The secret to comedy, according to the old joke, is timing. The same is true of cybercrime.
Mark learned this the hard way in 2017. He runs a real estate company in Seattle and asked us not to include his last name because of the possible repercussions for his business.
"The idea that someone was effectively able to dupe you ... is embarrassing," he says. "We're still kind of scratching our head over how it happened."
It started when someone hacked into his email conversation with a business partner. But the hackers didn't take over the email accounts. Instead, they lurked, monitoring the conversation and waiting for an opportunity.
When Mark and his partner mentioned a $50,000 disbursement owed to the partner, the scammers made their move.
"They were able to insert their own wiring instructions," he says. Pretending to be Mark's partner, they asked him to send the money to a bank account they controlled.
"The cadence and the timing and the email was so normal that it wasn't suspicious at all. It was just like we were continuing to have a conversation, but I just wasn't having it with the person I thought I was," Mark says.
He didn't realize what had happened until his partner said he'd never gotten the money. "Oh, it was just a cold sweat," he says.
By the time they alerted the bank, the $50,000 was long gone, transferred overseas.
It turned out Mark was in the vanguard of a growing wave of something called "business email compromise," or BEC. It's a category of scam that uses phony emails to trick employees at companies into wiring money to the wrong accounts. The FBI's Internet Crime Complaint Center says reported BEC losses amounted to more than $1.2 billion in 2018, nearly triple the figure in 2016.
"The thing to keep in mind about these statistics is this is just what we're aware of," says James Abbott, a supervisory special agent with the FBI. "This is just the victims that are reporting to the FBI."
Some big losses have made the news in recent months, such as the $37 million BEC scam suffered by a Toyota subsidiary and the $11 million lost by a U.K. office of Caterpillar. But cybersecurity consultants say other losses have been kept quiet, even some worth millions of dollars. Companies want to avoid bad publicity, but this secrecy helps the scammers by keeping the threat under the radar. The next potential victims are less likely to expect such a sophisticated attack.
"What we've seen in 2019 is that the wave that's breaking is primarily focused around social engineering," says Patrick Peterson, CEO of Agari, a company that specializes in protecting corporate email systems. "Social engineering" is hacker-speak for scams that rely less on technical tricks and more on taking advantage of human vulnerabilities.
"It's not so much having the most sophisticated, evil technology. It's using our own trust and desire to communicate with others against us," Peterson says.
In the past, scammers have pretended to be business partners and CEOs, urging employees to send money for an urgent matter. But lately there has been a trend toward what Agari calls "vendor email compromise" — scammers pretending to be part of a company's supply chain.
Law enforcement is scrambling to keep up. In one recent operation, the FBI announced the arrest of 281 people worldwide in connection with international BEC networks. Seventy-four of those arrests were in the U.S., and many were allegedly lower-level enablers of the scam — especially "money mules." They're people in the U.S. who set up bank accounts to receive stolen money. American bank accounts are less likely to raise suspicion during a scam.
"It's a big deal across the country," says Miami attorney Nayib Hassan. "And many people are getting caught up in it."
Hassan says he has represented accused money mules in Texas, California and Florida. One defendant was a friend of his, Alfredo Veloso, who was convicted and is now serving a federal sentence.
"In his mind, when it first got presented to him, it sounded possibly legitimate," Hassan says of how Veloso first agreed to become a money mule. He says Veloso may have convinced himself that someone somewhere had innocent reasons to move money quietly, perhaps to hide it from family.
"But then at some point, you understand that it's fraudulent," says Hassan. "And he understood it."
Many mules are recruited with the promise of easy cash — they usually keep some of the funds flowing through their bank accounts. Others start out as victims.
"[The money mule] is often a late-stage romance scam victim," says John Wilson, the field chief technology officer with Agari.
Romance scam victims are people who have been grifted by fake love interests, usually people they meet online. At first they're asked for loans, but later they can find themselves pressured to help the cybercrime network launder its money.
"Very often the victim has perhaps sent compromising photographs or may have moved money once or twice or something," says Wilson. "When they say they want to get out, that's when they may be reminded, 'Hey, I have pictures of you. You moved this money through your bank account — you're part of this now.' "
Romance scams are lucrative in their own right. The FBI says Americans reported losing $362 million to romance and confidence scams last year, a big jump over the $211 million reported the year before. And they can be just as sophisticated as BEC scams in the way they target and manipulate their victims.
"It's not something I would necessarily fall for," says Wilson. "But the folks that get roped into these things are very carefully selected. They [the scammers] know, demographically, the people that are going to be the most susceptible."
He says the fake online love interests use "scripts," conversational gambits that have proved effective for keeping their victims on the hook.
One victim was a divorcée in Texas with children. She asked to stay anonymous because most people in her life don't know she was scammed. She says her fake love interest always seemed to know just what to say.
"Just very complimentary, understanding and ... someone who had a real interest in me, which was new to me," she says.
When he asked her for money, she says she cried. She says she suspected he was a fraud, even as she sent him the funds.
"The best way I could describe it is you have two brains," she says. "When you have this excitement or these feelings of love or passion. Because you know it's wrong, and you've read stories about it and people are telling you. You'd tell your best friend, 'You're crazy — don't do it!' But then you do it."
The Texas romance scam victim bucked the trend and never was turned into a money mule. Instead, she got a warning from cybersecurity researchers at Agari, who'd been investigating a cybercrime gang in South Africa and saw it communicating with her.
"I had to know that they were a scammer," she says. And the warning from Agari "was finally the evidence that proved that to me."
In the end, she sent the scammers almost half a million dollars over three years. She lost her house and is now mired in debt. She's mystified by their powers of manipulation and considers her victimization a matter of "brain chemistry."
"I believed everything that they told me," she says. "It was ... a crime against everything that I thought I knew. I had to change the way I thought about myself."
NPR researcher Katie Daugert contributed to this report.
AUDIE CORNISH, HOST:
By now, cybercrime is a routine danger. But as ordinary as it seems, it's still really bad for businesses. A company can lose thousands, even millions to a single deceptive email to an employee. And as NPR's Martin Kaste reports, business has never been better for the scammers.
(SOUNDBITE OF PHONE RINGING)
MARTIN KASTE, BYLINE: This latest wave of cybercrime against American businesses really got rolling about two years ago, and this is one of the earliest victims. It's a real estate company in Seattle. One of the owners here is named Mark. He'd rather we don't give his last name.
MARK: We're somewhat experienced businesspeople. The idea that we've been duped makes you feel pretty stupid.
KASTE: That reluctance to talk about this? More about that in a minute. But first, the scam. Mark had been wrapping up a project and emailing with an investment partner. What they didn't realize was someone had hacked into their email traffic.
MARK: It was clear that they had studied our conversation.
KASTE: Because the scammers knew just the right moment to insert themselves into that conversation.
MARK: The cadence and the timing and the email was so normal that it wasn't suspicious at all. It was just like we were continuing to have a conversation, but I just wasn't having it with the person I thought I was.
KASTE: That person had picked up on the fact that Mark was about to send his partner some money. So, pretending to be the partner, the scammers sent him wiring instructions to a different account at his usual bank. Mark didn't think twice. A little later, he texted his partner to see if he'd got the money.
MARK: And there was an immediate reaction and response from him, you know, question mark, what wire? And, oh, it was a cold sweat.
KASTE: The $50,000 he'd wired was gone, already rewired from the American bank to an account overseas. Mark was a victim of a growing category of cybercrime that's called business email compromise or BEC. But don't let that bland name fool you.
PATRICK PETERSON: What we've seen in 2019 is that the wave that's breaking is primarily focused around social engineering.
KASTE: Patrick Peterson is CEO of Agari, a company that specializes in protecting corporate email systems. And he sees a lot of these scams up close. When he says social engineering, what he means is hacks that are based not so much on breaking into software, but rather on fooling people.
PETERSON: It's not so much having the most sophisticated evil technology, it's using our own trust and desire to communicate with others against us.
KASTE: He says these schemes are usually run by international networks - you know, those Nigerian prince emails in the early days of the Internet. It's still similar groups, but now they're more focused on researching their victims. When they break into a company's email, they're patient. They just lurk there for a while.
PETERSON: And then they can sit there and watch the email go back and forth. And they can see this person pays a lot of invoices or sends a lot of accounts payable. And at the right time, we'll send one that has our payable instructions.
KASTE: And given the sums that businesses move around on a daily basis, the payoff can be enormous.
JAMES ABBOTT: In 2016, we had business email compromise schemes at $361 million.
KASTE: This is James Abbott. He's a supervisory special agent with the FBI, specializing in BEC fraud.
ABBOTT: 2017, that number jumped to 676 million. In 2018, we're at nearly 1.2 billion. But the thing to keep in mind with these statistics is this is just what we're aware of.
KASTE: Millions of dollars in fraud goes unreported because embarrassed businesses prefer to keep their losses quiet. Investigators say this kind of secrecy helps the scammers because it keeps their tricks less visible. The FBI's Abbott says businesses are also too quick to assume that the culprits are all overseas and untouchable.
ABBOTT: That is absolutely not the case. There are many times where the victim is sending their money to what we consider a money mule located right in their backyard or another part of the United States.
KASTE: Money mules are people here in the country who set up bank accounts to receive the diverted funds. The foreign scammers need these American accounts because overseas bank accounts would raise suspicions. Nayib Hassan is the friend and lawyer of one of these money mules, a man named Alfredo Veloso.
NAYIB HASSAN: Alfredo's just your run-of-the-mill individual that you see anywhere else. I mean, he's not going to be your Nigerian. He's not going to be your - from anywhere else. He's just trying to make it, trying to survive here in Miami.
KASTE: Veloso is serving a federal sentence and didn't want to talk to NPR, but Hassan says his friend is basically a decent guy who was offered easy money to sort of lend his bank account to people who needed some help moving their money.
HASSAN: In his mind, when it first got presented to him, it sounded possibly legitimate because they don't want their loved one or they don't want this individual stealing this money. But then at some point you understand that it's fraudulent, and he understood it.
KASTE: It's people like this who are most likely to get caught. Just in September, the FBI announced the arrest of 74 people here in the U.S. connected to business email compromise, alleged money mules and other enablers for overseas scammers. Meanwhile, this sort of scam is spreading, and it's not targeting just businesses anymore. Nick Selby is director of cyber intelligence and investigations for the New York Police Department.
NICK SELBY: In New York, we have seen over the past year a notable increase in the number of individuals who are receiving these kinds of emails because they fall for it, too.
KASTE: Selby says you have to keep in mind that these business scams are all about researching certain people at companies to figure out what might fool them.
SELBY: And if you think about that, it doesn't take much to imagine how this could work on individuals.
KASTE: So the question is, as this more sophisticated research-based cybercrime spreads, can American law enforcement keep up? When Mark in Seattle was conned out of his $50,000, he says talking to the FBI just left him feeling hopeless.
MARK: They basically said, we're really sorry, but we're going after this same fraud but in the millions and millions and millions of dollars. And so, you know, it's not enough to go after.
KASTE: The banks weren't much help, either. Since he was the one who gave the scammers the account number, they saw this as his responsibility. He has learned one thing - never again trust wiring instructions that are sent by email. He says people in his business now insist on voice calls before sending money. And some colleagues actually put account numbers down on paper to be delivered by hand.
Martin Kaste, NPR News. Transcript provided by NPR, Copyright NPR.