An Insider View into Business Email Compromise

What happens when a fraudster seizes control of your email account? What does a cybercrime syndicate look like behind the scenes?

In our “To Catch a Fraudster” webinar series, Tom Cronkright, Executive Chairman at CertifID, spoke with Jordyn Kramer, a Senior E-Crimes Investigator at Yahoo, about the explosive growth of the $50B global business email compromise (BEC) scam. 

Yahoo, the largest messaging platform in the world with the most popular email platform, serves nearly 1 billion daily active users. This makes it a top target for fraudsters and a battleground for Yahoo’s E-Crimes team. As global experts in the field, the E-Crimes team sees firsthand the impact of BEC on a business or individual at a massive scale.

Jordyn peeled back the layers of business email compromise and revealed the sophistication behind every attack. Here are the eye-opening takeaways from the webinar.

1. Fighting fraud is a team effort.

(Listen to this at 9:10.)

Business email compromise is one-third of Yahoo’s E-Crime team’s cases. Their team must actively “hunt” for signs of fraud within their platform to keep up with fraudsters. They use a three-step process to eliminate fraud.

• Disruption: This first step is to identify active accounts abusing the platform. They look for signs like suspicious IP addresses accessing the account or complex auto-forwarding rules that are atypical to the original user’s account.
• Deterrence: Remember “Whack-a-mole?” After Yahoo’s team has identified the perpetrators, they begin deactivating all associated accounts from the platform used by the BEC actor. This includes following the trail of connected accounts (e.g. if every account is tied to the same offshore email account) and deleting suspected fraudulent accounts.
  

It’s rarely just one fraudster stalking your account. In one example, Jordyn showed how complex a network of fraudsters can be behind a BEC attack.

• Directed action: Once accounts have been deactivated, Yahoo’s team writes investigative reports and forwards them to law enforcement. By compiling attribution, known losses, and locations, they can help law enforcement pull back the veil on the large criminal organizations orchestrating the chaos.
  
  ICYMI: Years ago, Tom played a critical role in dismantling Black Axe, a Nigerian crime syndicate. Read that story.

2. Fraudsters use simple entry methods to gain access but complex tactics to hide their tracks.‍

(Listen to this at 24:28.)

When was the last time you changed your email password? 

Jordyn explains that many criminals gain access to accounts by buying old passwords leaked in data breaches from the dark web. Criminals also use phishing to trick an account owner into giving up their password.

Once a criminal gains access, they sit in the shadows of your inbox and gather critical information about the transaction. Additionally, they’ll often set up auto-forwarding rules to ensure they see every email in and out of your account. They combine this tactic with rules that delete the forwarded email from your “sent” folder and expertly hide their efforts.

3. No one is immune to fraud.

Title agencies, law firms, realtors, and other real estate industry professionals are prime targets for business email compromise. Real estate transactions take a long time to complete (up to 45 days on average), and include large transfers of money and many different parties; this makes them a feasting ground for fraudsters. Fraudsters use this time to learn the inner workings of the transaction, discover the names of those involved, and begin their clever social engineering attacks.

Listen in as Jordyn shares how one compromised email account resulted in a loss of $350,000 and revealed an extensive network of fraudulent accounts.

4. Look for signs of fraudulent activity.

(Listen to this at 46:12.)

Despite their best efforts to conceal their activity, fraudsters leave behind digital “tells” in your inbox. This includes auto-forwarding rules (as mentioned above) and password reset requests. If you see any of the following signs, take action immediately.

• You’re not receiving emails.
• You’re sending spam to your contacts.
• You see unexpected log-ins from your recent activities page.
• Your password or account info was changed.
  

(Via Yahoo.)

Don’t become their next victim.

Most importantly, Jordyn recommends setting up multi-factor authentication (MFA) on every account — not just your email account — to keep fraudsters out. This adds another layer of security to your account. So even if your password gets leaked, they won’t be able to gain access and begin their malicious acts.

This webinar originally premiered on September 13, 2023. Click here to watch a replay.

Want to know how to keep fraudsters at bay and protect your business? Attend our monthly “To Catch a Fraudster” webinar series.