Feb 2020 – Week 2

News and Reports

FBI’s 2019 Internet Crime Report

Some important takeaways include:

  • FBI’s IC3 received 23,775 complaints in 2019 regarding BEC, recording more than $1.7 billion in losses to individual and business victims.
  • Most common attacks:
    • phishing
    • non-payment/non-delivery scams
    • extortion
  • Some of the targeted sectors:
    • Real estate
    • Legal
    • Personal accounts
  • Attack types commonly seen:
    • Payroll funds
    • Vendor fraud
    • Gift cards/Executive spoofing
    • Requests for W-2s

Taking from the report directly, guidance for anyone experiencing a BEC is as follows:

  • Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity.
  • File a detailed complaint with http://www.ic3.gov. It is vital the complaint contain all required data in provided fields, including banking information.

Proactively, it is suggested to:

  • Visit http://www.ic3.gov for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations (real estate, pre-paid cards, W-2, etc.).
  • Never make any payment changes without verifying with the intended recipient; verify email addresses are accurate when checking mail on a cell phone or other mobile device.

Also, this incredibly eye-opening graphic of the last 5 years (all internet crime included):

Agari’s Email Fraud & Identity Deception Trends Report

“Consistent with recent trends, it finds that the success of today’s most pernicious email scams is growing less dependent on technical prowess, and more on social engineering techniques that leverage human emotions like anxiety or curiosity.”

  • 62% of BEC scams last quarter involved gift cards, the most common being:
    • Google Play store
    • eBay
    • Target
    • Walmart
    • Best Buy
  • Threat groups in Eastern Europe may become a larger issue in the upcoming months as attacks from Czech-based webmail platforms have been on the rise.


New this week are the following resources and recommendations.

Microsoft Office 365:


  • KnowBe4 posted about the FBI’s report in their Phishing Blog (great historical information).

Romance Scams:

Thanks for looking over my first week’s post! I began this on the later side of the week but want to have each of these published on Friday. If you have anything that you think would make a great addition to this week please email me at the address provided.

Feb 2020 – Week 3/4

Apologies for the combined weeks! The blog may not have been updated but there is a new part of the site that focuses on Romance Scams and the home page has a nice facelift!

Let’s jump into it.


  • Some of the biggest news in the last few weeks came from Barbara Corcoran of Shark Tank. After losing $388,xxx in a business email compromise, money was stopped and returned to her.

New Attacks and Methodologies

  • Cofense reported that attackers have been using a scheme to harvest passwords by advising that users “Update their Office 365” using a Google Docs Form.
  • Tax season is underway in the US and we all know what that means:
    • Per SCMagazine, if you receive a W2 attached in an email “The attached W2 file could be a genuine form that the attacker is hoping you’ll fill out and return, because it would give them information that may be used for further frauds and scams. Alternatively, the W2 may be a malware payload that’s triggered when you try to open the attachment.”
    • SpamTitan reported that activity has been seen in the form of both W2 and W9 malicious documents.
    • Proofpoint cautions to not only look for malicious documents but also “legitimate tax-focused websites that are compromised to deliver malware”.
  • Samuel West wrote a LinkedIn article about how scammers and attackers are using fears about the Coronavirus to manipulate victims.


  • Crane Hassold of Agari discussed Exaggerated Lion, a BEC group that favors physical checks and compromising G-Suite. Particularly, their research into how this group interacts with “Tier 1” romance scam victims was interesting:
    “The group’s history of check fraud and romance scams has resulted in a vast network of check mules across the United States. Over the course of our research into Exaggerated Lion, we have uncovered the identities and locations of 28 check mules, including seven “Tier 1” mules who are long-standing romance scam victims that are trusted with large sums of money and who interact more extensively with the main Exaggerated Lion actors.”
    The full report can be downloaded from Agari.
  • Interpol’s “ASEAN Cyberthreat Assessment 2020” report details not only phishing and BEC but also ransomware, cryptojacking, and other threats (report downloadable at the bottom of the page).


  • Patrick Peterson, Founder and CEO of Agari, and Teresa Walsh, Head of Financial Services Information Sharing and Analysis Center Inc. (FS-ISAC), presented at RSA on “Disrupting BEC Attacks Utilizing Kill Chain”.
  • I found this a little late, but the Black Hat presentation by Keith Turpin of Universal Weather and Aviation, titled “Phishing for Funds: Understanding Business Email Compromise”, was posted on YouTube last month.
  • The Ping Podcast focused on spear-phishing and Office 365 in an interview with Matt Brennan of SonicWall. This was a good introductory conversation on BECs but had a little sales pitch in there.

Upcoming Webinars

  • I did not find any upcoming in the immediate week but did discover that Agari has a historical record of their webinars on various threat groups posted online.
  • DarkReading has a related Webinar on “Preventing Credential Theft & Account Takeovers” coming up on March 10.

Please feel free to drop a comment below with any upcoming webinars, additions to this, or questions!

About This Space

Hello everyone! My name is Ang and I work as a Digital Forensics and Incident Response (DFIR) Team Lead. My team specializes in investigations and research into Business Email Compromise.

We identified after some time that there were great resources in the community for wider DFIR needs but that the intel regarding BECs was somewhat spread out. This website will be maintained to provide support to victims, education to researchers, and current news. As with all things, we expect this to evolve over time and warmly welcome feedback and contributions.

That being said, I’ll keep this introductory post short and get to the important stuff. If you would like to reach me for any reason please contact me in one of the ways below: