Season 3, EP 5

The Silent Epidemic of Business Email Compromise (BEC) Attacks

December 15, 2022

In this episode, host Paul Roberts chats with Ronnie Tokazowski, a Principal Threat Analyst at the firm Cofense and “that BEC guy,” about the scourge of business email compromise (BEC) attacks and the larger issue of online fraud, which is impacting both organizations and individuals.

EPISODE TRANSCRIPT

PAUL ROBERTS
Hey there. Welcome back to another episode of the ConversingLabs podcast. I'm your host, Paul Roberts. I'm the cyber content lead here at ReversingLabs. I'm editor in chief at the Security Ledger, and it's just great to have you back. And today we have an amazing and informative ConversingLabs episode for you. I'm really excited to bring it to you. As you know from watching our previous episodes here at ConversingLabs, we speak with the top experts in areas like malware hunting, threat intelligence, as well as software assurance, software supply chain, source code analysis, all those areas. This week, we're going to be doing a deep dive on a cyber threat that doesn't really get as much attention as it deserves, but that is among the costliest and most devastating, both for private individuals as well as for corporations, enterprises, and organizations everywhere... That is business email compromise, or BEC, as it's known in industry parlance. And to learn more about what's happening with BEC scams, we've invited one of the most recognized experts in BEC attacks, which is Ronnie Tokazowski, into the studio. Ronnie is a principal threat advisor at the firm Cofense and widely recognized as "that BEC guy," and he's an expert on business email compromise scams, and he also hosts a YouTube channel, RonnieRantz, which explores a lot of the issues related to cyber crime, online scams and more. And you should definitely check it out and we'll put a link to it in the post. But anyway, Ronnie, welcome. It's great to have you as a guest on ConversingLabs.

RONNIE TOKAZOWSKI
Thanks for having me. Thanks for having me. And happy to come and talk all of the, quote unquote, wonderful things that we have on the BEC side of the world.

PAUL ROBERTS
Yeah, and it's funny because you on your LinkedIn profile and your Twitter handle, you're sort of like, "I'm the BEC guy." This is my passion project, or the thing I really am focused on.

RONNIE TOKAZOWSKI
Yeah, I was excited. The most ironic thing with that was when I started this seven years ago, it was a, hey, let's start a mailing list and start tracking this stuff. And I never realized how big of a problem I would be inheriting trying to find this stuff. So I try and make it easy because it's like if you whisper BEC somewhere on the Internet three times, like, I magically go, boof, here I am.

PAUL ROBERTS
Here you have very good Google cred around the BEC topic.

RONNIE TOKAZOWSKI
Thank you.

PAUL ROBERTS
And we'll talk about that actually, because that's very helpful in some ways. In a lot of ways. So your Twitter handle, for folks who might be looking, is I heart malware, that's I-H-E-A-R-T malware, which I love, but sort of suggests your interests are not simply business email compromise scams; your history in this field goes further back. So tell us just a little bit about sort of yourself and your origin story and how you got into the business of analyzing malware and then online scams.

RONNIE TOKAZOWSKI
Sure. So, yeah. Ronnie Tokazowski, principal threat advisor here at Cofense. I got started in my career working at a defense contractor out in the DC area. So when I started there, I went on as a Tier One Analyst where I was looking at different logs, different intrusions that were coming into the organization. And I always had an interest in computer viruses for some weird reason. Even growing up, I would do tech support for local home calls on the Outer Banks. And if I couldn't get the virus off the computer with AV, I would always surgically go in there. This is like the Windows 98 days, Windows XP days.

PAUL ROBERTS
Melissa, I love you. That type of stuff. Yeah. Blaster...

RONNIE TOKAZOWSKI
MS Blaster. Those fun days. But working at the defense contractor, I eventually got promoted up to a malware analyst. And at the time, we were fighting and responding to a lot of advanced persistent threat attacks. So we would respond to things like Comment Crew. We would work with UPS, we would work with folks like King Kong. We worked with dozens and dozens of different APT groups. And my role was to go and reverse that malware, identify indicators of compromise, looking at the malware not just from, okay, here's a hash, but trying to think one layer deeper to where, okay, what is a signature that I can create that the scammers would not think of taking out? And then we would take that and put that into our suite of tools to try and identify those patterns. So growing up, I always loved puzzles, I always loved problem solving, and that's just how I'm wired. And that's where the name "I heart malware" came from, because I absolutely loved taking the viruses apart, figuring out how they work.

PAUL ROBERTS
It's funny, that sort of core interest in sort of puzzle solving, right? Taking things apart and kind of figuring out how they work, that you talk to people who do malware reverse analysis or threat hunting, incident response, all this type of stuff, that is just a common thread that ties them all together, like that core personality trait. So not surprising to hear you say that. Interesting, you were working in the defense sector. That the defense sector is kind of what gave us APT as an acronym and as a term. And if I understand it correctly, APT was initially kind of a euphemism talking about nation states before we talked openly about the fact that countries like China were hacking into government networks and government contractors. And this is kind of a friendly or non provocative way of referring to, like, China, basically, right?

RONNIE TOKAZOWSKI
Exactly. Yeah, we can talk all around, but yeah, it was pretty much saying Chinese hackers hacking into defense contractors. There you go. Anybody who's doing that's, what we call it.

PAUL ROBERTS
Applies to a lot of things. Not just nation state actors, but cybercriminal actors. Right. It's more of a collection of tactics and technical.

RONNIE TOKAZOWSKI
Yeah, I was saying now the definition APT means some hacker hacked into my company and I couldn't figure out why they did it or how they got into it. So we're going to slap the term APT on there to make us sound special, that we really got taken advantage by something. But that's how it is now. It's a lot looser than it really is...

PAUL ROBERTS
This is like a euphemism for like, somebody dunked on me, basically.

RONNIE TOKAZOWSKI
Yeah, I got hacked. I want the FBI to come help. Call it APT. There we go.

PAUL ROBERTS
"This APT appears to be a 14-year-old in England."

RONNIE TOKAZOWSKI
Quit leaking their secrets, Paul. Quit leaking the secrets.

PAUL ROBERTS
So business email compromise. So you started out doing malware analysis, kind of traditional incident response malware analysis, taking apart bad software that ended up on government networks or corporate networks. How did you go from that to focusing more on online frauds and scams, in particular business email compromise scams?

RONNIE TOKAZOWSKI
So when I was working at the defense contractor, one of the things I liked doing was letting the malware run live and interacting with it. And some of the times when we would get a phishing email, sometimes I'd actually just respond back and see what would happen. So one of the things I liked doing was always looking at the human behind it. So I ended up leaving the defense contractor and came over to PhishMe, now Cofense, and one of the things that we saw was our chief financial officer had gotten an email from Rohyt Belani, who's one of our CEOs. And it said, "Hey, Sam, are you in the office? I need to go into a wire transfer." And it was one of those days where I was in the office, I was meeting with Aaron Higbee, who was our CTO at the time. And Sam came in, he was like, "Ronnie, Aaron, I don't know what is going on, but Rohyt just sent me this email." He's like, "go figure it out." So what we did was we looked at the email, and with most phishing emails, there's some lure, there's some malware, there's some payload, there was always something with it. And this was one where it looked like it needed a response. It looked like the scammers were eliciting a response. So we gave the attackers exactly what they wanted. We responded back, and to our surprise at the time we got a response back, like, oh, hey, I need you to do this wire transfer. So us being the trolls that we are over at Cofense, we were like, hey, let's go ahead and actually engage with the scammer, see what we can do. We got them to send a bank account by saying, yes, we're happy to do the transfer. We were able to track where they were sending the email from. They were coming from the UK. And then we blogged about it. This is going back, I think it was September 2015 at this point, and it was just small name fraud that we didn't realize and understand what was going on. There was really no name for business email compromise at the time.
So we started talking to a bunch of private researchers, we started talking to a bunch of colleagues, law enforcement, and it was this new trend that we were seeing that was conversational based phishing attacks, that didn't have malware, that didn't have a payload, and it was pure financially driven. And starting around Christmas of 2015, this was kind of when I inherited this BEC problem. I made a mailing list and it included a bunch of private researchers, included law enforcement, to try and understand what this was. And that was my first forays into understanding this thing called again, business email compromise, and trying to pick up how this stuff works well, overlaps with it. And that's kind of how it started to spiral.

PAUL ROBERTS
In that initial email that you got, were you able to look and say, oh, this is not from Rohyt, so it's clearly a fraudulent email? Or had they compromised his account? Because sometimes they actually compromise the source's account, so it is basically a legitimate email from their account. But in this case, it was a sufficient email, basically.

RONNIE TOKAZOWSKI
Yeah, there was no compromise with this one. The attack they were using was CEO impersonation. So they were saying Rohyt, coming from a different email account that was not Rohyt. And they were sending the email to Sam, again, who was our CFO at the time, trying to get him to do a wire transfer. Again, they've got access to that. Like I said, that was the tactic that we saw in that specific attack.

PAUL ROBERTS
And that's a pretty common one. And that's what you read about: the sort of executive emailing, sort of, well, CFO is pretty senior, but often it's a lower level, especially in larger companies; they might have lower level employees who actually have authority to do wire transfers. And it's sort of, we need this now, we're doing an acquisition and this has to go through, and that type of stuff. So that was seven years ago. What form do these scams take now? Is that still basically the template that most of these use, or has it evolved?

RONNIE TOKAZOWSKI
So the form they take now is yes, like, just yes, they do. There are so many different types of crimes that we have tracked back to BEC actors doing stuff. So I'll kind of take a quick step back and define what is business email compromise. So, for a lot of the email attacks that we saw, again, most people think of BEC as just a CEO, or someone pretending to be the CEO, sending an email to someone in financial authority to go and make a wire transfer, and that was kind of the de facto definition for a really long time. However, when I was over at Agari we actually got some visibility into a group called Scattered Canary. And what we discovered was this thing that we were tracking in the industry as BEC was much older than we realized. And the name that it actually had was 419 scams. Everybody knows what a 419 scam is, it's your Nigerian prince scam. But what had happened, what we observed.

PAUL ROBERTS
I'm the widow of Mobutu Sese Seko and I have billions of dollars in gold, you need to help me get it out of it. Anyway...

RONNIE TOKAZOWSKI
Exactly. What happened was the scammers realized that they can go and target businesses and other organizations in order to get them to wire money. So BEC was more of a shifting of tactic than some brand new thing. And for crimes that we've seen tied back to the BEC actors doing this stuff, again, this was based off of our initial Scattered Canary report. We saw them targeting FEMA, we saw them doing traditional BEC. We saw romance scams, check fraud, car wrapping scams. We saw email compromises where they would compromise the email account and send phishes through there, and digging deeper, we actually saw cases of like voodoo and human sacrifices tied back to some of this stuff because of some of the things they were doing over in Nigeria. But it's an entire laundry list of scams that these scammers are doing, and that's one of the biggest things I would say to take away from this: when it comes to BEC, it's not just the email side that we see here in the industry. There's a whole underlying ecosystem of suck that the scammers are doing, and that's kind of part of this whole fraud, if you will.

PAUL ROBERTS
In addition to the scenario that you just sketched out, I know that these scams also affect individual consumers. So there was a whole branch of these type of business email compromise attacks that were around like closing on houses, right, where the attackers would kind of infiltrate and get either the deposit or the actual transfer of funds for the purchase of the house sent to another account. And there are a whole bunch of stories about that or other kind of big purchases. Do these mostly affect businesses, or are they equally affecting consumers and businesses or enterprises?

RONNIE TOKAZOWSKI
I would say they're fairly equally hitting the businesses and the consumer. So for the larger amount of money they'll go and hit the businesses. But the consumers are losing a lot of money too. And for the consumers it's not just, hey, you lost a bunch of money. It's also the emotional damage, too, because for many of them, it's romance victims who didn't realize they were being socially engineered. And they're now on the hook for millions of dollars or hundreds of thousands of dollars. Or in the case of, like, the real estate scam side, it's, hey, I'm going to buy my first home. And I wired money to the wrong escrow account because the real estate broker was compromised. And at that point it becomes hard because that's now somebody's life savings in both cases. That is now gone in a lot of cases. 

PAUL ROBERTS
Just devastating.

RONNIE TOKAZOWSKI
And that's the thing that's absolutely devastating for a lot of people who are pulled into this and they don't realize it.

PAUL ROBERTS
When we talk about the business email compromise kind of toolkit for the attackers, what's in it? Is malware a part of these ever, sometimes never and kind of what are the building blocks of these attacks?

RONNIE TOKAZOWSKI
Yeah, so we've seen some malware tied back to this, but comparatively it's very, very small. Most of the attacks are flavors of social engineering where they'll use bodies of text that they can copy paste back and forth to victims and say, hey, I love you, I want to build this relationship with you, or hey, I need you to go and update my payroll, here's my new bank account. And that's one of the big things that they use as part of the repertoire, using that to do these attacks. In addition to that, many scammers will go and use lead generation services, very much the same tools that our marketing teams use, in order to find targets. I know I mentioned beforehand, but our church was a good example where people at our church got hit with a gift card BEC where they wanted to go and say, hey, can you give me a gift card and send it over. We've also seen cases where again they'll go and pull information such as people who are controllers of financial information. That's one of the words they like to use to see who has that authority. And they'll go and do those queries in these back end systems to go and pull a listing of 200 companies, and they'll go and get the names and businesses and email accounts, again, right from those lead generation services that many of our marketing teams use today.

PAUL ROBERTS
My dad got caught up in one of these scams. He's in his mid-80s, and for him, he visited some website and there was a little pop up ad that said, oh, you know, your computer has been infected, please call this number. We're Microsoft. And then he called the number, and it was a very sophisticated scam. I'm Microsoft employee 35926 and here's my name, and just kind of credentialing themselves to my dad, who didn't know any better. And the same thing: they had him marching down to Walgreens and buying gift cards to send to Microsoft Corporation, a billion dollar company. And lo and behold, I hear that Walgreens, because Best Buy and Target do better jobs about signage and stuff around gift card purchases to kind of warn people. Like if you're on the phone talking to somebody and they're telling you to buy a gift card, you're being scammed. And they told him to put his phone away when he went into the store because they've told their clerks to be on the lookout for this and so on. But it still cost him hundreds of dollars and it was a real painful lesson for him. So it's not an email in this case. It's a pop up. But same idea. Same concept.

RONNIE TOKAZOWSKI
Yeah. And on the consumer fraud side, a lot of the attacks play out very similarly emotionally for the victims, because a lot of the scammers will use scare tactics, or for the Indian tech support, which it sounds like he was hit with, they'll use scare tactics. They'll make you think that your computer is infected. And for the people who are in this, they're vulnerable and they're super tech support up. I was actually doing some research on the age demographic for people who tend to be targeted like this, and for a lot of people who end up being pulled into the scam, the primary age group is usually like 50 and older. That generation grew up during times of war, during times of the Cold War. So that fear and tension is something that is deeply ingrained in them. So these scammers have figured out, albeit whether they know they're doing this or whether they're not, that they can go and weaponize that fear and take advantage of that person and scare them into it. And that's one of the things that's really hard psychologically, breaking through to so many of those victims, because they feel shameful, they feel guilty, they feel dumb for doing it. But it's something where many of the victims just don't realize that that's a thing that people do. And the analogy I like to give is like different knowledge. It's like, I'm horrible looking at cars, so I would go bring my car to my mechanic, but my mechanic is not going to go, hey, you're dumb for falling for this. It's like I just truly don't know cars. And likewise, many of these people truly don't know computers and they don't know scams. And as professionals, our job is kind of to help break that barrier down, to help articulate that.

PAUL ROBERTS
Yes, absolutely. Yeah. I often make the analogy of if somebody came up to you in the supermarket parking lot and tried to sell you a luxury watch or something, even in that age group, they'd say, yeah, this is where you buy a luxury watch. This is the wrong context.

RONNIE TOKAZOWSKI
Exactly.

PAUL ROBERTS
But they don't have the same sense of context and what's appropriate and inappropriate online. Everything is kind of flat, right, in terms of spaces and authority.

RONNIE TOKAZOWSKI
And it's one of those things where when you see something online and when you see that pop up, as an industry, we scare people to watch out for viruses, watch out for scams. And then someone is threatened with that concept of, oh, hey, you might have a virus. Oh, hey, you might be part of a scam, pay me $300, I'll help walk you through it. We're literally training people to be afraid of this stuff and not be skeptical or try and have that critical thinking of, okay, people are saying that it's a scam, but who do I trust? Or do I trust this person who might be scamming me? Or is there more to it?

PAUL ROBERTS
One of the things that you pointed out that I think is really interesting and important to note is that within cybersecurity circles, often researchers like yourself or experts tend to look down their nose at BEC attacks simply because there isn't really a technical aspect to them. They are phishing attacks. They're manipulating people's trust and anxieties, like you said. But often there isn't code to analyze or any technical aspect to the attack itself. And so they tend to sort of like you said, people are often kind of dismissive of them. You're really trying to change that. But with both all the work you do and also your YouTube channel, just talk about why you think just within the InfoSec community, we need to be more attentive to this particular type of attack.

RONNIE TOKAZOWSKI
Yeah. So I will say from my perspective as a technical junkie who liked doing technical things, who was like, emotions, what are those things? I don't have those. I'm not going to deal with any of those. And to be later hit with a baseball bat, years later, what a lot of it comes down to is we have a single track mind of thinking. We think and believe what we see, and it becomes dismissive. And for a lot of the victims who get hit with stuff, and again, for the technical people who are listening to this, I was the same person. I was one of those people who was like, why would people fall for this? They're dumb, they're stupid, they're idiots. No one would click that. It's obviously looking suspicious. But what happens is it's easier to emotionally dismiss that and kind of be like, okay, they're dumb, and move on, than taking that break and being like, wait, people are falling for this. We have lost billions of dollars, hundreds of billions of dollars. We have people committing suicide here. Why is that? What emotional thing is happening for that victim to be susceptible to this? And that's a lot of where it comes down to: for many of us in the field, we aren't... Many of us are not people persons. I was not a people person. And learning the concept that, hey, because somebody feels like they're in love, because they have this emotional connection, it's not something you just disconnect. It's not something you just turn off. And for many of the people who are going into this and who get pulled into the scam emotionally, what happens is they were alone. They had nobody there. They may have had a love of their life that was their husband or their wife, and they're divorced or widowed. I've heard this story a thousand times over again, that they went online. They went to this dating website just to look for love. And this one perfect person decided to come over who was also divorced, who was also widowed, and is able to emotionally connect with them.
And because of that emotional connection, that person now starts to fall head over heels. They have that loving feeling again. They've got a new outlook on life, and they become a lot happier. And what it eventually turns into is that love now becomes tainted, where they're like, hey, I need you to go and, can you go buy me this $20 thing over here? And it starts small for a lot of these cases. And with a lot of the people who do it, they don't realize what's going on. They don't realize that there's somebody out there who wants to go and scam them. And it eventually gets to a point where, when they've been in the scam for so long, they now have to mentally justify it. Okay, so that entire relationship that I was in, where I had those positive feelings, where I was taking pictures of my food and sending it back over to this person. They now have to come to terms with, okay. No, I actually was scammed. I am a victim. I've been living a lie this whole time. I now have the shame where I have to go and tell my friends and family that I was victimized. Because of this, I may have spent hundreds of thousands of dollars, and it's hard. And as humans, I was actually researching this. And it was a TED Talk that kind of pointed me in this direction, but it was a concept called, the name of the TED Talk was Honest Liars. I forget her name, but what she was talking about was, as humans, consciously we will lie to ourselves to justify our behavior. And for times where it becomes extremely difficult to accept something, we will come to the easier conclusion that, hey, all of these victims are dumb, and use that just to kind of move forward, because our brains are lazy in that regard. It takes work to process alternative perspectives. And again, in the concept of the Honest Liar, we will straight up lie to ourselves. So many of the victims will stay in the scam believing that they're in love, because what sounds less painful?
And again, for those people who are not emotional or who feel like they have their emotions turned off like I was years ago, what sounds easier to accept the reality of, oh, hey, I actually am in love with this person? Or you got abused, you got taken advantage of, you lost hundreds of thousands of dollars, you're feeling suicidal, and you have no one else to turn to because you truly thought you were in a relationship.

PAUL ROBERTS
Who can you trust now, right? I mean, yeah. 

RONNIE TOKAZOWSKI
Exactly. And you have trust issues because of this. And the amount of abuse that happens with these victims is absolutely horrifying. There was a psychologist named Monica Whitty out in Australia who has done a lot of work, and she interviewed, I think it was like, thousands of romance victims. And what her main thesis and what she was able to conclude was that when looking at the physiological symptoms that happen in the body for romance victims, again, this is going to be a heavy pill to swallow here. The physiological symptoms in the human body for romance scam victims are virtually identical to the physiological symptoms of rape victims. And for the emotional abuse, for the emotional bags that many of these people go through, that's what happens. It's just happening on a psychological and emotional level, not a physical level. And like I said, that stuff is scary and is heading.

PAUL ROBERTS
And I know I've heard, like, many of these will continue to sort of engage with the scammer even after it's been shown to them that this is a scam and that they are being lied to. They still can't let go of the relationship, and they'll continue to exchange texts and even send money to these people, even knowing, being shown, that they've been scammed.

RONNIE TOKAZOWSKI
Yes, I've worked with many of these victims. I know people who have worked with other victims too. And what happens is, I've got one victim I was working with who was in it for a while, and for four months, he knew he was in a scam. And he could not accept the reality that he was a victim, because every time that the scammer talked to him, he'd always say, like, bro, and try and play up that relationship. So he tried to have that emotional connection with them, but the reality was he had lost over $30,000, and was struggling to admit it to himself, even though he knew he lost that money. And again, going back to that concept of Honest Liars here, we don't want to feel like we were tricked. We don't want to feel like we were taken advantage of, again, as human beings. It's just part of our physiology at that point.

PAUL ROBERTS
So you've said in your research, you often kind of engage with scammers and lure them in to learn more about them and their operations. A lot of these scams operate out of Nigeria. A great big percentage of them are based in Nigeria. And obviously these are scammers, so they're not people who are inclined to be transparent. So how do you go about learning the truth about these groups, how they're operating, or even who's behind them, just via your obviously remote interactions with them? What's in your toolkit, so to speak?

RONNIE TOKAZOWSKI
I spend a lot of time researching, and when I say researching, not just, okay, researching BEC and just fraud. I'm digging into cultural history to understand why Nigeria and why it is the way it is.

PAUL ROBERTS
You anticipated my next question. Go ahead. Yes.

RONNIE TOKAZOWSKI
And it's one of those things where, for me, it's a lot of just researching, talking with people on the ground. And I have a lot of colleagues out in Nigeria that I will bounce the stuff off of so that I can get a local's perspective on the stuff. And when we think of scammers here, we think that they are people that no one would know. You would never know that this person was a scammer. But in Nigeria, you can walk down the road and, like, spot five Yahoo boys walking down the road, which is what the scammers are called there. And that's something...

PAUL ROBERTS
No relationship to Yahoo, the company we should note. 

RONNIE TOKAZOWSKI
Yeah, because I know Yahoo doesn't like that. Sorry, Yahoo. But in that same breath and stuff, a lot of scammers are known. Like, all the locals know who's doing it. It's more publicly acceptable. You've got a lot of darker stuff that, again, ties back to it. But the concept is, if I can play a trick on you and trick you out of money, then that's free game, that's something that I can do. And you have this whole concept where many people in Nigeria have that mindset, where if they can trick you out, you're good. You have songs and rap videos made about this. One of them is called Maga Don Pay by a person named Kelly Hansome, where they have referred to people as fools or mugu as a part of this stuff. And again, you have an entire ecosystem of subculture of rappers who rap and praise the Yahoo boys, saying, oh, you did a great job. You went ahead and took advantage of the people.

PAUL ROBERTS
This is literally now a part of the culture in Nigeria, the industry of 419 scams and this kind of criminal behavior. And so I'm guessing that local law enforcement is aware of it, but is not taking action?

RONNIE TOKAZOWSKI
So the perspective of local law enforcement in Nigeria is a complex issue. And what I mean by that: one of the primary people who does a lot of the arresting of scammers is the EFCC. And if you go to their Twitter page right now, you'll see arrest after arrest after arrest after arrest where they're arresting scammers, and they arrest them all day long. The problem is, at the scale at which this stuff is operating, there is no time to do forensics on the devices, identify more victims, pivot from there, pass it over to the service providers, and then identify more people on that. Because, like I said, you could go to their Twitter account right now, and within the last week, they will have arrested a hundred different people who are doing this stuff. And in addition to that, EFCC is extremely understaffed. So for the amount of work that they're doing, they're doing a good job. But like I said, the scale at which we see this stuff is unfathomable, because you literally have hundreds of thousands and millions of scammers who are doing this. In addition to that, with the EFCC, there's also some places where there's corruption within that organization, and there's corruption within other police departments too out there, where some of the arresting officers will actually extort the people who are doing the scams and say, hey, give me $500,000, I'll let you free, type thing. Because life in Nigeria is hard. It's not all easy and happy go lucky. It's very difficult living in Nigeria. So when you have that corruption, where the Yahoo boys are being extorted in order to go and do some of the scams, you don't know who to trust when it comes to working with law enforcement. And like I said, the EFCC is so understaffed, and it's hard to do a lot of this stuff because, like I said, the resources, the infrastructure just isn't there to go and do forensics on those 100 laptops that were pulled over the last hour, over the last week.

PAUL ROBERTS
Like the pre-RICO law enforcement actions against the mafia. Which is, you can arrest a lot of low-level criminals, street-corner criminals, but you're never really getting at the overarching criminal syndicate.

RONNIE TOKAZOWSKI
Yeah, we know many of the syndicates who are doing it. We know folks like Eiye, Black Axe, Airlords; we know that they're involved. And for them, they're literally international criminal syndicates that run stuff in multiple countries other than just Nigeria, and the disbursement where the scammers are. Like I said, it's not just Nigeria. We've got folks in Kenya, Ghana, Algeria, Tunisia, Morocco. We've got folks in Dubai, South Africa. I could list off a dozen other countries where we know Yahoo boys are sitting, many of which sit right here in the United States. And that, again, is something where the global disbursement is there. Again, it's not just a Nigeria problem here.

PAUL ROBERTS
The Washington Post just profiled one of these criminals from Nigeria, but he was arrested here in the United States, who had scammed thousands of Americans out of COVID relief funds. Basically by applying with stolen identities, applying for those funds as well. I think you actually had a role in kind of working with that reporter as well.

RONNIE TOKAZOWSKI
Yeah. So the way that my relationship was with the COVID relief stuff, again, when we were back at Agari, we had a group, Scattered Canary, where we had identified multiple instances where the scammers were applying for COVID relief funds. At the time, it was SBA fraud and unemployment funds. But what we did was, once we identified those specific campaigns, we passed it over to law enforcement, we passed it over to the Secret Service, we said, hey, here are these cases. Go and identify something with this. And that was one of the things where they knew this fraud was happening, but they didn't really know where. And we were kind of able to help point to some of those things. At one point, we knew of 14 states that were hit. But I think in total, I think it was like over 30 states that the scammers had hit. And for scale and scope of how much money had gotten lost, I think it was, and I may have these in the wrong order, so switch the numbers, but I think it was $100 billion of unemployment funds that went out. And I think it was $72.5 billion of SBA money that went out. So that's almost $200 billion that could have been used to feed Americans who were struggling from COVID that was used to buy nice cars and alcohol out in Nigeria. And in addition to that, on a similar topic, they actually found a group called APT 41 or Winnti, to the people who are going to yell at me for how I pronounce that, we'll keep that debate going. But they actually found a Chinese APT group who was doing COVID relief stuff, too, and they stole something like $20 million. So once that system went live, everybody had a heyday with it. And like, you had Americans taking advantage of it. There were some Indian folks who were also taking advantage of it. So it was something where many countries actually were dabbling in that system. And like I said, when it came to the BEC side, we saw, I think it was like $100 billion that ended up going out as a result of that.

PAUL ROBERTS
That just fuels more cybercrime, right? I mean, that's just money in the pockets of cyber criminals.

RONNIE TOKAZOWSKI
Yeah, in some cases, we actually had back-end access to see some of the chatter that the scammers were doing. So we actually knew what they were going after. We had the templates, we had many of the tutorials that they were using to go and hit these systems. And we knew that from day one. We're like, oh, crap, we know a lot of people are getting ready to go after this. So we were able to say, hey, go look at this state. Go look at this state, because there's probably a lot.

PAUL ROBERTS
And who are you dealing with on the law enforcement side?

RONNIE TOKAZOWSKI
Secret Service. So I do a lot of work with Secret Service. 

PAUL ROBERTS
And they were able to intervene and short circuit some of these, presumably.

RONNIE TOKAZOWSKI
Yeah. And our relationship was we were able to kind of pass information, intelligence, up to them and say, hey, here's some fraud that we know of. Here you go, you might want to go look at this. And with the directionality of that, by being able to pass that stuff up to them, it was able to speed the case up. And a lot of people who work with the FBI, who work with our governments and everything, passing that, being able to have that collection of information and passing that up helps speed everybody's process up to start stopping the fraud. That's what we really need to do.

PAUL ROBERTS
So you've been talking recently about a new sort of iteration on these attacks called Pig Butchering. Tell us about Pig Butchering. The name does not sound like it's a good thing. So what is this?

RONNIE TOKAZOWSKI
Yeah, and growing up in North Carolina, where we used to have a lot of hog roasts and everything, I'm like, come on, you all could have picked a different name. But Pig Butchering, also known in Chinese as sha zhu pan, is a type of romance scam that usually morphs into investment and crypto fraud. And the way it works is you might get a missed text message from somebody to say, "hey, how are you?" And from there, they'll be like, "oh, this must have been a wrong number." And as you start conversing with them, you build a relationship with that absolute random stranger. And the way that it works is it usually gets to a point where, like, hey, let's go and invest in this platform. And you'll go and invest $100,000 with a guaranteed, like, 20% return on your investment. And these people will go and buy the cryptocurrency and upload that and push it up to these platforms. And many of the platforms are websites that are made to look real, but they're really not. And the unfortunate thing is that for the scammers who are doing this, they're not necessarily like a Nigerian scammer per se. They are people who are in Thailand, Myanmar or Laos, who are human trafficking victims. And those victims of human trafficking are held up in large apartment buildings. And one of the reports that we saw, I think it was, I forget if it was the Washington Post or the New York Times, but they said there were upwards of, like, 100,000 victims who are doing this type of fraud, and they're literally in tall apartment complexes scamming people. And it's these victims who are now abusing other victims to go and hit some of this stuff, too. I've heard stories, and the losses that we're seeing on the Pig Butchering side are way higher than what we're seeing on the romance scams, on the traditional Nigerian romance scam side. It is not uncommon for me to hear stories of a million dollars lost here, $1.5 million lost here.
I was talking to a colleague yesterday, as a matter of fact, and he has one victim who was hit for $2.2 million. She's currently in the hospital with cancer. And that's some of their targets, is a lot of the elderly and stuff. We've had a lot of suicides tied back to this. And again, I hate kind of being that down on some of this stuff, but that's the reality of this, is that's how far these scammers will go to do that. But also on the flip side, for the people who are being human trafficked, they're literally being beaten and tased to go and scam some of the victims and doing this stuff. So it literally becomes a case of hurt people hurting people to go and continue stealing more money just so that this person over here doesn't get killed. It's a whole ecosystem of suck.

PAUL ROBERTS
Kind of almost slave labor being used to facilitate global internet scams. It's like another 10th of suck, as you said.

RONNIE TOKAZOWSKI
Yeah. And the way it works is you have people in different countries where there will be a job offer to say, hey, go work in this remote country, we'll pay you double the salary. And students will be like, hey, this would be a great job. I get to go travel abroad and everything. And everyone wants to go travel outside the country, go see the world. And what happens is, once these people get to where they are, it's already too late. They're in another country, they don't know the language, and it becomes very difficult again for them to get out of it. Many of them are lured with the fact of, okay, you can go and you can make this money, but in order to get out, you have to pay $5,000. And for some of those cases, it's an amount that seems reasonable, that you can kind of work towards. But the problem is that when it goes to those amounts and everything, it's all virtually impossible for them to be able to get out of there. And again, with that area where much of this fraud is, it's actually part of, like I said, it's highly Myanmar and Laos. It's called the golden triangle. And you have a lot of criminal syndicate activity that happens out there, where you have things like casinos, you have prostitution rings that are run out there. Again, we believe it's similar actors who are all in that type of fraud and that type of crime with those...

PAUL ROBERTS
It's just a new line of business for them.

RONNIE TOKAZOWSKI
Exactly. New line of business to go and keep getting more money.

PAUL ROBERTS
When we talk about combating this, obviously you've pointed out one of the main drivers of this in countries like Nigeria is just poverty. The people, there's a terrible economy, really high levels of unemployment, lack of economic opportunity, and becoming a Yahoo boy is potentially a road to being middle class. So I guess one solution might be to solve the problem of poverty in Africa. Here at the local level, on the receiving end of these attacks, both as a response from the InfoSec community and also maybe from the policy and law enforcement communities, what do you think is the right way to go after this problem, given that it is so widespread and so kind of quiet and subtle in some ways?

RONNIE TOKAZOWSKI
The first thing is we need to rethink how we're doing this; we need to realize that this is a people problem. And especially when it comes down to working with a lot of the victims, they don't have the emotional support, many of them don't have the ability to go and see a therapist. And one of the things I like to recommend, it's going to sound like it's coming from a way different angle here, but meditation, breath work and mindfulness is something that really helps people process a lot of those difficult emotions and helps them literally reconnect back with their body.

PAUL ROBERTS
Interesting.

RONNIE TOKAZOWSKI
One great example, the victim I told you where he was in the scam for four months, I've been researching a lot of these topics and I was able to do a small hypnotherapy session with him over the phone. And in essence, what I did was I took all of the muscles in his body, was able to force a relaxation across from them and he now has the power to do that. And in talking with him, it went from, oh, hey, I'm not going to go and I'm going to continue being in the scam, to oh hey, thanks for that, I now know what to do, I'm going to do my best to get out of it. The next time I call you is going to be good news. I haven't received a call yet from him. But to go from four months of being in a scam to being able to walk him through that, it was encouraging. And like I said, a lot of people don't know how their emotions work. They don't have that mindfulness and they don't have that mental health thing. And again, as somebody who really, really struggles with anxiety and depression, it's something where that's one of the biggest things that helped me through a lot of my stuff. And directly we're working a lot of this material. People don't realize how difficult this stuff is, but there's many days where it is hard, it's really hard working muscle stuff, but it's the right fight and I know deep down it's where it's supposed to be.

PAUL ROBERTS
Well, it is, yeah. And I thank you for the work that you're doing. One of the messages that you reiterate a lot in your YouTube videos and in your other talks is just empathy, that we need to have empathy. First of all, of course, for the victims of these attacks, and you talk often about how victims are sort of shamed, and why you should have known. You also talk about just having empathy for people who might have been caught up and used as money mules, or even for the perpetrators themselves, who might have found their way to this because they had difficult circumstances in their own lives. Talk about that.

RONNIE TOKAZOWSKI
Yeah, so I'll actually tag on having empathy for the scammers because like I said, that's one, that's where people are going to be like and they're probably like raging on the back of their phone as they're listening to this podcast. But when it comes to many of these scammers, the education that goes over in Nigeria, in a lot of cases of how you use a computer, like straight up, how you use a computer, we see using a computer as going to build something, watching something on YouTube, going to do something else, go create. But for many of the people who are educated in Nigeria, their concept of using a computer is you use a computer to scam people. And that's its sole function. And what I mean by it consciously in their brain.

PAUL ROBERTS
It's so crazy.

RONNIE TOKAZOWSKI
Again, I've had to dig into so many weird perspectives on this stuff to wrap my head around it. Or in addition to that, like I said, with the poverty, many of the scammers over there, it is not necessarily, hey, I want to go and get rich and be the next Hushpuppi or Mompha. Some of the people are, I will caveat that. But many of the people just want to live and survive. They've got families, they've got kids, they want to go do the best they can. And when you're in a place where there is no employment, where poverty, where unemployment is 50%, where you have no opportunities, your government is corrupt and everybody's taking advantage of each other, many of the choices that these people have is you either scam or you die. Like, that's the reality for many of these people who are doing this, and that's a hard pill to swallow, because, again, you want to hate the scammers, you want to be so pissed at them for taking advantage of those romance victims. And I am mad at them too. But like I said, it's such a weird perspective here. Like I said, there's so much more going on here too. And to touch on the empathy for the romance victims, like the analogy I gave earlier where your mechanic is not going to yell at you, it's one of those things where people need to realize that there's a whole lot more going on with the victims too. They don't realize that these types of scams are out there. They may have heard something on some radio somewhere that actually talks about that. And they may have that gut reflex of, hey, maybe you shouldn't do this. But they don't know that they need to listen to that. They don't know that they need to realize that, hey, that gut feeling here that I'm feeling, I should not go and spend that money. And many of the victims I've worked with, like, that's another thing that I've noticed too, is many of them have that gut feeling that they ignore, that they said, "hey, maybe I wasn't supposed to do that."
And because of that, and because many people just don't understand how these scams work, that whole "stupid person," it's somebody who is going on a website to go and date somebody, who's receiving pictures of the person that they believe they're in a relationship with. They're getting messages in real time. They're receiving flowers at their house. They're receiving real-time information and, again, pictures back and forth. Every single thing that that person is seeing here, again, from their consciousness and that perspective, they believe that they are actually in that relationship with that person. So again, everything that they are seeing, everything these victims are seeing, to them is real. Everything that they're seeing is real. And again, that's the biggest problem, is that when law enforcement goes and talks to many of these people, they'll go and beat them down. They'll berate them, they'll say horrible things to you and be like, "oh, you're stupid," and give that impression that they're idiots. And I've talked with many, like, I've talked to my local law enforcement here to ask them about some of the scams that they see, and that's the perspective many of them have. I know my father, he also did a lot of these things. And before working this stuff, that was kind of the mindset I had too. These people are idiots and they shouldn't have fallen for that. But now, digging into the psychology and understanding a lot of stuff like that, it's a way more complex issue than just dumb people doing...

PAUL ROBERTS
Also, how atomized and lonely people are in our societies, certainly in Western societies. There's this notion that you might be living with your three generations or your family, and there's all this, and they're like, no, these people are really alienated, especially elderly people. They might not have much contact with other people, and this online relationship becomes a lifeline for them, and one that they don't want to let go of because it's a lifeline.

RONNIE TOKAZOWSKI
Exactly.

PAUL ROBERTS
Ronnie, is there anything I didn't ask you that I should have or anything you want to say that I didn't give you a chance to say? It's been a really fascinating conversation.

RONNIE TOKAZOWSKI
Oh, yeah, it's definitely been fun chatting on it, and trying to think, I could seriously talk for like the next 4 hours on this stuff. So if you ever want me on again, I'm happy to kind of talk through some of this stuff. But like I said, the biggest thing here is for people who are tracking BEC, define your processes, know what your processes are. Your CEO more than likely won't ask you for a gift card. And if somebody sends you an email saying that from payroll, like, more than likely it's not. And again, be awesome to each other, because it's like we're all we have here. And a lot of people who are doing the scamming, again, they're in poverty, they're trying to work too. And that's why I advocate so hard for people in Nigeria, because right now, some good news here is that you have a culture in Nigeria right now that is starting to turn against the scamming side. They want to go and be successful. So many of the youth out there are starting to learn the correct way of doing tech. You've got places like Future Labs that's kind of like a tech hacker hub, if you will, where they're doing development and things, and the information security community helps fund that. So to those who are involved, thank you. And it's things like that that are going to make the difference. And at the end of the day, we could arrest every single scammer tomorrow. We could put cuffs on all of them tomorrow. It does not fix the underlying problems of the poverty of Nigeria, people not having that sense of togetherness, to be able to work together as one, to be like, hey, let's actually try and make a difference and be awesome to each other. So that would be my biggest takeaway there. Just be kind to one another, because it's a crappy world right now, and there's a whole lot of stuff.

PAUL ROBERTS
Indeed. We'll leave on that note. I think that's a good note to leave on.

RONNIE TOKAZOWSKI
Sounds good!

PAUL ROBERTS
Ronnie Tokazowski of Cofense. Thank you so much for coming in and speaking to us on ConversingLabs. It's really been a pleasure having you on. And like you said, we will have you on again, I can guarantee you.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.
