AUDIE CORNISH, HOST:
By now, cybercrime is a routine danger. But as ordinary as it seems, it's still really bad for businesses. A company can lose thousands, even millions to a single deceptive email to an employee. And as NPR's Martin Kaste reports, business has never been better for the scammers.
(SOUNDBITE OF PHONE RINGING)
MARTIN KASTE, BYLINE: This latest wave of cybercrime against American businesses really got rolling about two years ago, and this is one of the earliest victims. It's a real estate company in Seattle. One of the owners here is named Mark. He'd rather we don't give his last name.
MARK: We're somewhat experienced businesspeople. The idea that we've been duped makes you feel pretty stupid.
KASTE: That reluctance to talk about this? More about that in a minute. But first, the scam. Mark had been wrapping up a project and emailing with an investment partner. What they didn't realize was someone had hacked into their email traffic.
MARK: It was clear that they had studied our conversation.
KASTE: Because the scammers knew just the right moment to insert themselves into that conversation.
MARK: The cadence and the timing and the email was so normal that it wasn't suspicious at all. It was just like we were continuing to have a conversation, but I just wasn't having it with the person I thought I was.
KASTE: That person had picked up on the fact that Mark was about to send his partner some money. So, pretending to be the partner, the scammers sent him wiring instructions to a different account at his usual bank. Mark didn't think twice. A little later, he texted his partner to see if he'd got the money.
MARK: And there was an immediate reaction and response from him, you know, question mark, what wire? And, oh, it was a cold sweat.
KASTE: The $50,000 he'd wired was gone, already rewired from the American bank to an account overseas. Mark was a victim of a growing category of cybercrime that's called business email compromise or BEC. But don't let that bland name fool you.
PATRICK PETERSON: What we've seen in 2019 is that the wave that's breaking is primarily focused around social engineering.
KASTE: Patrick Peterson is CEO of Agari, a company that specializes in protecting corporate email systems. And he sees a lot of these scams up close. When he says social engineering, what he means is hacks that are based not so much on breaking into software, but rather on fooling people.
PETERSON: It's not so much having the most sophisticated evil technology, it's using our own trust and desire to communicate with others against us.
KASTE: He says these schemes are usually run by international networks - you know, those Nigerian prince emails in the early days of the Internet. It's still similar groups, but now they're more focused on researching their victims. When they break into a company's email, they're patient. They just lurk there for a while.
PETERSON: And then they can sit there and watch the email go back and forth. And they can see this person pays a lot of invoices or sends a lot of accounts payable. And at the right time, we'll send one that has our payable instructions.
KASTE: And given the sums that businesses move around on a daily basis, the payoff can be enormous.
JAMES ABBOTT: In 2016, we had business email compromise schemes at $361 million.
KASTE: This is James Abbott. He's a supervisory special agent with the FBI, specializing in BEC fraud.
ABBOTT: 2017, that number jumped to 676 million. In 2018, we're at nearly 1.2 billion. But the thing to keep in mind with these statistics is this is just what we're aware of.
KASTE: Millions of dollars in fraud goes unreported because embarrassed businesses prefer to keep their losses quiet. Investigators say this kind of secrecy helps the scammers because it keeps their tricks less visible. The FBI's Abbott says businesses are also too quick to assume that the culprits are all overseas and untouchable.
ABBOTT: That is absolutely not the case. There are many times where the victim is sending their money to what we consider a money mule located right in their backyard or another part of the United States.
KASTE: Money mules are people here in the country who set up bank accounts to receive the diverted funds. The foreign scammers need these American accounts because overseas bank accounts would raise suspicions. Nayib Hassan is the friend and lawyer of one of these money mules, a man named Alfredo Veloso.
NAYIB HASSAN: Alfredo's just your run-of-the-mill individual that you see anywhere else. I mean, he's not going to be your Nigerian. He's not going to be your - from anywhere else. He's just trying to make it, trying to survive here in Miami.
KASTE: Veloso is serving a federal sentence and didn't want to talk to NPR, but Hassan says his friend is basically a decent guy who was offered easy money to sort of lend his bank account to people who needed some help moving their money.
HASSAN: In his mind, when it first got presented to him, it sounded possibly legitimate because they don't want their loved one or they don't want this individual stealing this money. But then at some point you understand that it's fraudulent, and he understood it.
KASTE: It's people like this who are most likely to get caught. Just in September, the FBI announced the arrest of 74 people here in the U.S. connected to business email compromise, alleged money mules and other enablers for overseas scammers. Meanwhile, this sort of scam is spreading, and it's not targeting just businesses anymore. Nick Selby is director of cyber intelligence and investigations for the New York Police Department.
NICK SELBY: In New York, we have seen over the past year a notable increase in the number of individuals who are receiving these kinds of emails because they fall for it, too.
KASTE: Selby says you have to keep in mind that these business scams are all about researching certain people at companies to figure out what might fool them.
SELBY: And if you think about that, it doesn't take much to imagine how this could work on individuals.
KASTE: So the question is, as this more sophisticated research-based cybercrime spreads, can American law enforcement keep up? When Mark in Seattle was conned out of his $50,000, he says talking to the FBI just left him feeling hopeless.
MARK: They basically said, we're really sorry, but we're going after this same fraud but in the millions and millions and millions of dollars. And so, you know, it's not enough to go after.
KASTE: The banks weren't much help, either. Since he was the one who gave the scammers the account number, they saw this as his responsibility. He has learned one thing - never again trust wiring instructions that are sent by email. He says people in his business now insist on voice calls before sending money. And some colleagues actually put account numbers down on paper to be delivered by hand.
Martin Kaste, NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.