Anatomy of a Business Email Compromise Scheme

July 10, 2018

Last month, federal officials announced a recent effort to disrupt business email compromise (BEC) schemes designed to intercept and hijack wire transfers from businesses and individuals.

Operation Keyboard Warrior resulted in the arrest of eight individuals for their roles in a widespread, Africa-based cyber conspiracy that allegedly defrauded U.S. companies and citizens of approximately $15 million since at least 2012.

Here’s a look at how the BEC was carried out:

According to the indictment returned by the U.S. District Court for the Western District, the criminals allegedly gained access to a Memphis-based real estate company’s email server in June and July 2016 through phishing scams. This is one of the dangers of using public email domains such as Gmail.

Two weeks ago, Crye-Leike confirmed it was the targeted company but denied its servers were hacked “in any sale where buyers or sellers lost any funds.” Crye-Leike’s servers are maintained in Memphis and the firm has 115 offices with more than 3,000 licensed sales associates over a nine-state area.

Steve Brown, president of residential sales for Crye-Leike, told the Daily News in Memphis that the real estate company contacted the FBI when agents and customers noticed suspicious emails.

“This resulted in Crye-Leike assisting the FBI with its investigation into criminal cyberattacks targeting the real estate industry in the United States. We are very pleased that the FBI was able to identify suspects and take actions resulting in the recent news release relaying their success.”

Brown went on to say that “Crye-Leike immediately took all the necessary steps to block attacks and Crye-Leike has not discovered nor been made aware of any smuggling or theft of data from its servers”.

The indictment said the criminals used sophisticated anonymization techniques—including the use of spoofed email addresses and Virtual Private Networks—to identify large financial transactions, initiate fraudulent email correspondence with relevant business parties, change wiring instructions and then redirect closing funds through a network of U.S.-based money mules to final destinations in Africa.

Prosecutors in the case allege the compromise began with an email message that appeared to be legitimate. According to the indictment, “The bogus email usually contains either an attachment or a link to a malicious website. Clicking on either will release a virus, worm, spyware or other program applications, also known as malware, that subsequently infects the employee’s email account and/or computer.”

After that, the malware can spread through a company’s computer network and harvest sensitive information. Using spoofed emails, those behind a BEC can send what seem to be legitimate emails that include altered wiring instructions that direct money to a fraudulent account.

In addition to BEC, the Africa-based defendants are also charged with using various romance scams, fraudulent-check scams, gold-buying scams, advance-fee scams and credit card scams. The indictment alleges that the proceeds of these criminal activities were shipped and/or transferred from the United States to locations in Ghana, Nigeria and South Africa through a complex network of individuals who had been recruited through the various Internet scams. The defendants are also charged with concealing their conduct by, among other means, stealing or fraudulently obtaining personal identification information and using that information to create fake online profiles and personas.

Contact ALTA at 202-296-3671 or