Cybercrime Booms As Scammers Hack Human Nature To Steal Billions

The secret to comedy, according to the old joke, is timing. The same is true of cybercrime.

Mark learned this the hard way in 2017. He runs a real estate company in Seattle and asked us not to include his last name because of the possible repercussions for his business.

“The idea that someone was effectively able to dupe you … is embarrassing,” he says. “We’re still kind of scratching our head over how it happened.”

It started when someone hacked into his email conversation with a business partner. But the hackers didn’t take over the email accounts. Instead, they lurked, monitoring the conversation and waiting for an opportunity.

When Mark and his partner mentioned a $50,000 disbursement owed to the partner, the scammers made their move.

“They were able to insert their own wiring instructions,” he says. Pretending to be Mark’s partner, they asked him to send the money to a bank account they controlled.

“The cadence and the timing and the email was so normal that it wasn’t suspicious at all. It was just like we were continuing to have a conversation, but I just wasn’t having it with the person I thought I was,” Mark says.

He didn’t realize what had happened until his partner said he’d never gotten the money. “Oh, it was just a cold sweat,” he says.

By the time they alerted the bank, the $50,000 was long gone, transferred overseas.

It turned out Mark was on the vanguard of a growing wave of something called “business email compromise,” or BEC. It’s a category of scam that uses phony emails to trick employees at companies to wire money to the wrong accounts. The FBI’s Internet Crime Complaint Center says reported BEC amounted to more than $1.2 billion in 2018, nearly triple the figure in 2016.

“The thing to keep in mind about these statistics is this is just what we’re aware of,” says James Abbott, a supervisory special agent with the FBI. “This is just the victims that are reporting to the FBI.”

Some big losses have made the news in recent months, such as the $37 million BEC scam suffered by a Toyota subsidiary and the $11 million lost by a U.K. office of Caterpillar. But cybersecurity consultants say other losses have been kept quiet, even some worth millions of dollars. Companies want to avoid bad publicity, but this secrecy helps the scammers by keeping the threat under the radar. The next potential victims are less likely to expect such a sophisticated attack.