Operation WireWire – ACH Fraud Takedown
“Operation WireWire—which also included the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Inspection Service—involved a six-month sweep that culminated in over two weeks of intensified law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius, and Poland. The operation also resulted in the seizure of nearly $2.4 million and the disruption and recovery of approximately $14 million in fraudulent wire transfers.” (DOJ.gov)
Business Email Compromise (BEC) is one of the scams aimed at companies that conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives and high-level employees related to finance or involved with wire transfer payments are either spoofed or compromised, through keyloggers or phishing attacks, to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses. (Trend Micro).
I’ve seen recent comments in the media about how this DOJ crackdown wouldn’t put a big dent in or even make much of an impact on BEC, given the breadth of fraud associated with this outfit. I’d imagine the analysts in these quotes are looking at aggregate totals from the mile-high perspective and not the close-up, full scale of the damage to small businesses in our country. Companies have gone out of business, and schools have been attacked by these perpetrators. Personally, I don’t agree with or support the position that it’s just another routine arrest and it should be glazed over like it was picking off a few credit card skimmers.
The economies of scale with traditional Credit Card Fraud vs. Business E-mail Compromise cannot be directly compared, given who they impact and the average losses. This issue has never been about mitigating an impact on consumers as the criminals have always been focused on attacking small to medium-sized businesses. Typically, it’s the commercial accounts that are vulnerable to this kind of wire transfer fraud, unlike consumer credit cards that have built-in fraud protection that uses randomly generated numbers and a Visa or MasterCard logo. In these cases, the wires are facilitated directly from the account number being compromised.
Criminals obviously have a lot more to gain from raiding the digital coffers of businesses that handle millions in revenue, given that the average consumer credit card limit hovers around a measly $8,000. The average per-incident loss for a successful BEC scam is around $130,000; in comparison, robbing a bank will rake in about $3,800. The losses for traditional credit card fraud reported per incidence are much lower. Take a look at “23 Frightening Credit Card Fraud Statistics,” and you’ll see that in 2014, the median loss was $300 and the average reported loss was $1,343. If you’d ask someone who was ‘crushed’ by these low numbers to compare them to high-volume fraud numbers, you’d see how it wouldn’t make a dent. The reality, however, is that many BEC scams can net over a million dollars from a single source, something that seems unfathomable to people who are still living in the world of old-fashioned credit card fraud. This isn’t like the time somebody bought a $100 pair of sneakers using my debit card.
Not sure if this is a problem yet? Just ask Google and Facebook, who were both perpetrated almost entirely by a single individual in Lithuania. There are Nigerian men who stole almost 4 million dollars in a short time. If you really want to know, ask Leoni AG, a company that lost 44 million dollars in a single scam just a few years back. Are these extreme examples of BEC? No, many of these scams exceed a million dollars in losses in just a single incident. The collateral damage from ripping off employees’ social security numbers could take a long time to remediate. I don’t need to know the exact figures to make the connection that attackers with minimal sophistication are pulling it off for piles of cash. BEC scammers were operating mostly with impunity before this crackdown effort by the DOJ. If not, how could the losses possibly add up to 3 billion dollars? DOJ has been able to lock up a few here and there, but nothing like the 71 people from the Google/Facebook sweep.
Any law enforcement action would be welcomed, as long as it protects companies from scams and sends this clear message to the criminals abroad: If your activity trends upwards, so will our efforts to capture you. Not to mention that the hands of justice are now orienting themselves on how to efficiently take down these networks, thereby opening the door for streamlined enforcement for this type of crime.
The DOJ is doing a good job, and I don’t see it as a “dog and pony show” to expose these scammers in front of the world. It’s about justice and showing people in other countries that the internet may seem like a free plane ticket to communicate overseas, but you can still get arrested where that connection lands, just like you could in an airport. You’ve got to get started sometime, and today works well for tomorrow’s potential victims.
I think people who work on the ground in Cyber Security know that this day is long overdue, and it’s to be celebrated, not shrugged off as a waste of time. I’d never call it a waste of time – who in my industry would?
So let’s not turn the war on BEC into the war on Credit Card Fraud. Great work out there, folks!