Sophisticated Email Initiated Crime & How to Prevent Them With RMail PRE-Crime Services

February 10, 2023 / in Blog / by Zafar Khan, RPost CEO

You may wish you were one of the zombies from The Last of Us after a BEC attack.

Previously on Tech Essentials, in part 1 of the 3-part series we’re running, we introduced you to the cybercrime phenomenon that begins with Email Eavesdropping and ends in a mis-wired payment.

But while all this exposition is necessary for a basic understanding, to really comprehend how such a scheme works, we’re going to (against the advice of our attorneys 😉) detail the most common steps involved in a targeted business email compromise (BEC) attack so you can really live through it. I warn you, while this is not as scary as the latest episode of The Last of Us, you may feel a bit of a chill…

Of course, everybody has gotten (perhaps even today) a phishing email, but this is not what we’re going to outline here. This is more about sophisticated organized crime rings that target carefully identified individuals in companies with deeper pockets than your average individual. They often have entire teams working in far-flung, shadowy regions that are bent on scoring big with an email-based lure.


Here is a brief rundown of this type of sophisticated email-initiated crime:

  1. You (or your Accounts Receivable team) send an ordinary email to a client or customer about a payment due (invoice, purchase order, etc.). Emails like these are sent on a very regular and frequent basis.
  2. Your recipient’s email account is being unknowingly eavesdropped on by a cybercriminal using, for example, a discovered reused password and the IMAP protocol at the recipient’s mail server. See part 1 of our email eavesdropping series for more details. They prefer to access the account over this protocol because it bypasses web-login security and lets them easily mirror the mailbox in another location, with that mirrored copy updating every time a new email enters or is sent from the recipient’s true email interface.
  3. Within hours of your email reaching your recipient, if the email concerns a payment, the cybercriminal copies only that email content (often including the PDF payment details for a wire or ACH) and changes only one thing: the account where the money is to be sent! All you need is Photoshop and a dream.
    Note that these cybercriminals often have legitimate bank accounts at the same major banks that many of us use. So, if you usually have payments going to your Bank of America account, they will use that same bank, same routing number, but they will use their own account number.
  4. An email will arrive in your recipient’s inbox from what appears to be your email address (or it will come from a lookalike address – your name with a newly purchased domain one letter off from your domain), so the recipient only sees your original request and then a second one – the impostor email. To most people it would appear as if you sent the email twice, and the recipient usually opens the newer/top-of-the-inbox one, which is the one from the cybercriminal.
  5. The cybercriminal then has someone follow up by phone with your unwitting recipient, stating that they are your assistant (or some other yarn) and that they are following up to see when the invoice or purchase payment will be sent.
  6. Your recipient sends the payment to the cybercriminal’s bank account (thinking it was your account) and replies to the fake email address from the fake you with confirmation.
  7. The cybercriminal immediately moves the funds from the cybercriminal’s original bank to an offshore account. The money is now, for all intents, gone forever.

Meanwhile, a week or so later, the real you follows up to find out when payment will be made. The recipient replies quizzically that it was already sent. Panic ensues when the account numbers are found to be wrong and the funds are gone.
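The two tell-tale signals in the scheme above are a sender domain one letter off from a known partner’s domain (step 4) and payment instructions that keep the vendor’s bank and routing number but swap in a different account number (step 3 and its note). The following is an added example, written for this post and not RMail’s or RPost’s own code, of how a defender could check inbound payment emails for both signals before anyone pays. The trusted-domain list, vendor bank records and the three sample emails are all constructed for the example, and the function and field names are hypothetical; it also covers the case where the impostor email appears to come from the real domain, in which only the account-number check fires.

```python
"""Flag inbound payment emails that match the BEC pattern described above:
lookalike sender domain and/or a changed account number on the same bank."""
import re
from dataclasses import dataclass


@dataclass
class Email:
    sender: str   # From: address
    subject: str
    body: str     # plain-text body containing the remittance instructions


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def is_lookalike(domain: str, trusted: set[str], max_dist: int = 1):
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


# Very simple extractors for US-style remittance instructions (constructed formats).
ROUTING_RE = re.compile(r"routing\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{9})", re.I)
ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,17})", re.I)


def extract_payment_details(body: str):
    r, a = ROUTING_RE.search(body), ACCOUNT_RE.search(body)
    if not (r and a):
        return None
    return {"routing": r.group(1), "account": a.group(1)}


def analyze(email: Email, trusted: set[str], vendor_accounts: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    domain = domain_of(email.sender)
    imitated = is_lookalike(domain, trusted)
    if imitated:
        findings.append(f"sender domain {domain} is a lookalike of trusted {imitated}")
    # Compare the instructions against the vendor record for the domain being claimed.
    vendor = imitated or domain
    details = extract_payment_details(email.body)
    expected = vendor_accounts.get(vendor)
    if details and expected and details["routing"] == expected["routing"] \
            and details["account"] != expected["account"]:
        findings.append("same bank/routing number as vendor record, but account number differs")
    return findings


# Constructed sample data: one real partner, its bank record, and three inbound emails.
TRUSTED = {"acme-supply.com"}
VENDOR_ACCOUNTS = {"acme-supply.com": {"routing": "123456789", "account": "55501234"}}
LEGIT = Email("billing@acme-supply.com", "Invoice 4471 due",
              "Please remit to:\nRouting number: 123456789\nAccount number: 55501234")
IMPOSTOR = Email("billing@acme-suply.com", "Invoice 4471 due (updated)",
                 "Please remit to:\nRouting number: 123456789\nAccount number: 77709876")
SPOOFED = Email("billing@acme-supply.com", "Invoice 4471 - new account",
                "Please remit to:\nRouting number: 123456789\nAccount number: 77709876")
UNRELATED = Email("news@example.org", "Newsletter", "Nothing to pay here.")

if __name__ == "__main__":
    for e in (LEGIT, IMPOSTOR, SPOOFED, UNRELATED):
        print(e.sender, "->", analyze(e, TRUSTED, VENDOR_ACCOUNTS) or "clean")
```

The design point is that the two checks are independent: a lookalike domain is suspicious even without payment details, and a changed account number is suspicious even when the sender domain looks exactly right, so a payment should be held for out-of-band confirmation whenever either finding is non-empty.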

The above highly scalable scheme and its iterations have been so successful that the FBI recently reported more than $2 billion of funds have been mis-wired and unrecoverable in the last year alone, and that is only what is reported to the FBI.

What if you had RMail PRE-Crime services with Email Eavesdropping™ alerts turned on? You would have known that your clients were being drawn into the above scheme before you were cut out of the loop. Put another way: if an email someone sends is being eavesdropped on due to an unknown security issue with the recipient’s email account, you will be alerted. Plus, you and they (if they use RMail) will get alerts after they click SEND, before the message is sent, that they are about to unknowingly correspond with a cybercriminal, preventing the cybercrime while raising e-security awareness at the user level.

For more information on RMail PRE-Crime services and how they can prevent BEC attacks before they are carried out, please review this recent webinar presented by the Florida Bar – and as a bonus, Florida Bar lawyers can receive a CLE credit for watching. Or, contact us to receive our free white paper on PRE-Crime™ Active Threat Hunting.

Feel free to contact us to discuss RMail, its cutting-edge Email Eavesdropping™ alerts, or if you have any concerns about your own systems being eavesdropped on. Stay tuned for our final installment in our email eavesdropping series next week…