A gang of three men has been charged by the US District Court for the Eastern District of Virginia with laundering the proceeds of a Business Email Compromise (BEC) scam and identity theft.
BEC is nothing new. Scammers access the email systems of employees (via techniques including social engineering, phishing, and malware), and can spend months learning about a company's relationship with vendors and clients before tricking firms into making payments into bogus accounts.
It's one of the most serious threats facing organizations today, with the FBI estimating it caused over $1.8 billion worth of losses to businesses last year.
But the additional element in this particular case is that one of the men alleged to have been involved in the BEC scam was himself employed at Bank of America and TD Bank between 2015 and 2018.
30-year-old Mouaaz Elkhebri, of Alexandria, Virginia, is alleged to have exploited his position at the banks to help scam five businesses out of more than $1.1 million.
According to prosecutors, Elkhebri's alleged role in the plot was to open multiple bank accounts that purported to belong to legitimate companies, as well as accounts for other members of the gang.
One of those alleged co-conspirators, 21-year-old Onyewuchi Ibeh, of Bowie, Maryland, is accused of tricking firms into transferring funds into the bogus bank accounts. This is said to have included the use of lookalike domains to make email communications to targeted companies from supposed suppliers appear more authentic.
A third alleged member of the gang, Jason Joyner, 42, of Washington, DC, is said to have been responsible for the withdrawal of proceeds of the fraud in cash, for distribution amongst the group.
Prosecutors claim that the group targeted companies in the United States and around the world, sometimes defrauding their victims out of hundreds of thousands of dollars.
One of those victims, according to the authorities, was a Boston-based company that says it was defrauded of $356,954 in December 2018.
In the course of the police investigation, logs from the banks were analyzed to determine the IP addresses of computers logging into bank accounts, and CCTV footage was analyzed in an attempt to identify individuals who had accessed bank ATMs to withdraw money.
If convicted, Ibeh and Joyner could each face up to 20 years in prison. If convicted of all the charges against him, Elkhebri is facing a maximum possible penalty of 52 years in prison.
However, it is common for the actual sentences for federal crimes to be less than the maximum penalties.
Cases like this can act as a timely reminder for organizations to train their staff about the risks of BEC, and put processes and technology in place to reduce the chances of falling victim.