OMAHA, Neb. (WOWT) — Six Nigerian nationals have been federally indicted in Nebraska, wanted in connection with elaborate schemes targeting business executives out of millions of dollars. The FBI announced the indictments Tuesday in Omaha. The six individuals, believed to be in Nigeria, are accused of conducting business email compromise, romance fraud, and other types of fraud, according to Special Agent Jake Foiles of the Omaha division’s Cyber Squad.
Three other co-conspirators have already been arrested: two were apprehended after traveling to the US, and another arrested and extradited from Poland, Foiles said. Business email compromise, or BEC, involves “tricking companies into sending fraudulent payments, either through wire transfers or ACH transfers,” Foiles said
These perpetrators focused on victimizing a larger number of people rather than going after larger payments, he said, collecting as many “smaller” wire transfers — from $50,000 to $100,000 — as they could before being detected. Companies in Nebraska and Iowa have lost millions of dollars due to a single incident like this, he said. The U.S. Department of Treasury said Americans lost over $6 million because of these schemes. In this case, however, two unnamed Nebraska companies lost more than $530,000 before realizing it was a scam. According to the unsealed indictments, these schemes happened between 2015 and 2016. The companies were among more than 70 identified during the investigation.
The Treasury Department announced sanctions on the six men, which Foiles called a “unique” deterrent, as it shows a full-government approach to fighting cyberfraud. Federal investigators say the suspects would spoof email addresses posing as real CEOs or other business executives, directing employees to make wire transfers from business accounts.
As more people work from home during the pandemic, it makes companies more vulnerable to these sorts of scams, Foiles said. “We’re not seeing… people at our company as often in person,” he said, noting that workplace conversations and personal interactions might have uncovered the fraud much faster. Prosecutors say the six manipulated their victims in order to gain access to usernames, passwords, and bank accounts. They used social media and email to carry out the scams.
They also used romance schemes to scam money out of three Omaha residents. These six men face charges ranging from wire fraud and conspiracy, to identity theft, and access device fraud. Several more fraudsters are involved, Foiles said, but the FBI was able to positively ID and obtain evidence to charge six, with three others were included in the indictments. If convicted, they could face up to 20 years in federal prison and $250,000 in fines.
Such investigations start with companies coming forward to say they have encountered fraud, Foiles said. “A lot of companies keep this kind of thing secret,” he said. Investigators typically collect electronic communications and work backwards from spoofed emails to the accounts perpetrators were using to collect identifying information, he said.
While the U.S. does have an extradition treaty with Nigeria, the FBI has been working with Nigerian counterparts to prosecute offenders in that country, Foiles said. “We would work on our investigations and submit information to the Nigerian Economic and Financial Crimes Commission, and then they would pursue their own investigations and prosecute individuals there,” he said.
Prevention & detection
As technology has become more sophisticated, so have criminals, Foiles said. While more data and information is often available to collect, other aspects make it harder, like encryptions. “As our subjects continue to move to platforms that are encryption-enabled, it makes my job harder as I can’t get some of that key evidence even with a search warrant signed by a judge,” he said.
For such criminals, this sort of fraud is essentially their full-time jobs, he said. Some will even adopt U.S. business hours so that they can conduct transactions while Americans are at work. Businesses and companies using the two most common email platforms — Office 365 or Google’s G-Suite — are most-targeted, Foiles said.
Companies can prevent BECs by making a phone call to a coworker to verify any kind of payment or significant financial transaction. “(A coworker’s voice is) much more difficult to impersonate,” he said. Another way is to enable multi-factor authentication. If all organizations and companies were to enable that feature, it would greatly reduce business email compromise,” Foiles said.
But the most nefarious attacks delay detection, like hacking into email accounts and setting up auto-forwarding, Foiles said. Someone who notices there might be unauthorized access into their account would change their password, but may not notice their account has been set up to forward to an illegitimate account.
“So every email sent to that account could still get forwarded to the fraudster,” he said. The best way companies can guard against this tactic is to prohibit forwarding outside their organization, he said.
