business email compromise hushpuppi

Business email compromise: A case study of Hushpuppi

Business email compromise (BEC) crimes are so rampant and make quite a lot of news on the global scene. It is just unfortunate that these are rarely investigated and prosecuted.

What usually seems like a regrettable mistake involving an experienced employee sending money to a wrong bank account is actually a well-mastered game, in which so many get filthy rich, while others amount losses.

What is a Business Email Compromise?

A BEC, as in its short form, is “a response-based impersonation attack that’s requesting something of value”. It is basically a group of individuals posing as a legitimate business to trick people into giving away their money. It is not a one-day job, neither is it an act by a naive lot! It is one that takes time, requires expertise, and involves many players – each with a role to fulfill.

How does the business email compromise scam happen?

Regardless of what the end result should be, a BEC scam generally begins with someone gaining access to a corporate email account. They, in most cases, use social engineering tactics like phishing. When they get in there, they take their time and don’t steal anything. Instead, they quietly begin forwarding copies of incoming and outgoing emails to themselves as they wait.

They watch the exchange for a number of weeks or months, looking for details of certain payments that are going out, understanding who the customers are, looking at communication patterns. Once they spot an opportunity to strike, they then take over!

This can be in the form of an invoice coming in or out, which they use to insert themselves into an actual payment that is supposed to be due.

Inserting themselves into the payment

If the scammers have compromised the email of the intended recipient of the payment, they create an invoice identical to the real one, swapping in their own bank account details, and resend it from the recipient’s email. This usually comes with “apologies for the mix-up”.

Alternatively, if they’ve compromised the sender, they might send a follow-up invoice from a “spoofed” email that appears at first glance to match the payee’s, or even create an entire company and website, one letter off from the real one.

In either case,  the accountant – meant to clear off the payment – will see a normal email that matches the ones he receives every day, and won’t give it a second look or thought.

How the money from BEC attacks is shared

Like we’ve told you, it is never a one-man’s game. There are numerous of these scammers, and each of these has to take a small cut of the total funds.

There are those who are experts at breaking into email accounts in the first place. Then, there are the “money mules,” usually  people who receive and transfer money obtained from victims of fraud. Some such mules know they’ve been recruited to assist criminal activity, but others become so without realizing their activity is benefiting fraudsters.

Above all these are the “loaders” and the law calls money launderers: the people controlling international accounts that can accept millions of dollars in transfers and then reroute the money around the world to be harvested by heist organizers. This is where the Nigerian, Hushpuppi fell. You can read more about his activity in the link below.


Business email compromise: A case study of Hushpuppi
To Top