You may wonder exactly how BEC scammers see a payday. New insight from security vendor Agari documents how a secondary check scam dupes unsuspecting victims into helping.
From April to October of 2019, the African-based cybercriminal group known as “Exaggerated Lion” ran a set of business email compromise (BEC) attacks tricking mostly Accounts Payable employees at over 2,100 companies into fraudulently sending money to alternate bank accounts.
What makes this set of attacks so interesting is that the bank accounts aren’t controlled by Exaggerated Lion. Instead, this same group has been grooming a network of trusted mules – people who are duped into helping with moving money without question – since 2017. The monies resulting from BEC attacks are placed into a mule’s bank account and the mule then cashes the cybercriminal group out. The mules are individuals who have fallen for romance scams (so they believe they are helping their long-distance love) or a fast money business scam (where the individual is paid a fee for processing the check and passing along the majority of the funds back to what they believe is a legitimate business).
This attack is a perfect example of the extent to which cybercriminals will go to achieve their goal of stealing money. In both the BEC scam and the mule scam, social engineering is used, and in the case of the BEC scam, spearphishing is the attack vector.
It is important to remember that the mules only exist because the 2,100 companies fell for a BEC scam. Organizations utilizing Security Awareness Training are less susceptible to these kinds of scams, as their employees are aware of them in the first place and are taught how to spot a scam a mile away.
While Agari has taken steps with the authorities to identify and close out mule-owned bank accounts, Exaggerated Lion continues their BEC efforts.