BEC attacks impersonate executives, vendors, or business partners to manipulate employees into authorizing fraudulent wire transfers or giving out sensitive information.
According to the FBI's Internet Crime Complaint Center (IC3), Business Email Compromise attacks caused losses of $2.77 billion in 2024. A systematic review, "Business email compromise: A systematic review of understanding, detection, and challenges" by Almutairi, Kang, and Alhashimy, reports that global financial losses attributed to BEC surpassed USD $8 billion between 2021 and March 2023, making BEC one of the most financially devastating categories of cybercrime. Research by Suleman Lazarus in "Cybercriminal Networks and Operational Dynamics of Business Email Compromise (BEC) Scammers: Insights from the 'Black Axe' Confraternity" puts cumulative BEC losses in the United States at $50 billion.
This threat spans every sector. The Healthcare Email Security Report by Paubox found that in 2024, 180 healthcare organizations fell victim to email-related breaches. These aren't one-off operations: they're orchestrated by well-organized criminal networks with defined roles, specialized skills, and international reach.
The criminal system
The network behind BEC attacks operates much like a legitimate business, with various specialists contributing their expertise to the overall operation. However, unlike traditional organized crime with rigid hierarchies, BEC networks are flexible. As Lazarus found through direct interviews with a high-profile BEC offender, "Unlike traditional organized crime, BEC scammers have adopted a nonhierarchical model that is flexible and fluid. I found no evidence of a rigid hierarchy dictating positions and remuneration for BEC roles."
The reconnaissance teams at the foundation spend weeks or months researching target organizations. They go through LinkedIn profiles, company websites, press releases, and social media to understand corporate hierarchies, communication patterns, and ongoing business transactions. These researchers identify decision-makers, learn the organization's language and culture, and find the right time for their attacks.
Next come the technical specialists who build the infrastructure for the attack. They register look-alike domains that are nearly identical to legitimate company domains, typically by changing a single character (for example, "rn" in place of "m") or by using a different top-level domain. They compromise email accounts through credential theft, exploiting weak passwords or reusing credentials exposed in previous data breaches. Some take a man-in-the-middle position inside an existing conversation, inserting themselves into an ongoing email thread from a compromised mailbox so that they can quietly replace the payment instructions.
Then come the social engineers, who write convincing messages that manufacture urgency and steer victims around normal verification procedures. They understand authority dynamics, exploit trust relationships, and manipulate victims into acting against standard protocols.
Behind these frontline operators are the money launderers who convert fraudulent transfers into untraceable funds. They coordinate individuals who receive transfers and quickly move funds through cryptocurrency exchanges, international transfers, or gift card purchases before accounts can be frozen.
A historical case from November 2022 shows the complexity of these money laundering operations. The U.S. Department of Justice announced charges against 10 defendants in what it described as "the Justice Department's first coordinated action against individuals using BEC and money laundering schemes to target public and private health insurers." The defendants allegedly used spoofed email addresses and fraudulent methods to divert payments intended for hospitals—deceiving five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers into sending reimbursements totaling more than $11.1 million to fraudulent accounts.
According to the DOJ press release, the defendants then "laundered the proceeds fraudulently obtained from these health care benefit plans and from other victims by, among other things, withdrawing large amounts of cash, layering them through other accounts they or their co-conspirators opened in the names of false and stolen identities and shell companies, transferring them overseas, and purchasing luxury goods and exotic automobiles." One defendant, Malachi Mullings, allegedly laundered $310,000 fraudulently diverted from a state Medicaid program and used $260,000 from an elderly romance scam victim to purchase a Ferrari.
Lazarus's research also shows how fluid these roles are: "An individual who assumes a specific role in one transaction may readily transition into an entirely different role in another context, mirroring the network's inherent adaptability and fluidity." This flexibility makes these networks difficult to dismantle, as members can shift between functions depending on the needs of each operation.
International coordination and safe havens
Lazarus's investigation into the Black Axe Confraternity, a notorious organization linked to BEC operations, reveals the global nature of these networks. His research shows that BEC operations include "individuals from diverse geographical locations, such as Canada, Australia, the United Kingdom, the United States, and Nigeria, all concurrently participating in BEC operations." Both Canadian and Irish authorities have apprehended members of the Black Axe and exposed their participation in wire frauds, romance scams, and Business Email Compromises.
The IC3 report also reveals the global nature of these crimes, noting that in 2024, the top international destinations for fraudulent wire transactions included Hong Kong (3,043 transactions), Vietnam (2,629), Mexico (1,498), China (1,421), the Philippines (1,322), and India (1,270).
Evolution and sophistication
These criminal networks continuously change their tactics. Early BEC attacks were often identifiable by poor grammar and obvious red flags. Today's attacks are grammatically perfect, culturally appropriate, and deeply informed by insider knowledge. Some groups employ artificial intelligence to analyze writing patterns and generate convincing impersonations.
The research paper "Business email compromise: A systematic review of understanding, detection, and challenges" shows that in 2023, pretexting, including Business Email Compromise, surpassed traditional phishing as the most prevalent social engineering tactic, with BEC fraud accounting for over 50% of such incidents. The median open rate for text-based BEC fraud is nearly 28%, and BEC served as the attack vector for 9% of data breaches in 2023.
According to the systematic review, "Modern BEC fraud increasingly blends multiple strategies in a single attack cycle. For instance, attackers may use spear-phishing to gain credentials (technical breach), then engage in CEO fraud (social engineering), while redirecting payments via homograph domain attacks (visual deception)." Lazarus's findings support this multi-layered approach, noting that BEC operations now incorporate deepfakes and sophisticated social engineering alongside traditional technical methods.
The Healthcare Email Security Report shows this evolution, noting that "2025 will be the year of highly convincing phishing emails. With AI's rapid advancement, cybercriminals can scrape social media and craft personalized emails designed to steal identities and money."
The paradox of security spending
The Paubox Report reveals that cybersecurity spending rose by 70% over the past four years, with cybersecurity as part of overall technology budgets increasing by 50% from 2019 to 2023 in the healthcare sector alone.
The report also found that 31.1% of breached organizations were categorized as High Risk, meaning they had multiple security gaps that exposed them to major cybersecurity threats. Furthermore, 37.2% of breached organizations had DMARC email authentication in "monitor-only" mode (a policy of p=none), which asks receiving mail servers to report spoofed messages but still deliver them, so a forged message from the organization's own domain reaches the inbox unchallenged.
According to the same report, only 27% of IT leaders feel confident about avoiding breaches in 2025, signaling a gap between security investments and actual protection.
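The monitor-only gap above is easy to check for your own domains and your vendors' domains. The following is an added example, not Paubox's tooling or anything from the report: it parses DMARC TXT records and grades whether they actually instruct receivers to block spoofed mail. The sample records and domain names are constructed for illustration; a live check would fetch the TXT record at _dmarc.<domain> and feed it to the same function.

```python
"""Grade DMARC TXT records for enforcement strength.

Added example, not Paubox's tooling. The records below are constructed;
a live check would fetch the TXT record at _dmarc.<domain> instead."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records keyed by domain (None = no record published).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
    "no-record.example": None,
}


@dataclass
class DmarcAssessment:
    domain: str
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    enforcing: bool
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Decide whether a record actually tells receivers to block spoofed mail."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, False,
                               ["no DMARC record: receivers apply no policy to spoofed mail"])
    tags = parse_dmarc(record)
    findings: List[str] = []
    valid = tags.get("v") == "DMARC1"   # RFC 7489 requires this exact value
    if not valid:
        findings.append("v tag missing or wrong; receivers ignore the record")
    policy = tags.get("p")
    sub_policy = tags.get("sp", policy)   # sp falls back to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct is not an integer; treated as 100")
    if policy is None:
        findings.append("p tag missing; record is invalid")
    elif policy == "none":
        findings.append("p=none is monitor-only: failures are reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to junk rather than being rejected")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains such as billing.<domain> spoofable")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives the policy")
    if "rua" not in tags:
        findings.append("no rua address: aggregate abuse reports are never received")
    enforcing = (valid and policy in ("quarantine", "reject")
                 and sub_policy in ("quarantine", "reject") and pct == 100)
    return DmarcAssessment(domain, policy, sub_policy, pct, enforcing, findings)


def assess_all(records: Dict[str, Optional[str]] = SAMPLE_RECORDS) -> Dict[str, DmarcAssessment]:
    """Assess every sample record; returns results keyed by domain."""
    return {domain: assess_dmarc(domain, rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for result in assess_all().values():
        print(f"{result.domain}: p={result.policy} sp={result.subdomain_policy} "
              f"pct={result.pct} enforcing={result.enforcing}")
        for finding in result.findings:
            print("  -", finding)
```

The grading treats anything short of p=reject or p=quarantine, applied to 100% of mail and to subdomains, as non-enforcing, because a partial rollout (pct=25) or an open subdomain policy (sp=none) leaves exactly the spoofing path a BEC operator needs.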
Escalating losses and recovery efforts
Despite increased awareness and security measures, the problem continues to escalate. The IC3 received 21,442 BEC complaints in 2024, and over a three-year period from 2022 to 2024, BEC has consistently generated losses exceeding $2.7 billion annually. However, the FBI's Recovery Asset Team achieved a 66% success rate in freezing fraudulent funds in 2024, recovering $469.1 million domestically and $92.5 million internationally through the Financial Fraud Kill Chain process.
The systematic review by Almutairi, Kang, and Alhashimy documents that in 2016, a BEC scam targeting Facebook and Google resulted in collective losses exceeding $100 million, with attackers impersonating a legitimate vendor.
The 2022 DOJ case targeting Medicare and Medicaid shows how these networks exploit even trusted public institutions. According to Assistant Attorney General Kenneth A. Polite, Jr., the defendants used "sophisticated business email compromise and money laundering schemes targeting public and private health insurers," with fraudulent emails "from accounts resembling those associated with actual hospitals" requesting that future reimbursements be redirected to fraudulent accounts. The case involved defendants across multiple states, underscoring the interstate and international reach of these operations.
The healthcare sector provides evidence of the financial devastation these attacks can cause. The Paubox Report documents that, according to IBM, the true average cost of a data breach in healthcare is $9.8 million. The Solara Medical Supplies case is one example: a 2019 phishing attack that compromised over 114,000 patient records resulted in a $3 million OCR settlement and a $9.76 million class action settlement, nearly $13 million in direct costs before reputational damage and lost business are counted.
The human element
The Healthcare Email Security Report reveals that only 5% of known phishing attacks are reported by employees to their security teams. This underreporting means that most attempted attacks go unnoticed, allowing criminals to refine their tactics and identify which approaches work best within an organization.
The networks also exploit the human tendency to trust. When an email appears to come from a known contact, contains accurate information about ongoing projects, and creates time pressure, even security-conscious individuals can be manipulated into making mistakes.
As the systematic review notes, a fundamental challenge remains: "BEC attacks often do not contain obvious malicious indicators, such as URLs or attachments, making them difficult for supervised learning models to classify accurately." This makes the human element the primary target.
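Because a BEC message carries no URL or attachment to scan, what is left to inspect is the envelope and the words: the look-alike domains and conversation hijacking described under "The criminal system", the homograph domains the systematic review mentions, and the urgency language above. The following is an added example, not Paubox's product code or the review's detector: a small rule-based scorer over a few constructed messages. TRUSTED_DOMAINS, EXECUTIVES, the domain names and the messages are all assumed for illustration.

```python
"""Header-and-text heuristics for BEC mail that carries no URL or attachment.

Added example with constructed messages; not Paubox's product code.
Assumed: TRUSTED_DOMAINS and EXECUTIVES stand in for your directory."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, Optional

TRUSTED_DOMAINS = {"example-hospital.org", "acme-supplies.com"}      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-hospital.org"}           # assumed

# Substitutions used in look-alike registrations: Latin digraphs, digits, and
# Cyrillic letters that render like Latin ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "\u0430": "a",
               "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0456": "i"}

URGENCY = re.compile(
    r"\b(urgent(?:ly)?|immediately|asap|confidential|today|before (?:close of business|cob)"
    r"|wire transfer|(?:new|updated?) (?:bank|account|payment) (?:details|instructions|information))\b",
    re.I)

# Constructed: "acme-supplies.com" with a Cyrillic i, as it appears on the wire (xn--).
HOMOGRAPH_DOMAIN = "acme-suppl\u0456es.com".encode("idna").decode("ascii")

SAMPLES = {  # constructed RFC 5322 messages
    "lookalike_ceo": ("From: Jane Doe <jane.doe@exarnple-hospital.org>\nTo: ap@example-hospital.org\n"
                      "Subject: Quick favor\n\nAre you at your desk? I need a wire transfer processed "
                      "immediately. It's confidential, will send details shortly.\n"),
    "replyto_freemail": ("From: Jane Doe <jane.doe@example-hospital.org>\n"
                         "Reply-To: jane.doe.ceo@freemail.example\n"
                         "Authentication-Results: mx.example-hospital.org; spf=fail; dmarc=fail\n"
                         "To: ap@example-hospital.org\nSubject: Invoice\n\nPlease handle this today.\n"),
    "vendor_homograph": (f"From: Accounts <billing@{HOMOGRAPH_DOMAIN}>\nTo: ap@example-hospital.org\n"
                         "Subject: Remittance\n\nPlease note our updated bank details for the invoice.\n"),
    "benign_vendor": ("From: Accounts <billing@acme-supplies.com>\nTo: ap@example-hospital.org\n"
                      "Subject: Statement\n\nAttached is the monthly statement. No action is required.\n"),
}


def fold_domain(domain: str) -> str:
    """Decode punycode and collapse confusables so look-alikes compare equal."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    domain = domain.lower()
    for bad, good in CONFUSABLES.items():
        domain = domain.replace(bad, good)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    folded = fold_domain(domain)
    label = folded.rsplit(".", 1)[0]                 # registrable label without TLD
    for trusted in TRUSTED_DOMAINS:
        t_folded = fold_domain(trusted)
        t_label = t_folded.rsplit(".", 1)[0]
        if folded == t_folded or label == t_label or edit_distance(label, t_label) == 1:
            return trusted
    return None


def assess_message(raw: str) -> Dict:
    """Score one message on sender, reply path, display name, pressure language, auth results."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1] or from_addr
    from_domain, reply_domain = from_addr.rpartition("@")[2], reply_addr.rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings, score = [], 0
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain!r} imitates {target!r}"); score += 3
    if reply_domain.lower() != from_domain.lower():
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain"); score += 2
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name {from_name!r} belongs to {expected}, not {from_addr}"); score += 3
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("pressure language: " + ", ".join(hits)); score += len(hits)
    if "fail" in str(msg.get("Authentication-Results", "")).lower():
        findings.append("upstream SPF/DKIM/DMARC failure"); score += 2
    return {"from": from_addr, "score": score, "flag": score >= 4, "findings": findings}


def assess_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, Dict]:
    return {name: assess_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name}: score={result['score']} flag={result['flag']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The scorer flags the three hostile messages and passes the benign vendor statement. None of the signals is decisive on its own, which is the point the review makes: the decision has to come from combining weak sender, reply-path and wording cues with an out-of-band callback to the vendor or executive, not from a malicious-URL verdict that will never arrive.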
OCR Director Melanie Fontes Rainer warns, "HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies."
FAQs
How do BEC attacks differ from regular phishing scams?
BEC attacks rely on social engineering and impersonation rather than malicious links or attachments.
What motivates cybercriminals to focus on BEC scams instead of other types of fraud?
BEC scams often give higher financial returns with lower technical barriers than traditional cyberattacks.
Why are healthcare organizations frequently targeted by BEC groups?
Healthcare entities process large volumes of sensitive and financial data, making them lucrative and vulnerable targets.
How do criminals obtain the information needed to impersonate executives or vendors?
They use open-source intelligence (OSINT) from LinkedIn, websites, and social media to profile organizations.
What role does artificial intelligence play in modern BEC operations?
AI tools help attackers craft realistic messages, mimic writing styles, and automate reconnaissance.