A US judge has sentenced a Nigerian man to three years and five months in a federal prison after he pleaded guilty to taking part in a business email compromise (BEC) scam that targeted organisations around the world.
Well, it wasn’t quite as simple as that. But not far off.
You see, in a BEC scam the criminal sends an email to employees of targeted companies asking that funds be put into bank accounts. A key to the scam's success is that the emails pretend to come from senior executives within the company, or from outside firms that do business with the company.
To make the emails more convincing, their headers can be forged, or they can be sent from domain names that look very similar to the targeted company's real domain name.
The most sophisticated BEC scammers will actually break into corporate email accounts, discover details of the third-party suppliers who are doing work for the business, and send bogus invoices in their name for the work that has been done – albeit requesting that the funds be put into a bank account under the control of the scammer.
In this way, some companies have been stung for millions and millions of dollars.
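A defender-side check for the two tricks described above, lookalike sender domains and forged headers, added here as an example and not taken from the original article. The trusted domains, executive names and sample messages are constructed, and the Reply-To mismatch is a heuristic for a forged sender rather than proof of one.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "example-supplier.com"}  # constructed
EXECUTIVES = {"jane doe"}  # constructed display names of senior staff

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return sorted reasons why a payment email needs out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = set()
    if domain not in TRUSTED_DOMAINS:
        # A domain one or two edits away from a trusted one is a likely lookalike.
        if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.add("lookalike-domain")
        # An executive's display name on an unknown domain is impersonation.
        if name.strip().lower() in EXECUTIVES:
            flags.add("executive-name-external-domain")
    # A forged From often pairs with a Reply-To that routes answers elsewhere.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        flags.add("reply-to-mismatch")
    return sorted(flags)

SAMPLES = {  # constructed messages
    "genuine": "From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 report\n\nAttached.",
    "lookalike": "From: Jane Doe <jane.doe@examp1e-corp.com>\nSubject: Urgent wire\n\nPlease pay today.",
    "forged": "From: Accounts <ap@example-supplier.com>\nReply-To: ap@mail-box.example\n"
              "Subject: Invoice\n\nOur bank details have changed.",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, bec_flags(raw))
```

A message that raises any flag should be confirmed with the supposed sender through a known phone number before money moves; a compromised genuine mailbox, the most sophisticated case below, raises none of these flags.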
Prosecutors told the court that Adindu’s targets included a New York investment firm. In June 2015 an employee at the unnamed firm received an email claiming to come from an investment adviser at another firm, requesting a US $25,200 wire transfer.
Only after the funds had been transferred did the employee learn that the email was fraudulent, and not from the adviser at all. As a result, they did not comply with a request for a subsequent transfer of US $75,100.
Author Graham Cluley, We Live Security