The discovery of an alleged international ring of fraudsters started with a one-line email. In April 2019, a company accountant received an email that appeared to be from the chief executive officer. “Joanna, Can you mail out a cheque to a vendor today? Barbara,” the email said.
The email had some hallmarks of a scam. But it also had a few unique attributes that intrigued cybersecurity experts at the company’s email security provider, Agari Data Inc. Using a fake email account posing as the company accountant, Agari sent back a reply.
“Hi Barbara, Yes, of course. Please send me the details for the payment,” the reply said.
Over the next several months, Agari said it was able to unravel what’s known as a business email compromise operation. Agari dubbed the group sending the emails Exaggerated Lion, and said its members were based in Nigeria, Ghana and Kenya. Between April and August 2019, Exaggerated Lion targeted over 3,000 people at nearly 2,100 companies, all in the US.
Similar email attacks are a growing problem in the US, according to the latest FBI report.
In its simplest forms, a business email compromise operator will send an email posing as the CEO to an accounts payable department with an urgent request to transfer funds or fulfill a fake invoice. In another example, payroll representatives will receive an email appearing to be from an employee requesting to update their direct deposit information — often to a prepaid card account. Companies often realise something is amiss only when it’s too late.
Leveraging its position as an email security provider, Agari can sometimes see email scams that target its customers. In some cases, the company intervenes to communicate with the fraudster, posing as an employee in order to draw out more details.
In the months that followed, Agari said it engaged with Exaggerated Lion more than 200 times, and discovered the identity of 28 “mules” used to ferry payments between victims and the group. Mules are primarily recruited by Exaggerated Lion under the pretense of romance and are likely unaware they are participating in a criminal enterprise, the company said.
As the fake relationship progresses, mules are asked to launder larger sums of money. Once an unsuspecting business parts with its cash, through a paper cheque or wire transfer, Exaggerated Lion’s mules have a variety of ways to get the money back to them. Once a physical cheque is cashed, the money can be delivered to Exaggerated Lion via traditional money transfer, Bitcoin, or gift cards.
What makes Exaggerated Lion unique is its preference for cheques. Cheques may be helpful in evading systems designed to detect fraudulent wire transfers. Exaggerated Lion requests that these cheques be sent through an overnight mail service.