Illustration: Aïda Amer/Axios

Email scammers are just like any other small business: They need leads, and commercial lead-generation services — the same kind many salespeople use — are providing them.

The big picture: Email scams targeting businesses, usually referred to as business email compromise scams, can seem unsophisticated. They typically take the form of fake invoices or emails from executives asking for money transfers. But like any other kind of enterprise, they care a lot about finding new clients — or, in their case, victims.

Background: In the past, we've covered how criminal groups operate like corporations, from their help wanted ads to their customer support hotlines. This is just the latest example.

  • Email fraudsters became known as "Nigerian scammers" in the early days of the web, when people around the world started to receive messages from bogus Nigerian princes seeking cash assistance. But the name is apt — the major groups actually do operate out of West Africa, and particularly Nigeria.

Details: "Of the West African groups we've profiled, nearly all of them use lead-generation sites," said Crane Hassold, senior director of threat research at Agari, a firm that tracks how email scam groups operate.

  • The criminal groups Agari has observed all used different lead-generation firms.
  • The sites offer users customizable searches for targets. For example, you could look up chief financial officers for tech companies of a certain size and revenue in California.
  • The groups Agari has tracked would sign up for free trials under a series of email accounts using the "Gmail dot" trick, though one group, nicknamed London Blue, outright purchased a $1,500 yearly subscription to a service last year. London Blue went on to download 50,000 leads in 6 months.
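The "Gmail dot" trick works because Gmail ignores dots in the local part of an address, so many spellings reach one mailbox. As an added example (not from Axios or Agari), this sketch shows how a service could collapse such variants to spot repeated free-trial sign-ups. The function names and sample sign-ups are constructed, and the plus-tag and googlemail.com handling go beyond the dot case mentioned above.

```python
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address actually delivers to."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots in the local part and anything after "+".
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    # Other providers may treat dots as significant, so leave them alone.
    return f"{local}@{domain}"

def repeated_trials(signups, limit=1):
    """Group trial sign-ups by canonical mailbox; return those over the limit."""
    groups = defaultdict(list)
    for account_id, address in signups:
        groups[canonical_mailbox(address)].append(account_id)
    return {box: ids for box, ids in groups.items() if len(ids) > limit}

# Constructed sample sign-ups: (account id, address as entered).
SAMPLE_SIGNUPS = [
    (101, "jane.doe@gmail.com"),
    (102, "janedoe@gmail.com"),
    (103, "j.a.n.e.doe+trial3@googlemail.com"),
    (104, "jane.doe@example.com"),   # different provider, dots kept
    (105, "janedoe@example.com"),    # not the same mailbox as 104
    (106, "sam.lee@gmail.com"),
]

if __name__ == "__main__":
    for box, ids in repeated_trials(SAMPLE_SIGNUPS).items():
        print(f"{box}: {len(ids)} trial accounts {ids}")
```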

The groups could craft and refine a single spear-phishing email that would work against a wide variety of similar executives just by substituting different company names and small details.

  • It's more efficient than the older method of target acquisition — scraping lists of names from websites — but it still takes time to work. It took 18 days after a scammer downloaded the name of an Agari executive, said Hassold, before a phishing email arrived.
  • Targeting Agari isn't a particularly bright move, all things considered, but once the scammers get a name from a lead-generation service, they don't do further research. If they cast a wide enough net to find someone who takes the bait, they don't need to.

What they're saying: Axios reached out to six lead-generation firms that criminal groups used in the past, as identified by a security source that asked to remain anonymous to protect its information-gathering operation. None of the firms responded.

  • A quick look around the industry shows these services don't use upfront screening policies that would thwart scammers. And even a firm that did have screening policies in place appeared unaware of the scammer problem and was screening mostly to prevent spam.

The bottom line: Business email compromises reported to the FBI cost firms more than $1.2 billion in the United States alone in 2018, double the proceeds of 2017.

Go deeper: A look inside a Nigerian email scam group active since 2008
