Skip to content
Naked Security Naked Security

BEC fraudster and romance scammer sent to prison for 25 years

Two years of scamming + $10 million leeched = 25 years in prison. Just in time for #Cybermonth.

Elvis, you might say, has left the building, but only to be transported from court to federal prison.

In this case, we’re referring to Elvis Eghosa Ogiekpolor, jailed for 25 years in Atlanta, Georgia for running a cybercrime group that scammed close to $10,000,000 in under two years from individuals and business caught up in so-called romance and BEC scams.

Five other co-conspirators who seem to have “worked for” Ogiekpolor have already pleaded guilty in this case; as far as we know, they haven’t been sentenced yet.

BEC is short for business email compromise, an umbrella term for a form of online scam in which the attackers acquire login access to email accounts inside a company, so that the fraudulent emails they send don’t just seem to come from the company they’re attacking, but actually do come from there.

This sort of scam is also commonly, if somewhat confusingly, known as CEO fraud or CFO fraud, because BEC criminals aim to get access to the email of the most influential employees they can.

Those names don’t denote that the CEO or CFO is carrying out the fraud, but rather that their names and email accounts have been taken over to issue fake payment instructions to staff, suppliers and customers, thus diverting incoming and outgoing payments to rogue bank accounts.

As you can imagine, crooks with access to an employee’s real mailbox can pull off all sorts of low-tech but effective scamming tricks, including:

  • Learning when large payments are due, and which suppliers or customers are involved.
  • Replying positively to emails from worried colleagues asking, “Is this for real?”
  • Telling colleagues who are suspicious not to contact IT or SecOps.
  • Deleting fake emails from the Sent folder so the genuine user never sees them.
  • Matching the style of the genuine user by copying-and-pasting common phrases.
  • Persuading the other party to treat the request as commercially confidential.
  • Defrauding customers of the company, not merely the company itself.

Businesses can end up defrauded of millions of dollars by BEC criminals who have the social engineering “skills” to misdirect well-meaning employees:

https://nakedsecurity.sophos.com/2019/08/01/north-carolina-county-falls-for-bec-scam-to-the-tune-of-1728083/

In Ogiekpolor’s case, the US Department of Justice (DOJ) reported:

At trial, the jury heard from several businesses – representing just a small sample of the total number of companies defrauded – who had been victimized by spoof emails. In each case, the victim-business believed it was making a payment, often several hundreds of thousands of dollars, to a long-standing vendor only to subsequently learn that they had been tricked into sending the money to an account controlled by Ogiekpolor and thereby defrauded.

Crimes against the person

Romance scams, sadly, are targeted against individuals, rather than companies, but they can be very lucrative for the criminals, and destructively life-changing for their victims.

These scams often play out on legitimate dating sites, where the scammers typically take the profile details and photo of someone they think the victim might actually quite like…

…after which the scammers court the victim, often over an extended period of time, by pretending to be their perfect match.

The victim and their new “romantic partner” will never meet in real life, so the scammer can make claims about themselves, their appearance and their background that will never directly be put to the test:

https://nakedsecurity.sophos.com/2021/02/16/romance-scams-at-all-time-high-heres-what-you-need-to-know/

Only when the victim has fallen for the scammer, and thinks that they can be trusted, will the scammer introduce money into the equation.

The amounts may start small, but vulnerable victims may ultimately be conned out of their life savings, as the DOJ reports:

[O]ne romance fraud victim was convinced to wire $32,000 to one of the accounts Ogiekpolor controlled because her “boyfriend” (one of the men online) claimed a part of his oil rig needed to be replaced but that his bank account was frozen. This victim borrowed against her retirement and savings to provide the funds, which ultimately required her to refinance her home to pay back the loan. Another victim testified that she was convinced to send nearly $70,000 because the man she met on eHarmony claimed to need money to promptly make payment on several invoices due to a frozen bank account.

What to do?

TO PROTECT YOUR BUSINESS FROM BEC

  • Create a central email account for staff to report suspicious emails. Get your SecOps team (or your MDR team if you have partnered with a third-party service) to examine suspected scam emails, because they know what to look for. Even if an unusual email comes from the internal account of a colleague, not from an outsider, replying to the sender to ask if it’s genuine or not will give you a false sense of security. If the email account was not hacked, you will get a legitimate answer saying, “Yes, it’s genuine.” But if the account was hacked, you will get exactly the same response, claiming to “confirm” the truthfulness of the original message, but the “confirmation” will be a lie.
  • If in doubt, check with the sender of the email directly. Don’t use email if you suspect that their email may be compromised. Call them up (if you know their voice), pop into their office (if you can), or use a separate way of communicating with them if your goal is to raise suspicions that their email has been hacked. As explained above, BEC scammers typically trim both the Inbox and the Sent folders of victim’s accounts so that even if they review their recent email correspondence carefully, fake messages sent in their name will not show up.
  • Require secondary authorisation for changes in account payment details. Don’t make it easy for crooks to trick your business into paying funds into the wrong account by leaving it to a single person to amend the relevant database entry. Get a second pair of eyes on the request (and see point 2 above about how to confirm that the original request was genuine) before allowing it to go through and you could save yourself hundreds of thousands of dollars.

TO PROTECT YOURSELF, FRIENDS AND FAMILY FROM ROMANCE SCAMS

  • Slow down when dating talk turns from friendship, love or romance to money. It’s Cybersecurity Awareness Month right now, and one of the catch phrases of #cybermonth is: Stop. Think. Connect. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. That needn’t be down to serendipity or because you have found a genuine match. The other person could simply have read your various online profiles carefully in advance.
  • Listen openly to your friends and family if they try to warn you. Criminals who use romance or dating as a lure think nothing of deliberately setting you against your family as part of their scams. They may even “counsel” you not to let your friends and family in on your new “relationship”, pitching their romantic interest as something that your conservative, hidebound friends and family will simply never understand. Don’t let the scammers drive a wedge between you and your family as well as between you and your money.
  • Watch the video below for encouragement and advice . You can also read a full transcript of the video if you prefer written articles to the spoken word. Click on the cog below to speed up playback or turn on captions:


2 Comments

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?