FBI disrupts BEC cybercrime gangs targeting victims worldwide

A coordinated operation conducted by the FBI and its international law enforcement partners has resulted in disrupting business email compromise (BEC) schemes in several countries.

The operation, called “Eagle Sweep”, lasted for three months, starting in September 2021, and resulted in the arrest of 65 suspects in the United States, Nigeria, South Africa, Cambodia, and Canada.

BEC actors are high-level scammers who trick employees of real companies into making payments to bank accounts under their control, pretending to be a business partner or a firm submitting a legitimate payment order.

Often, these threat actors monitor the communications of their targets, having compromised their corporate network, to identify weak, exploitable points in the financial transactions process.

They typically hit at precisely the right moment by hijacking email threads or using spoofed accounts to request the diversion of an actual invoice payment to a new bank account.

According to the FBI’s Internet Crime Complaint Center (IC3) 2021 crime report, the financial damage attributed to BEC scams in the year that passed reached $2.4 billion, only for the reported incidents.

Highlight arrests

The FBI announcement states the scammers they apprehended are considered responsible for targeting over 500 firms in the United States, causing financial losses of at least $51,000,000.

Among the arrested individuals, those who stand out are:

• Oluwasegun Baiyewu, 36, of Houston, Texas, and Leo Omorogieva Eghaghe, 39, of Lagos, Nigeria, who victimized a Puerto Rican renewable energy supplier and laundered (together with other groups) about $4,500,000.
• Ashley Crespo, 27; David Alvarado, 21; Wendy Elizabeth Ramos Lopez, 29; Dayana Zaila Ramos, 32; Alvaro Umanzor, 23; Luis Lopez, 39; Jerome Crawford, 25; and Jamal Moore, 25, all of Houston, Texas. The group has laundered (together with others) $4,500,000 over two years and $900,000 in just one BEC scam instance.
• Bright Osaghni, 41, and Osatohanmwen Oriakhi, 41, both of Toronto, Canada, who attempted to divert over $16,000,000 from hundreds of victims in the United States and Canada.

In parallel with Operation Eagle Sweep, the law enforcement agencies in Australia, Japan, and Nigeria conducted local operations targeting BEC actors.

How to spot BEC scams

The foolproof way to avoid sending money to a BEC scammer is always to call your business partner when you receive a request to send payments to a new bank account via email.

For this confirmation, use the phone number you have previously confirmed to be genuine and not any numbers that may be provided in the suspicious email.

Additionally, activate multi-factor authentication on your email account and use a strong and unique password to protect it from takeover.

Organizations should also ensure that their domain can’t be easily spoofed by registering potentially risky typo-squatting domains themselves.