Federal authorities have arrested hundreds of cybercriminals associated with an international group conducting cyber financial fraud. This group successfully targets and scams accounting services employees through complex schemes involving email, invoice fraud, e-commerce, payroll, and social engineering scams. 

In this blog, we deep dive into a case study on this cybercriminal organization including: 

  • Motivations and target victims
  • Unique attack vectors 
  • Recommendations for policy improvements and more

Why Business Email Compromise?

Business email compromise (BEC) is a recurring attack vector among cybercriminals given its sophistication and impact on organizations, similar to ransomware. In a BEC scam, bad actors often send emails impersonating a legitimate known source, requesting information that ultimately leads to the bad actor conducting fraudulent money transfers. Business email compromise attacks rely heavily on social engineering scams and phishing emails to trick unsuspecting employees. 

In 2020 alone, the FBI received just under 20,000 BEC complaints, making it the number one financial compromise globally, with losses totaling over $1.8 billion [1]. Where BEC differentiates itself is the heavy effect it can have on individuals and people outside of the target business. BEC attacks are important to look out for throughout the year, but especially during the holidays. One specific group of cybercriminals has been very successful, with its attack campaigns taking millions. Learn more about the group’s tactics below. 

Nigerian Cybercriminals Charged With Financial Crime 

In October 2021, eight Nigerian cybercriminals were charged with conspiring to engage in internet scams and money laundering from South Africa. These cybercriminals were linked to a larger organization that operates in various countries using BEC and social engineering scams to extort money from victims. 

The Cost

According to the U.S. Department of Justice, the compromise led to one business sending more than $2 million into the financial accounts of the threat actors, and one university unknowingly sending more than $4.5 million [2]. While these two high-profile compromises total over $6 million in losses, countless other individuals and organizations have also fallen victim to this cybercriminal group’s attacks. 

The Criminals — Black Axe

These eight cybercriminals were connected to a larger organization known as Black Axe, a highly organized and structured group that traces back to the 1970s. Black Axe is headquartered in Nigeria, where the group originally started, but operates subdivisions or “zones” in other countries. 

This group does not stop at simple ransomware and BEC compromises. CrowdStrike and international governments have characterized this group by extreme violence and rampant organized crime [3]. Motivated by financial payouts, both the individuals and the organization have no limits when it comes to achieving their goal. 

Hushpuppi

A cybercriminal based out of Dubai was arrested in July 2020 for laundering hundreds of millions of dollars through various cybercrime schemes. This bad actor was quick to post his luxurious lifestyle on social media, drawing attention to his activity and ultimately leading to his arrest. The cybercriminal was found after a co-conspirator’s phone contact labeled “Hush” linked to the individual’s various social media accounts, placing this individual in the cities and places of money laundering crimes.

Image taken from "Hushpuppi" (cybercriminal caught conducting social engineering scams) posing in front of luxury cars with a custom designer robe.

Image of Hushpuppi (cybercriminal involved in social engineering scams) taken from Instagram eating gourmet brunch at beautiful oceanside hotel.

Business Email Compromise and Social Engineering Scam Playbook

  • Step 1: Launch phishing attack. These cybercriminals deploy sophisticated phishing schemes and social engineering scams that go beyond suspicious emails and stolen passwords. Many are known to utilize illicit consent grant attacks.
  • Step 2: Keyword search. Threat actors will search items such as invoice, wire, 401(k), etc. Once they receive hits, they will download targets. If there are no suitable hits, they will find a new user through the organization. 
  • Step 3: Manipulate documents. Threat actors will typically update the bank account number and keep the rest of the document intact. 
  • Step 4: Spoof or reroute emails. Threat actors create a new, identical email chain using a fake domain and fake email addresses for employees, or reroute incoming mail to a new mailbox folder. 
  • Step 5: Launder funds and repeat cycle. 
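
For defenders, Steps 2 and 4 leave two signals that can be checked in mailbox telemetry: inbox rules that hide finance-related mail, and senders whose domain is a near-copy of a trusted one. The sketch below is an added example, not code from the original post; the event fields, user names and domains are constructed for illustration and do not follow any real product's log schema.

```python
# Added example: triage mailbox events for two signals from the playbook above.
# Event layout, users and domains are constructed assumptions, not a vendor schema.

# Keywords named in Step 2, plus "payroll" from the scams listed in the introduction.
FINANCE_TERMS = ("invoice", "wire", "401(k)", "payroll")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-copies of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender, trusted, max_dist=2):
    """Return the trusted domain the sender's domain imitates, or None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None  # exact match is the real domain, not an imitation
    return next((t for t in trusted if edit_distance(domain, t) <= max_dist), None)

def suspicious_rule(rule):
    """True for an inbox rule that moves, forwards or deletes finance-related mail."""
    hides = rule["action"] in ("move_to_folder", "forward", "delete")
    text = " ".join(rule["conditions"]).lower()
    return hides and any(term in text for term in FINANCE_TERMS)

def triage(events, trusted):
    """Return (user, reason) pairs for events worth an analyst's review."""
    findings = []
    for ev in events:
        if ev["type"] == "inbox_rule_created" and suspicious_rule(ev["rule"]):
            findings.append((ev["user"], "rule hides finance mail"))
        elif ev["type"] == "message_received":
            hit = lookalike_of(ev["sender"], trusted)
            if hit:
                findings.append((ev["user"], f"sender imitates {hit}"))
    return findings

TRUSTED = ("example.com", "supplier.example")  # constructed allow-list
SAMPLE_EVENTS = [  # constructed sample data
    {"type": "inbox_rule_created", "user": "alice",
     "rule": {"action": "move_to_folder", "conditions": ["subject contains Invoice"]}},
    {"type": "inbox_rule_created", "user": "carol",
     "rule": {"action": "move_to_folder", "conditions": ["from news@weather.test"]}},
    {"type": "message_received", "user": "bob", "sender": "ap@supp1ier.example"},
    {"type": "message_received", "user": "bob", "sender": "billing@supplier.example"},
]
```

A finding here is a prompt to verify the payment details through a known-good channel, not proof of compromise; the distance threshold will need tuning against an organization's real vendor list.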

How Organizations Can Respond To Social Engineering

It’s important to stay vigilant when protecting your organization against cyber threats. Implementing the best cybersecurity practices can help defend against potential threats. We recommend utilizing the following security practices: 

  • Password protection: Choose passwords that are eight characters long and contain a combination of uppercase and lowercase letters, numbers, punctuation marks, and other special characters. 
  • Multifactor authentication (MFA): Enable MFA when available and prioritize the use of an application like Google Authenticator over SMS text messages.  
  • Employee training: Train employees on how to spot phishing emails and social engineering scams and how to respond. 
  • Managed detection and response (MDR): Utilize an MDR service to monitor for threats 24/7, secure data and assets, and remain compliant. 

Interested in learning more about Black Axe, social engineering scams, and ways businesses can respond to potential threats? Check out this webinar: Financial Fraud Through Cybercrime – Commonly Targeting Accounting.

Sources: 

  1. Internet Crime Report 2020, FBI Internet Crime Complaint Center, March 2021. 
  2. Eight Nigerians Charged with Conspiring to Engage in Internet Scams and Money Laundering from Cape Town, South Africa, Department of Justice, U.S. Attorney’s Office District of New Jersey, October 2021. 
  3. Intelligence Report: CSIR – 18004, CrowdStrike, March 2018.