaker
Right. We need to remember that we're talking about well orchestrated, organized criminals, organized crime that is very good at what they're doing, unfortunately for us and for the victims. And there is no shame here. It can really happen to anyone.

Organized Crime and BEC Scams

00:35:10
Speaker
There is a documentary on a group that's called Black Axe. They're a Nigerian confraternity. So imagine like a college fraternity in the United States mixed with like black magic and voodoo. BBC did a really, really great documentary kind of talking on who Black Axe is, what they do. And they go to the extent of like opening shell companies. They run prostitution rings in Italy. We've seen elements of human trafficking between Nigeria and Ghana. We've seen, we know that they will actually embed politicians into the Nigerian government and other governments around the world.
00:35:40
Speaker
And for how organized they are, they have areas all across the globe where they will have people acting and operating. And they're so popular, they're so large that there's actually legislation in Canada that actually labels this group as a terrorist organization in Canada.
00:35:58
Speaker
So yeah, when it comes to that organization type thing, like we've seen them actually sending cars, shipping cars from the United States over to other parts of the world just to make money. Like we know a lot of the fraud schemes that play into there, but yeah, they're very much, they're extremely large. And yet people need to realize that it's not just some person out in Nigeria who's doing this. It's sophisticated and organized cyber crime groups who
00:36:24
Speaker
will do anything they can to make a dollar, including murdering somebody to make that dollar. So I want you to tell me a little bit more about the BEC working group.

BEC Working Group and Future Efforts

00:36:34
Speaker
I know you started by that story from 2015 with connecting with the FBI and driving that collaboration, bringing 100 researchers. Where are you today? What are your goals with this group? And how can people join?
00:36:50
Speaker
Yeah, so as it stands right now, where we stand right now, we're over 600 people. And what we're doing is because of a lot of the stuff that we've done over the years, we need to actually operationalize that a little bit more. So we're actually looking to convert that over to a nonprofit.
00:37:07
Speaker
just so where we can kind of start taking funding in order to keep doing this stuff, where we can kind of start growing those things, and we're still in the process of doing that. But what that nonprofit's going to be called is it's going to be Intelligence for Good, because we want to take that information, we want to get it to the right people, and we want to keep stopping the scammers as they can. So if people want to track the stuff of us, like I said, developing that nonprofit, that's the direction we're going with that now. We've held multiple conferences in regards to stopping different types of scams. We've worked with different social media providers,
00:37:36
Speaker
we've worked with retail organizations on a lot of these things. So it's like, we've done a lot of good and because of a lot of that, we don't wanna stop doing that. So we're gonna keep on expanding and keep working with the victims and keep working with the banks and everybody behind the scenes, just so we can kind of get ahead of a lot of this fraud. Again, at the end of the day, we know $2.7 billion has been lost to BEC, but like if I was able to go and actually track how much that we know that ties back to,
00:38:03
Speaker
different small business applications where the scammers pivoted from BEC over

Underreporting of BEC Losses

00:38:08
Speaker
to there. If we track the romance scams, if we track the PPP loans, like we're easily over $500 billion that we can confidently point to. It's like, no, these are related scams because they're being done by the same groups of people. So like that $2.7 billion is so underrepresented of what is actually happening. It's ridiculous.
00:38:30
Speaker
And also remember that this $2.7 billion represents reported fraud to the FBI. And we know that many people are ashamed and don't report these funds. And so it's not necessarily, as you said, it's probably in the billions, if not more than that, hundreds of billions.
00:38:48
Speaker
And very much in that regard, yeah, it's the shame that makes people not want to come forward on this. And there's also the mindset where even if people do come forward, they're like, nothing's going to be done. And I'm going to keep my thoughts to myself on that, but just know that there's a lot of moving things going on right now where we need more stuff done. We need more things to actually be done to actually help
00:39:11
Speaker
the overall problem because again, the couple hundred thousand victims that we have that we know of, like that number is so underrepresented. It's absolutely ridiculous. And you said that you did work with several types of companies like social media, other agencies. Can you share a little bit about that?
00:39:28
Speaker
Yeah, so in regards to, I don't want to specifically call out the specific examples, but we've had some relationships with larger social media providers. And there was a couple cases with one of the organizations where they were going and sharing different types of profiles that we identified.
00:39:45
Speaker
We have worked with some of those social media companies behind the scenes in order to get ahead of a lot of these scams. And in time, I think it was like over 3 million fake profiles that we had shared that were either identified because of, hey, here's this picture that was being used, or here's this other piece going over here where we actually got this information from the victim. And for me, the victims that we're working with, like
00:40:10
Speaker
They are so worked up and so depressed and so sad about this that they come to us absolutely pissed because they're like, I was taken advantage of. I am angry. I am vengeful. I want to go and actually set a bomb off at this place because I'm so angry at these scammers. It's rightfully so. They were taken advantage of.
00:40:28
Speaker
But in working behind the scenes with many of the social media providers, the problem was that we lost a lot of those relationships due to internal politics or whatever it was. And it's something where, like, I know a lot of those providers are fighting a lot of bigger crime, a lot bigger fraud, and I totally understand that.
00:40:44
Speaker
But they've also got to understand that from our perspective, we have somebody who's ready to go and blow their brains out in this suicidal, that's screaming at us, you need to help me, you need to go and do more. And unless they want to step up and go tell those people that they're not going to do more actions, like, I'm not going to be that person to go and say, hey, I can't help you. I'm going to do everything I can that's in my power to go and help them out because it's like my heart goes out to them. And like I said, just the emotional pain and trauma that
00:41:11
Speaker
they go through as a result of this. It's like, you can't not do anything with it. Um, and like I said, I know it's, I don't want to get too political on there, but like I said, it's, we need to do more for the victims because there's just so much hurt right now that people don't understand how much pain actually goes into being a victim on here. Um, and it's only once you start working with the victim's record, it's like, okay, I understand now let's go and set a fire. Yeah. So what are you hopeful about?
00:41:40
Speaker
Yeah, so I'm really hopeful to see where this goes with a nonprofit. Like I said, we've done a lot of good. We want to keep doing that. We've impacted a lot of funds and we've gotten a lot of understanding of how these scams work and through the groups, through some of the people that we know who are working these different types of crime. There are a lot of people who are working directly with victims. They're literally saving lives.
00:42:00
Speaker
because when you have somebody who is so worked up in that regard, like I said, you're literally saving a life at that point. As you know, just as well as I do, scams are at an all time high right now. They're the highest we have ever seen. And the security companies all across the globe are letting people go. And it's the absolute worst time to do that because here in a couple months from now, and you can quote me on this, let me see, what is today? Today is,
00:42:26
Speaker
August 7th that we're recording this. So within the next couple months, because everybody's letting stuff go, you're gonna see a huge rise in scams come next year. And like I said, we can go and watch this recording again come that point. But like I said, there is gonna be so many more scams that are gonna be happening, so much more losses because of that. Again, people are not working in this. People are not doing as much more as they need to. And we need as many fighters to go and start working with the victims and to start getting ahead of a lot of these scams as we can.
00:42:54
Speaker
There's so many stigmas. It's like, oh, this is a simple crime. No one really cares about that. But it's like, no, people do care about it. We need to start rethinking how we think about these things. Yeah. And I think, kudos to you, regardless of where you work, you're very focused on this and creating change. So thank you so much. It was great to have you on the podcast. Thank you for your time today, and we'll have you on again soon. Sounds good. Thanks for having me. Thank you.
00:43:25
Speaker
I hope you enjoyed this episode. For more information about online scams, Scam Rangers, and recent news on this topic, follow me on LinkedIn. You can also get more news about this podcast on Scam Rangers on LinkedIn.