23 Charged in European Email Fraud SchemeEuropol: Scammers Waged Operation Related to COVID-19
The EU law enforcement agency Europol says it used a sting operation to derail an organized crime group that waged an email fraud campaign that stole about 1 million euros ($1.1 million).
See Also: Email Reporting and Remediation
Twenty-three suspects were charged after raids in 34 locations in Romania, the Netherlands and Ireland, Europol says. It's unclear how many arrests were made. Europol did not immediately respond to a request for comment.
An organized crime group comprising African nationals residing in European countries waged the fraud campaign by impersonating retailers and suppliers selling protective equipment following the outbreak of COVID-19. Prior to the pandemic, Europol says, the group offered other "fictitious products" for sale online.
The EU law enforcement agency says the group created fake email addresses and webpages that impersonated wholesale companies, tricking businesses in Europe and Asia into placing orders that were never fulfilled.
The fraudsters allegedly obtained payment information, used it to steal funds and then laundered proceeds through Romanian bank accounts it controlled, later withdrawing money from ATMs, Europol says.
A Persistent Threat
Reacting to the crackdown, Rick Holland, a former intelligence analyst for the U.S. Army and current CISO for the security firm Digital Shadows, says: "Though these sorts of law enforcement actions are encouraging, there will always be other cybercriminals waiting in the wings."
Jack Poller, a senior analyst at the IT intelligence firm Enterprise Strategy Group, says email fraud is a persistent threat.
"Most organizations consider email to be one of their top five threat vectors," Poller says. "Victims and their organizations are often embarrassed and reluctant to come forward. And victims perceive that the effort of recovering losses has a low probability of success."
Kathleen Moriarty, CTO of the nonprofit Center for Internet Security, adds that email fraud schemes will remain prevalent "as long as people are triggered by basic behavioral responses. They will become more difficult and costly for attackers as the industry moves to adopt built-in security. But this will take time; until then, these attacks will remain a concern."
Sounil Yu, a visiting fellow at the National Security Institute at George Mason University, says email fraud schemes "will remain viable for as long as the support structure that enables it remains intact. … There are thousands of actors who are driving these activities, so the arrests of a few dozen will not make a substantial difference."
Yu, who is the CISO at security firm JupiterOne, calls for broader awareness and stricter penalties against "money mules" who move stolen funds.
Risk Mitigation Advice
On Wednesday, Europol's EC3 pointed to its list of warning signs for similar cyber scams, advising users to regularly monitor for suspicious activity, use secure websites - those with a padlock and "https" designation - and report suspected fraud to both financial institutions and police.
The EU law enforcement agency also warns users to limit the amount of personal information they load to social network sites because fraudsters can use the information, pictures and business connections to create fake identities, better understand corporate structures and protocols, and target individuals or enterprise networks with fraudulent activity.
Microsoft offers email scam risk mitigation advice, including:
- Use phishing and account compromise detection tools;
- Implement multifactor authentication to avoid account takeover and disable legacy authentication;
- Implement data loss prevention policies and move high-risk transactions to more authenticated systems.