Massive email fraud bust snares 281 suspects

Operation reWired – a globe-spanning, four-month-long crackdown on email fraud involving law enforcement agencies in 10 countries – has resulted in the arrest of 281 people suspected of running BEC (business email compromise) scams.

The US Department of Justice (DOJ) on Tuesday announced that the operation, which kicked off in May 2019, led to the seizure of nearly $3.7 million in assets and repatriations.

Out of the 281 arrests, 167 were in Nigeria, 74 in the US, 18 in Turkey, and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia, and the UK.

Chief Don Fort, with the US Internal Revenue Service’s (IRS’s) Criminal Investigation unit, said in the DOJ’s release that the criminal network was complex, and it had a lot more going on besides talking businesses into making bogus wire transfers. Investigators discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in tax refunds, he said.

The collection of law enforcement agencies who coordinated their efforts in Operation reWired is a who’s who list: besides the DOJ, it included the US Department of Homeland Security (DHS), the US Department of the Treasury, the US Postal Inspection Service, the US Secret Service, and the US Department of State. Deputy Attorney General Jeffrey Rosen also gave a shout-out to the FBI, as well as to more than two dozen US Attorneys’ Offices, the Internal Revenue Service’s (IRS’s) Criminal Investigation unit, state and local law enforcement partners in the US, and law enforcement partners in Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the UK.

All together, their work resulted in more than 214 domestic actions: besides the arrests, that included warning letters sent to money mules. There were a number of alleged money mules arrested for allegedly helping to rip off people and businesses, as well.

These are just a few of the suspects who were arrested, who their alleged targets were, and how much money the Feds managed to freeze:

• Brittney Stokes, 27, of Country Club Hills, Illinois, and Kenneth Ninalowo, 40, of Chicago, Illinois, were charged with laundering over $1.5 million in BEC scam money. According to the indictment, a community college and an energy company were defrauded into sending about $5 million to bank accounts controlled by the scammers. Banks were able to freeze around 3.6 million of the $5 million defrauded in the two schemes. Police seized a 2019 Range Rover Velar S from Stokes and approximately $175,909 from Stokes and Ninalowo.
• Opeyemi Adeoso, 44, of Dallas, Texas, and Benjamin Ifebajo, 45, of Richardson, Texas, were arrested and charged with bank fraud, wire fraud, money laundering, and conspiracy. Adeoso and Ifebajo are alleged to have received and laundered at least $3.4 million and to have assumed 12 bogus identities to defraud 37 victims from across the US.
• Yamel Guevara Tamayo, 36, of Miami, Florida, and Yumeydi Govantes, 39, also of Miami, were charged with laundering more than $950,000 in BEC scam money. They’re also allegedly responsible for recruiting about 18 other people to work as money mules, who in turn allegedly laundered proceeds of BEC scams for an international money laundering network. They allegedly went after title companies, corporations, and individuals.
• Two individuals were charged in the Northern District of Georgia for their alleged involvement in a Nigeria-based BEC scheme that began with a $3.5 million transfer of funds fraudulently misdirected from a Georgia-based healthcare provider to accounts across the US. Two Nigerians – Emmanuel Igomu, 35, of Atlanta, Georgia, and Jude Balogun, 29, of San Francisco – were arrested on charges of aiding and abetting wire fraud for their alleged part in receiving and transmitting BEC money.
• Cyril Ashu, 34, of Austell, Georgia; Ifeanyi Eke, 32, of Sandy Springs, Georgia; Joshua Ikejimba, 24, of Houston, Texas; and Chinedu Ironuah, 32, of Houston, Texas, were charged in the Southern District of New York with one count of conspiracy to commit wire fraud and one count of wire fraud for their alleged part in a Nigeria-based BEC scheme that affected hundreds of victims in the US, with losses in excess of $10 million.

What’s a BEC scam?

These scams typically involve legitimate business email accounts that have been hijacked, be it through social engineering or hacking, to initiate unauthorized transfers. The scammers often target employees who hold the pursestrings and businesses that work with foreign suppliers and/or businesses that are in the habit of executing wire transfer payments.

As the DOJ explained in its announcement, the criminal networks that run BEC scams also go after individuals, be it through people buying real estate, the elderly, and others, by convincing them to make wire transfers to bank accounts that the crooks control. We saw an example of a real estate scam earlier this year when we learned about a woman getting swindled out of $150,000 from the overseas sale of her house in Australia.

Sometimes the fraudsters will impersonate a key employee or business partner after they’ve seized control of that person’s email account. Sometimes, they’ll find their victims through romance and lottery scams.

And sometimes, they’ll use dating sites to recruit money mules to help them launder the ill-gotten booty. Last month, the FBI said that this recruitment of money mules on dating sites is on the rise.

BEC scammers aren’t fussy: Besides fraudulent wire transfers, they’ll sometimes go after fraudulent requests for checks… or sensitive personally identifiable information (PII)… or employee tax records… or any/all of the above.

(Watch directly on YouTube if the video won’t play here.)

These scams are getting increasingly sophisticated, and they’re raking in ever more loot. From the FBI’s 2018 Internet Crime Report:

In 2013, BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.

The report also said that the FBI had received 20,373 BEC/email account compromise (EAC) complaints, reflecting losses of over $1.2 billion, last year: more than double the amount lost as a result of such scams during the previous year.

Also on Tuesday, the FBI put out an updated set of figures that show that between October 2013 and July 2019, $26.2 billion has been lost to BEC scammers. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses, the FBI said – an increase due in part to greater awareness of the scam. which has in turn encouraged more reporting.

They’re coming for payroll

The FBI said that the crooks are increasingly going after payroll funds. It’s seen a spike in spoofed emails sent to companies’ human resources or payroll departments. The emails look like they’re coming from employees requesting a change to their direct deposit account – a tweak to a related scheme, in which a crook gains access to an employee’s direct deposit account and alters the routing to another account.

Typically, the crooks are directing the funds toward pre-paid card accounts.

The FBI had these tips, specifically aimed at helping employees to avoid these payroll scams:

• Use secondary channels or two-factor authentication (2FA) to verify requests for changes in account information.
• Ensure the URL in emails is associated with the business it claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Refrain from supplying login credentials or PII in response to any emails.
• Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
• Keep all software patches on and all systems updated.
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it’s purportedly coming from.
• Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.

What else to do

Report it!

Like the FBI says, the skyrocketing statistics related to BEC fraud incidents and losses are due at least in part to increased awareness and reporting.

Of course, law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.

In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?