Accounts deceivable: Email scam costliest type of cybercrime

A shopping spree in Beverly Hills, a luxury vacation in Mexico, a bank account that jumped from $299.77 to $1.4 million overnight.

From the outside, it looked like Moe and Kateryna Abourched had won the lottery.

But this big payday didn’t come from lucky numbers. Rather, a public school district in Michigan was tricked into wiring its monthly health insurance payment to the bank account of a California nail salon the Abourcheds owned, according to a search warrant application filed by a Secret Service agent in federal court.

The district – and taxpayers – fell victim to an online scam called Business Email Compromise, or BEC for short, police say. The couple deny any wrongdoing and have not been charged with any crimes.

BEC scams are a type of crime where criminals hack into email accounts, pretend to be someone they’re not and fool victims into sending money where it doesn’t belong. These crimes get far less attention than the massive ransomware attacks that have triggered a powerful government response, but BEC scams have been by far the costliest type of cybercrime in the U.S. for years, according to the FBI – siphoning untold billions from the economy as authorities struggle to keep up.

The huge payoffs and low risks associated with BEC scams have attracted criminals worldwide. Some flaunt their ill-gotten riches on social media, posing in pictures next to Ferraris, Bentleys and stacks of cash.

“The scammers are extremely well organized and law enforcement is not,” said Sherry Williams, a director of a San Francisco nonprofit recently hit by a BEC scam.

Losses in the U.S. to BEC scams in 2021 were nearly $2.4 billion, according to a new report by the FBI. That’s a 33% increase from 2020 and more than a tenfold increase from just seven years ago.

And experts say many victims never come forward and the FBI’s numbers only show a small fraction of how much money is stolen.

“It’s one of the most lucrative things out there,” said Shalabh Mohan, chief product officer at Area 1 Security.

In the nail salon case involving Grand Rapids, police say $2.8 million was stolen. Banks were able to recall about half that amount once the scam was discovered, court records show.

A Secret Service agent said in an affidavit as part of a search warrant application that someone hacked into the email account of one of the school district’s human resource employees and sent emails that persuaded a colleague in the finance department to change the bank account where the health insurance payments were sent.

The emails were brief and unfailingly polite. “Please kindly update” the records, one of them said – words the real HR employee would later tell police she never uses, according to the affidavit.

Police tracked the money to the salon’s bank account owned by the Abourcheds, the affidavit says. After the theft was detected, Moe Abourched contacted a Grand Rapids police detective and said he’d been fooled by a European woman named “Dora” into accepting the funds and forwarding them to other accounts, according to the affidavit.

The Secret Service agent said Abourched’s claims were false and he’d used a similar ruse with police after he received money from a BEC scam targeting a Florida storage company.

Police put the couple under surveillance and in October searched their apartment, offices and BMW, court records show. Police said earlier this year they needed more time to examine the data in the couple’s phones and computers.

The Abourcheds’ lawyer, Kevin Gres, said his clients have done nothing wrong and no charges should be filed.

“My clients were unwitting victims in this scheme,” he said.

BEC scammers use a variety of techniques to hack into legitimate business email accounts and trick employees into sending wire payments or making purchases they shouldn’t. Targeted phishing emails are a common type of attack, but experts say the scammers have been quick to adopt new technologies, like “deep fake” audio generated by artificial intelligence, to pretend to be executives at a company and fool subordinates into sending money.

In the case of Williams, the San Francisco nonprofit director, thieves hacked the email account of the organization’s bookkeeper, then inserted themselves into a long email thread, sent messages asking to change the wire payment instructions for a grant recipient, and made off with $650,000.