Date: 2020-08-19

This is the web version of Data Sheet, a daily newsletter on the top tech news.

In June, Obinwanne Okeke, a Nigerian “entrepreneur” who appeared on the cover of the African edition of Forbes in 2016, pleaded guilty to charges of fraud.

Turned out Okeke’s company, Invictus Group, named after Nelson Mandela’s favorite poem, was a front. Between 2015 and 2019, the founder’s crew orchestrated a series of hacks and scams, including one campaign that swindled Unatrac Holding, a sales office of Caterpillar, the construction giant, out of $11 million.

Okeke was in the game of business email compromise. Step one—steal an executive’s email password through phishing. Step two—hijack the person’s email account. Step three—impersonate the victim and fool colleagues into processing fake invoices; a.k.a., profit.

Business email compromise is a big problem. The Federal Bureau of Investigation—yep, the same one that nabbed Okeke—received nearly 24,000 complaints from businesses that reported losing $1.7 billion to the scam last year. That’s half the total $3.5 billion lost to all Internet crime last year, as recorded by the FBI. (No doubt these are lowball figures, given they tally only what has been voluntarily reported.)

The pandemic may be worsening the situation. Payment and invoice fraud attacks increased 112% in the second quarter of the year, during the coronavirus’s wildfire spread, compared with the first quarter, according to a new report from Abnormal Security, a San Francisco-based email security startup that gave me an exclusive first look at the data.

That’s not all. Business email compromise attacks specifically increased 11% over the same period. While that uptick may seem small, it’s actually “significant and somewhat alarming,” the report’s authors point out. Since these attacks are typically highly targeted—involving research and tailor-made inducements, unlike automated, “spray-and-pray”-style spam campaigns—any increase means hackers are deliberately working overtime.

What’s all this got to do with COVID-19? Scammers are exploiting remote workers’ increased reliance on digital tools, says Evan Reiser, an ex-Twitter product manager who now heads Abnormal. Tellingly, the most impersonated brand in fraudulent emails last quarter was Zoom, the darling teleconferencing app of the pandemic, now a workplace staple. (American Express held the No. 1 spot prior.)

Previously, Zoom didn’t even crack the top 10 list.

***

Business email compromise, or some form of it, has gone on as long as the world has been wired up. As one Data Sheet reader—Jonathan Coopersmith, a history professor at Texas A&M University—recently pointed out to me, the tactic predates the Internet. Apparently, before Nigeria’s “Yahoo boys,” there was faxing fraud.

With permission from the author, here’s an excerpt from Coopersmith’s 2016 book, Faxed: The Rise and Fall of the Fax Machine.

Just as a fax proved more effective than a letter in convincing people to pay their bills and respond to surveys, so too did it benefit criminals and fraudsters. The best known example was the “classic Nigerian ‘fax scam,’ a form of fraud so ubiquitous and so successful that legitimate trade with African countries has begun to suffer.” A fax informed the lucky recipient he had a share of millions of dollars trapped in a Nigerian bank account – but a little money and personal bank account information were needed first. Another scam, migrating from telex, was sending an invoice to a firm for its listing in a non-existent fax directory. The assumption, often correct, was that the bookkeeping department would not check but simply pay because the amount was under $1000.

Okeke was no innovator.

