Business email compromised (BEC) attacks targeting American companies are exploding, with an increase of over 476% in incidents between Q4 2017 and Q4 2018. Up as well is email fraud with companies experiencing an increase of over 226%.

These highly targeted attacks use social engineering to identify specific company employees, usually in the finance department and then convince these employees to wire large sums of money to third-party banking accounts owned by the attackers.

While many older versions of phishing utilized malicious URLs or attachments to perpetrate their crimes, BEC criminals are much savvier, spoofing the actual company domains they’re targeting, creating convincingly realistic emails that employees believe are legitimate.

In addition, these fraudsters utilize a dynamite-fishing approach, sending vast numbers of these fake emails out under multiple spoofed identities to increasingly larger numbers of targets within the same organization. The idea is that eventually, someone will unwittingly fall for the scheme, rewarding the scammers with a huge financial windfall that has added up to almost $1.1 billion through July of this year alone.

These numbers align with the ones reported by the Federal Bureau of Investigation (FBI) in July 2018. The FBI report stated that BEC scams have continued to grow and evolve and are targeting businesses of all sizes, from large to small, and now includes personal transactions as well. They also reported that between December 2016 and May 2018, there was a 136% increase in identified global exposed losses and that the scams have been reported in all 50 states and in 150 countries.

Critics of the recent GDPR privacy rule enactment point to this sharp rise in cyber crime as a direct result of an unintended interpretation of the regulation that allows criminals to effectively mask their identities online. As discussed before in this blog, registrars, faced with the potential of massive fines for GDPR violations, have resorted to overly cautious approaches when it comes to revealing any private information on their registrants. In many cases, registrars are refusing to share any information with anyone, including organizations and brand holders with legitimate public safety concerns. This approach to privacy has led to the unintended consequence of making it easier for individuals and/or entities with less than honorable intentions to effectively disappear online.

Faced with the ability to create malicious domains and operate online with anonymity, criminals are registering websites and email addresses created specifically to spoof legitimate businesses and employees. As a result, cybercrime has grown into a $600 billion a year business, and is expected to continue to grow until these issues are resolved.

While the ability to track down these individuals has been hampered, the authorities are doing what they can to curtail these digital criminals.

Federal prosecutors in California recently arrested 14 people and charged 66 more with fraud in a conspiracy they say was tied to Nigeria and intended to defraud millions of dollars out of victims. Details on the charges emerged on Thursday following the unsealing of an indictment including allegations of even more BEC attacks.

Officials report that the case is part of an ongoing effort to protect American citizens and businesses from fraudulent online schemes.

United States Attorney Nick Hanna released a statement concerning the indictment: “Today, we have taken a major step to disrupt criminal networks that use BEC schemes, romance scams and other frauds to fleece victims. This indictment sends a message that we will identify perpetrators—no matter where they reside—and we will cut off the flow of ill-gotten gains.”

These arrests and charges are just a small drop in a much larger bucket of cybercriminal issues, a bucket that will continue to grow until the unintended loophole of anonymity is effectively closed and cybercriminals are no longer allowed to operate with impunity.