The secret to comedy, according to the old joke, is timing. The same is true of cybercrime.
Mark learned this the hard way in 2017. He runs a real estate company in Seattle and asked us not to include his last name because of the possible repercussions for his business.
"The idea that someone was effectively able to dupe you ... is embarrassing," he says. "We're still kind of scratching our head over how it happened."
It started when someone hacked into his email conversation with a business partner. But the hackers didn't take over the email accounts. Instead, they lurked, monitoring the conversation and waiting for an opportunity.
When Mark and his partner mentioned a $50,000 disbursement owed to the partner, the scammers made their move.
"They were able to insert their own wiring instructions," he says. Pretending to be Mark's partner, they asked him to send the money to a bank account they controlled.
"The cadence and the timing and the email was so normal that it wasn't suspicious at all. It was just like we were continuing to have a conversation, but I just wasn't having it with the person I thought I was," Mark says.
He didn't realize what had happened until his partner said he'd never gotten the money. "Oh, it was just a cold sweat," he says.
By the time they alerted the bank, the $50,000 was long gone, transferred overseas.
It turned out Mark was in the vanguard of a growing wave of something called "business email compromise," or BEC. It's a category of scam that uses phony emails to trick company employees into wiring money to the wrong accounts. The FBI's Internet Crime Complaint Center says reported BEC losses amounted to more than $1.2 billion in 2018, nearly triple the figure in 2016.
"The thing to keep in mind about these statistics is this is just what we're aware of," says James Abbott, a supervisory special agent with the FBI. "This is just the victims that are reporting to the FBI."
Some big losses have made the news in recent months, such as the $37 million BEC scam suffered by a Toyota subsidiary and the $11 million lost by a U.K. office of Caterpillar. But cybersecurity consultants say other losses have been kept quiet, even some worth millions of dollars. Companies want to avoid bad publicity, but this secrecy helps the scammers by keeping the threat under the radar. The next potential victims are less likely to expect such a sophisticated attack.
"What we've seen in 2019 is that the wave that's breaking is primarily focused around social engineering," says Patrick Peterson, CEO of Agari, a company that specializes in protecting corporate email systems. "Social engineering" is hacker-speak for scams that rely less on technical tricks and more on taking advantage of human vulnerabilities.
"It's not so much having the most sophisticated, evil technology. It's using our own trust and desire to communicate with others against us," Peterson says.
In the past, scammers have pretended to be business partners and CEOs, urging employees to send money for an urgent matter. But lately there has been a trend toward what Agari calls "vendor email compromise" — scammers pretending to be part of a company's supply chain.
Law enforcement is scrambling to keep up. In one recent operation, the FBI announced the arrest of 281 people worldwide in connection with international BEC networks. Seventy-four of those arrests were in the U.S., and many were allegedly lower-level enablers of the scam — especially "money mules." They're people in the U.S. who set up bank accounts to receive stolen money. American bank accounts are less likely to raise suspicion during a scam.
"It's a big deal across the country," says Miami attorney Nayib Hassan. "And many people are getting caught up in it."
Hassan says he has represented accused money mules in Texas, California and Florida. One defendant was a friend of his, Alfredo Veloso, who was convicted and is now serving a federal sentence.
"In his mind, when it first got presented to him, it sounded possibly legitimate," Hassan says of how Veloso first agreed to become a money mule. He says Veloso may have convinced himself that someone somewhere had innocent reasons to move money quietly, perhaps to hide it from family.
"But then at some point, you understand that it's fraudulent," says Hassan. "And he understood it."
Many mules are recruited with the promise of easy cash — they usually keep some of the funds flowing through their bank accounts. Others start out as victims.
"[The money mule] is often a late-stage romance scam victim," says John Wilson, the field chief technology officer with Agari.
Romance scam victims are people who have been grifted by fake love interests, usually people they meet online. At first they're asked for loans, but later they can find themselves pressured to help the cybercrime network launder its money.
"Very often the victim has perhaps sent compromising photographs or may have moved money once or twice or something," says Wilson. "When they say they want to get out, that's when they may be reminded, 'Hey, I have pictures of you. You moved this money through your bank account — you're part of this now.' "
Romance scams are lucrative in their own right. The FBI says Americans reported losing $362 million to romance and confidence scams last year, a big jump over the $211 million reported the year before. And they can be just as sophisticated as BEC scams in the way they target and manipulate their victims.
"It's not something I would necessarily fall for," says Wilson. "But the folks that get roped into these things are very carefully selected. They [the scammers] know, demographically, the people that are going to be the most susceptible."
He says the fake online love interests use "scripts," conversational gambits that have proved effective for keeping their victims on the hook.
One victim was a divorcée in Texas with children. She asked to stay anonymous because most people in her life don't know she was scammed. She says her fake love interest always seemed to know just what to say.
"Just very complimentary, understanding and ... someone who had a real interest in me, which was new to me," she says.
When he asked her for money, she says she cried. She says she suspected he was a fraud, even as she sent him the funds.
"The best way I could describe it is you have two brains," she says. "When you have this excitement or these feelings of love or passion. Because you know it's wrong, and you've read stories about it and people are telling you. You'd tell your best friend, 'You're crazy — don't do it!' But then you do it."
The Texas romance scam victim bucked the trend and never was turned into a money mule. Instead, she got a warning from cybersecurity researchers at Agari, who'd been investigating a cybercrime gang in South Africa and saw it communicating with her.
"I had to know that they were a scammer," she says. And the warning from Agari "was finally the evidence that proved that to me."
In the end, she sent the scammers almost half a million dollars over three years. She lost her house and is now mired in debt. She's mystified by their powers of manipulation and considers her victimization a matter of "brain chemistry."
"I believed everything that they told me," she says. "It was ... a crime against everything that I thought I knew. I had to change the way I thought about myself."
NPR researcher Katie Daugert contributed to this report.