Many of us would like to believe we could spot a scam from afar, especially an email scam. There are only so many people that the Prince of Nigeria can give money to!
However a multinational fraud ring were able to swindle nearly $1 million out of the CEO of an unidentified Swiss company.
“S.K.” was purchasing some beachfront property in Belize when the fraud was committed, according to a criminal complaint that was unsealed recently.
The seller had been in discussions with S.K. with the buyer already paying a deposit on the $1,020,000 property. So when S.K. received a further email from the seller’s lawyers requesting the remaining $918,000 he wired the money across to the bank account he thought was also in Belize. However the money was sent to a Citizens Bank in Boston.
The complaint states, “The lengthy email which S.K. received included lawyerly verbiage that gave it the appearance it was from the attorney in Belize. The author included information about Belize-specific regulations on the purchase of property by a foreign company. The email included the standard confidentiality notice and legal disclaimers that are commonly part of emails from attorneys. Lastly, it included a professional signature block with the attorney’s name and contact information.”
It was when the real lawyer got in contact with S.K. to query why the money had not been sent across to them that the scam was discovered.
An investigation revealed that the email from the “lawyer” had an extra “s” in the address, meaning the fake email was “deliberately created to deceive the recipient into believing he was communicating with the seller’s attorney.”
Recent data from the FBI’s Internet Crime Complaint Center shows that “CEO fraud” – or business email compromise – was responsible for a loss of over $26 billion for businesses during June 2016 and July 2019, and affected all 50 US states as well as nearly 180 countries.
In 2015 Christopher Sinclair – Mattel’s CEO – emailed an employee requesting $3 million be transferred to a new Chinese vendor. As their company policy demanded any transfers of money required approval by two upper-level managers the employee complied. However when mentioning the payment to Mr. Sinclair later he was unaware of the incident. And while the bank, police and FBI were promptly called it took a long time for the company to have their money returned.
Similarly, an unidentified US defense contractor was conned into sending sensitive military equipment worth millions of dollars to a gang of international con artists. Court filings show that some of the equipment was so top secret nobody was supposed to be aware it existed with the “highly sensitive” equipment was valued at $3.2 million.
Scammers usually create false email accounts with similar addresses to the legitimate accounts that they have hacked into and generally target employees who have access to the business’s accounts, high-level executives and sometimes celebrities.
Once the information has been removed from the hacked email accounts the scammers not only steal names, account details and information about the financial transaction, they also analyze the style and tone of the messages to ensure their fake email is plausible.
They then email the buyer requesting the next payment be wired to a bank account they look after, with the money disappearing immediately.
Online crime has been around for many years however these scams have only been noticed in the last five years. An FBI supervisory special agent was quoted as saying, “There are always digital artifacts left behind in online scams – IP addresses used to illicitly access someone’s email, for instance – and this data is often used not only to track down individual suspects but also to make connections between schemes that may not otherwise appear to be linked.”
The stolen money from S.K. was transferred almost immediately to corporate accounts at JPMorgan Chase as well as Bank of America in Atlanta. A further $200,000 was then sent to banks in Nigeria and China while a suspect was spotted withdrawing thousands of dollars in cash at several JPMorgan Chase branches.
Investigators discovered the accounts in Atlanta had been opened by “Prince Okoli” who had also paid $10,000 into his own personal account. Surveillance photos at the Atlanta banks were compared to Okoli’s driving license and they realised they had a match. When pushed for a comment Andrew Wong, Okoli’s court-appointed lawyer – would not respond.
Although scammed consumers have limited liability with losses often covered by the financial companies involved, corporations sending money to incorrect recipients are not normally covered. When filing for Chapter 11 protection earlier this year, fashion brand Diesel USA cited cyber fraud losses as one of their reasons for bankruptcy.
There are recommendations from the FBI for companies to have protocols in place so that requests for large sums of money require strict verification, such as two-factor authentication.
They also recommend you always inspect your emails for incorrect or misspelled URLs, misspelled names or information that does not quite look right. Never give out information that could be used against you to new contacts without vetting them independently first.