Email scams—often riddled with typos and written by non-native English speakers in Africa—were once crude attempts to steal money from inexperienced computer users. No more.
Federal investigators say these scams have become sophisticated frauds that are costing American businesses and individuals billions of dollars a year.
Estimated losses have soared in the past five years from scams known as business-email compromises, in which swindlers con victims into directing money into accounts controlled by criminals. In 2019, the Federal Bureau of Investigation received 23,775 complaints of business-email and email-account compromises, up from 20,373 the prior year, according to data the bureau published earlier this month.
Annual estimated losses increased as well, to more than $1.7 billion in 2019 from $1.2 billion in 2018, according to the data.
“Now the actors involved are a lot more sophisticated, and share intelligence and organized networks,” said Michael Driscoll, special agent in charge of the cyber-and-counterintelligence division of the FBI’s New York office. He said business-email compromises are of particular interest to the office because New York is a financial hub.
Business-email scams first appeared on the bureau’s radar about a decade ago, officials said. Back then the scams tended to be relatively simple, designed to imitate an email from a chief executive asking an employee to transfer money.
Over the years, the scams shifted. Perpetrators targeted personal email addresses in 2014, pretended to be lawyers in 2015, then moved on to requests for tax information and targeting real-estate transactions, officials said.
One new iteration, federal officials said, involves fake requests to divert payroll funds. In this scam, someone in a business’s payroll or human-resources department receives an email purporting to be from an employee. The email asks to update direct-deposit information for that pay period, which then goes into an account controlled by a swindler.
The scams also have shifted from using “spoofed” emails, often sent from an address similar to one within the company, to the actual hacking of accounts, said Edward McAndrew, a partner at law firm DLA Piper who represents companies that have been victims of the schemes. Once an email account is hacked, the scammers have access to contacts, calendars and detailed email correspondence of company accounts.
“The email gets hacked and the bad guys can step into the email threads,” said Mr. McAndrew, also a former federal cybercrime prosecutor. “This is no longer a situation where some person who wasn’t paying close attention got duped.”
Many of the schemes are operated by groups in Lagos, Nigeria, some of whom work out of office parks, said Stephen Fullington, a supervisory special agent with the New York FBI who leads a team that works on business-email compromise cases. The groups have bosses who run the schemes, and use a network of people that have learned various fraud techniques, he said.
Mr. Fullington recalled interviewing a Nigerian involved in an email scam. “He said, ‘You know how you guys play baseball when you are growing up? Here many of us learn fraud,’” Mr. Fullington said.
Many companies that fall victim to such scams never report them, often because they are embarrassed, officials said. But some cases do result in federal charges.
In one case in New York, an indictment was unsealed in May of last year charging four men for their roles in business-email compromise schemes that targeted victims including a nongovernmental organization in New York City. Prosecutors said the scheme defrauded victims of million of dollars over about two years. As part of the scheme, the men obtained fraudulent documents with fake names, registered shell companies and opened bank accounts with these shell companies and fake identifies, the indictment says.
One of the men, pretending to be an employee, tricked the organization into sending a payment to what he said was a valid vendor of the organization, which had done work related to South Sudan, court documents show.
Three of the men have pleaded not guilty to the charges, including Joshua Ikejimba, who was arrested in Houston. Todd Spodek, a lawyer for Mr. Ikejimba, said his client was an unwitting victim to the richer, more powerful men who ran the scheme. Typically, bosses ask for simple favors, then slowly groom the younger co-conspirators to take a larger role, he said.
his is like organized crime, and they are really just finding flunkies in these cases,” Mr. Spodek said.
Lawyers for two of the other men didn’t respond to requests for comment. The fourth man remains at large.
The case was part of an enforcement effort announced by the Justice Department last September, when officials said that over a four-month period, federal law enforcement arrested 281 people allegedly involved in business-email compromise schemes, including 167 in Nigeria and 74 in the U.S.
Mr. Driscoll, of the FBI, said he hoped that it would become more difficult for swindlers to profit as people became increasingly aware of such scams. The perpetrators would move on to other crimes, he predicted.
Mr. McAndrew, the former prosecutor, suggested one low-tech solution: “If your vendor changed their bank account for the first time in 15 years,” he said, “it’s worth a phone call.”