The discovery of an alleged international ring of fraudsters started with a one-line email. In April 2019, a company accountant received an email that appeared to be from her CEO.

"Joanna, Can you mail out a check to to a Vendor today? Barbara," the email said.

The email had some hallmarks of a scam that is becoming increasingly common. But it also had a few unique attributes that intrigued cybersecurity experts at the company's email security provider, Agari Data Inc. Using a fake email account posing as the company accountant, Agari sent back a reply.

"Hi Barbara, Yes, of course. Please send me the details for the payment and I will take care of it ASAP. Joanna," the reply said.

Over the next several months, Agari was able to unravel what's known as a business email compromise operation. Agari dubbed the group sending the emails "Exaggerated Lion" and said its members were based in Nigeria, Ghana, and Kenya. Between April and August 2019, Exaggerated Lion targeted more than 3,000 people at nearly 2,100 companies, all of them in the United States, according to an Agari report published earlier this month.

Similar email attacks are a growing problem in the U.S., according to the latest Federal Bureau of Investigation report, but one that doesn't get the headlines of state-sponsored hacks or ransomware attacks. Global losses from business email compromises increased 100 percent from May 2018 to July 2019, according to the FBI, which recorded 166,349 incidents from June 2016 to July 2019—and $26.2 billion in losses during that period.


In one of its simplest forms, a business email compromise operator will send an email to an accounts payable department posing as the company's CEO, with an urgent request to transfer funds or fulfill a fake invoice. In another example, payroll representatives will receive an email appearing to be from an employee requesting to update their direct deposit information—often to a prepaid-card account. Companies often realize something is amiss only when it's too late to recover the transferred funds.

"We think of business email compromise as any attack which claims to be someone you know and trust and is attempting some kind of theft," said Patrick Peterson, Agari's founder and CEO, in an online video. "This has been far too successful."

Leveraging its position as an email security provider, Agari can sometimes see email scams that target its customers as they happen. In some cases, the company intervenes to communicate with the fraudster, posing as a clueless employee in order to draw out more details. That's what happened with Exaggerated Lion, when the operation sent the email to the company, which Agari declined to name, last April.


Mules to Move the Money

In the months that followed, Agari said, it engaged with Exaggerated Lion more than 200 times and discovered the identity of 28 "mules" used to ferry payments between victims and the group itself. Mules are primarily recruited by Exaggerated Lion under the pretense of romance and are likely unaware that they are participating in a criminal enterprise, the company said. "These romance-victims-turned-money-mules are told they are helping their romantic partner recover a large inheritance that is tied up with lawyers and is being distributed slowly over time," according to Agari.

In one exchange with a mule included in Agari's report, a member of Exaggerated Lion wrote, "Okay honey please put the cash in big envelope and seal it before taking to FedEx."

The unnamed mule responded, "Honey, that's a lot of money to send cash that's a heck of a liability it could be lost anywhere."

Exaggerated Lion's representative then wrote, "It can't honey. As long as you insure it. And I've received more than that through cash mailing when my dad was still alive."

Agari declined to say how it obtained the digital conversations.

As the fake relationship progresses, mules are asked to launder increasingly larger sums of money, according to Agari. Once an unsuspecting business parts with its cash, through a paper check or wire transfer, Exaggerated Lion's mules have a variety of ways to get the money back to them. Once a physical check is cashed, the money can be delivered to Exaggerated Lion via traditional money transfer, bitcoin, or gift cards, according to Agari.

Agari said it turned its information on the mules over to financial partners and law enforcement.


Paper Checks Avoid Fraud-Detection Efforts

Exaggerated Lion began operating in 2014 by running check scams on Craigslist and has since become more sophisticated, according to the report. One scam the group allegedly operated for years involved recruiting people to wrap their car with marketing decals for a beverage company in exchange for a fixed amount of money every week. Participants, who responded to an online ad or email, would be sent a fake check, which included the first month's pay and money for a specialist to place advertisements on the car. Respondents were then instructed to keep the first month's pay and wire the money to the "specialist," who was really a money mule or a member of Exaggerated Lion, according to Agari.

What makes Exaggerated Lion unique in the world of business email compromise is its preference for physical checks, a payment method the group had "experience and comfort with," according to Agari. Paper checks may be helpful in evading systems designed to detect fraudulent wire transfers. Exaggerated Lion requests these checks to be sent as fast as possible, through an overnight mail service, according to exchanges contained in the Agari report. But when a victim is hesitant about sending a check, Exaggerated Lion is quick to suggest a bank account to wire money to, according to the report.

Exaggerated Lion also used fake invoices, created using a free invoice generator, and W-9s, publicly available on the Internal Revenue Service website, "to inject a sense of authenticity in their attacks," according to Agari. The group also used Google's enterprise email service to send more emails, the security company said. "Google doesn't start charging for G Suite until after the first month," Agari said in its report. "This means Exaggerated Lion can create a new G Suite account, add compromised credit card information as a payment method, and effectively have at least a 30-day free trial on each domain they set up."

If the credit card doesn't work, the group "can simply move on to another account," Agari wrote. With a Google Enterprise account, Exaggerated Lion can send 2,000 emails a day, four times more than a regular Gmail account. Google declined to comment.

Among the mules identified by Agari was 63-year-old Reuben Alvarez Sr., of Beaumont, Texas, who was arrested in October 2019 and accused of laundering more than $100,000, nearly $70,000 of which came from the United Methodist Church, according to a probable cause affidavit from the Jefferson County Sheriff's Office. The rest came from small-to-medium-sized businesses, such as an insurance company in Ohio and golf courses in Alabama, all of which were victims of a business email compromise scam, according to the affidavit. Agari said its researchers discovered 14 messages where Exaggerated Lion directed its targets to send money to Alvarez's bank accounts.

Alvarez's case is pending and he hasn't yet entered a plea, according to the district attorney's office. Neither Alvarez nor his attorney could be located for comment.

In an interview with a detective, Alvarez said the money he received came from a woman he believed to be named "Peggy Smith," who lived in Washington State. Alvarez said he knew Smith from chatting online for three or four years but had never met her in person. Alvarez told the detective that he assumed the money came as part of Smith's inheritance payments after her parents died. But Alvarez said he knew his activities constituted a crime, according to the affidavit. When the detective drove Alvarez home, he handed over a package he had received the day before: It contained a $25,647 check from a Tennessee healthcare company.


Copyright 2020 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
