Calgary Herald

THE PERILS OF CORPORATE EMAIL

How one company’s security provider unravelled a fraud operation over several months

- WILLIAM TURTON

NEW YORK The discovery of an alleged international ring of fraudsters started with a one-line email. In April 2019, a company accountant received an email that appeared to be from the chief executive officer.

“Joanna, Can you mail out a check to to a Vendor today? Barbara,” the email said.

The email had some hallmarks of a scam that is becoming increasingly common. But it also had a few unique attributes that intrigued cybersecurity experts at the company’s email security provider, Agari Data Inc. Using a fake email account posing as the company accountant, Agari sent back a reply.

“Hi Barbara, Yes, of course. Please send me the details for the payment and I will take care of it ASAP. Joanna,” the reply said.

Over the next several months, Agari said it was able to unravel what’s known as a business email compromise operation. Agari dubbed the group sending the emails Exaggerated Lion, and said its members were based in Nigeria, Ghana and Kenya. Between April and August 2019, Exaggerated Lion targeted more than 3,000 people at nearly 2,100 companies, all of them in the U.S., according to an Agari report published Thursday.

Similar email attacks are a growing problem in the U.S., according to the latest Federal Bureau of Investigation report, but one that doesn’t get the headlines of state-sponsored hacks or ransomware attacks. Global losses from business email compromises increased 100 per cent from May 2018 to July 2019, according to the FBI, which recorded 166,349 incidents from June 2016 to July 2019 and US$26.2 billion in losses during that period.

In one of its simplest forms, a business email compromise operator will send an email posing as the chief executive to an accounts payable department with an urgent request to transfer funds or fulfil a fake invoice. In another example, payroll representatives will receive an email appearing to be from an employee requesting to update their direct deposit information — often to a prepaid card account. Companies often realize something is amiss only when it’s too late to recover the transferred funds.

“We think of business email compromise as any attack which claims to be someone you know and trust and is attempting some kind of theft,” said Patrick Peterson, Agari’s founder and chief executive officer, in an online video. “This has been far too successful.”

Leveraging its position as an email security provider, Agari can sometimes see email scams that target its customers as they happen. In some cases, the company intervenes to communicate with the fraudster, posing as a clueless employee in order to draw out more details. That’s what happened with Exaggerated Lion, when the operation sent the email to the company, which Agari declined to name, last April.

In the months that followed, Agari said it engaged with Exaggerated Lion more than 200 times, and discovered the identity of 28 “mules” used to ferry payments between victims and the group itself. Mules are primarily recruited by Exaggerated Lion under the pretense of romance and likely unaware they are participating in a criminal enterprise, the company said. “These romance-victims-turned-money-mules are told they are helping their romantic partner recover a large inheritance that is tied up with lawyers and is being distributed slowly over time,” according to Agari.

In one exchange with a mule included in Agari’s report, a member of Exaggerated Lion wrote, “Okay honey please put the cash in big envelope and seal it before taking to Fedex.”

The unnamed mule responded, “Honey, that’s a lot of money to send cash that’s a heck of a liability it could be lost anywhere.”

Exaggerated Lion’s representative then wrote, “It can’t honey. As long as you insure it. And I’ve received more than that through cash mailing when my dad was still alive.”

Agari declined to say how it obtained the digital conversations.

As the fake relationship progresses, mules are asked to launder increasingly larger sums of money, according to Agari. Once an unsuspecting business parts with its cash, through a paper cheque or wire transfer, Exaggerated Lion’s mules have a variety of ways to get the money back to them. Once a physical cheque is cashed, the money can be delivered to Exaggerated Lion via traditional money transfer, Bitcoin, or gift cards, according to Agari.

Agari said it turned its information on the mules over to financial partners and law enforcement.

Exaggerated Lion began operating in 2014 by running cheque scams on Craigslist and has since become more sophisticated, according to the report. One scam the group allegedly operated for years involved recruiting people to wrap their car with marketing decals for a beverage company in exchange for a fixed amount of money every week.

Participants, who responded to an online ad or email, would be sent a fake cheque, which included the first month’s pay and money for a specialist to place advertisements on the car. Respondents were then instructed to keep the first month’s pay and wire the money to the “specialist,” who was really a money mule or a member of Exaggerated Lion, according to Agari.

What makes Exaggerated Lion unique in the world of business email compromise is its preference for physical cheques, a payment method the group had “experience and comfort with,” according to Agari. Paper cheques may be helpful in evading systems designed to detect fraudulent wire transfers. Exaggerated Lion requests these cheques to be sent as fast as possible, through an overnight mail service, according to exchanges contained in the Agari report. But when a victim is hesitant about sending a cheque, Exaggerated Lion is quick to suggest a bank account to wire money to, according to the report.

Exaggerated Lion also used fake invoices, created using a free invoice generator, and W-9s, publicly available on the Internal Revenue Service website, “to inject a sense of authenticity in their attacks,” according to Agari. The group also used Google’s enterprise email service to send more emails, the security company said. “Google doesn’t start charging for G Suite until after the first month,” Agari said in its report. “This means Exaggerated Lion can create a new G Suite account, add compromised credit card information as a payment method, and effectively have at least a 30-day free trial on each domain they set up.”

If the credit card doesn’t work, the group “can simply move on to another account,” Agari wrote. With a Google Enterprise account, Exaggerated Lion can send 2,000 emails a day, four times more than a regular Gmail account. Google declined to comment.

Among the mules identified by Agari was 63-year-old Reuben Alvarez Sr., of Beaumont, Texas, who was arrested in October 2019 and accused of laundering more than US$100,000, nearly US$70,000 of which came from the United Methodist Church, according to a probable cause affidavit from the Jefferson County Sheriff’s Office. The rest came from small-to-medium-sized businesses, such as an insurance company in Ohio and golf courses in Alabama, who were all victims of a business email compromise scam, according to the affidavit. Agari said its researchers discovered 14 messages where Exaggerated Lion directed its targets to send money to Alvarez’s bank accounts.

Alvarez’s case is pending and he hasn’t yet entered a plea, according to the district attorney’s office. Neither Alvarez nor his attorney could be located for comment.

In an interview with a detective, Alvarez said the money he received came from a woman he believed to be named “Peggy Smith,” who lived in Washington State. Alvarez said he knew Smith from chatting online for three or four years but had never met her in person. Alvarez told the detective that he assumed the money came as part of Smith’s inheritance payments after her parents died. But Alvarez said he knew his activities constituted a crime, according to the affidavit. When the detective drove Alvarez home, he handed over a package he had received the day before: It contained a US$25,647 cheque from a Tennessee health-care company.

KRISZTIAN BOCSI/BLOOMBERG FILES Email attacks are a growing problem in the U.S. Agari, an email security provider, found that firms often realize something is amiss when it’s too late.
