The CEO of an unidentified Swiss company was scammed out of nearly $1 million by a multinational fraud ring, according to a criminal complaint unsealed last week in federal court. The executive, who is identified in the filing only as “S.K.,” was in the process of buying a piece of beachfront property in Belize.
S.K. had already communicated back and forth twice with the seller’s attorney, paying a portion of the $1,020,000 purchase price as a deposit. When S.K. got a third email from the lawyer with instructions for sending the remaining $918,000, S.K. wired it to what he thought was a bank account in Belize. In fact, it went to a Citizens Bank in Boston.
“The lengthy email which S.K. received included lawyerly verbiage that gave it the appearance it was from the attorney in Belize,” the complaint says. “The author included information about Belize-specific regulations on the purchase of property by a foreign company. The email included the standard confidentiality notice and legal disclaimers that are commonly part of emails from attorneys. Lastly, it included a professional signature block with the attorney’s name and contact information.”
It was only after the real lawyer said the money never arrived that S.K. realized he’d been scammed. What S.K. hadn’t noticed was an extra letter “s” hiding in the phony lawyer’s email address. The spoofed email was “deliberately created to deceive the recipient into believing he was communicating with the seller’s attorney,” explains an FBI affidavit attached to the complaint. That one easily overlooked detail wound up setting S.K. back six figures.
Business email compromise, also known as “CEO fraud,” accounted for $26 billion in company losses between June 2016 and July 2019, touching all 50 US states and 177 countries, according to data from the FBI’s Internet Crime Complaint Center. The con typically involves phony email accounts with addresses that are confusingly similar to the real thing. Scammers generally begin by compromising a legitimate email account, either by hacking or social engineering, and typically target high-level executives, people with access to company finances, or both. They then study the purloined messages for information about accounts payable and receivable, and analyze tone and style to make their communications as believable as possible. The fraudsters then attempt to convince their unwitting victims to wire money to bank accounts that they actually control.
This sort of fraud is a new evolution of online crime that has been on law enforcement’s radar for about five years, FBI supervisory special agent Jim Abbott told Quartz.
There are always digital artifacts left behind in online scams—IP addresses used to illicitly access someone’s email, for instance—and this data is often used not only to track down individual suspects but also to make connections between schemes that may not otherwise appear to be linked, Abbott said.
In S.K.’s case, about half of the stolen money was quickly transferred from the Citizens Bank in Boston to corporate accounts at JPMorgan Chase and Bank of America in Atlanta. From there, nearly $200,000 was wired to bank accounts in China and Nigeria. Simultaneously, a man began visiting JPMorgan Chase branches throughout the area, withdrawing thousands of dollars in cash at a time.
The corporate accounts in Atlanta had been opened in the name of Prince Okoli. During this period, a check for $10,000 was deposited into a personal account in the same name. FBI agents compared surveillance photos of the man seen withdrawing money at the Atlanta banks with the driver’s license photo the Georgia Department of Motor Vehicles had on record for Okoli. According to investigators, they had a match. Andrew Wong, Okoli’s court-appointed lawyer, did not respond to a request for comment.
These kinds of scams affect businesses small and large. In 2015, Mattel CEO Christopher Sinclair emailed an employee in the finance department and asked her to wire $3 million to a new vendor in China. Company policy required all fund transfers to be approved by two upper-level managers, which she and Sinclair both were, and the staffer sent the money. A few hours later, she mentioned the payment to Sinclair, who had no idea what she was talking about. Mattel called its bank, the police, and the FBI immediately. The company was initially told the money was unrecoverable, but was eventually able to claw it back.
That same year, networking firm Ubiquiti was duped into transferring $46.7 million to what it thought was a company subsidiary, but was actually a scammer, the company disclosed in a quarterly earnings report.
In a recent case first reported by Quartz, a crew of international con artists allegedly convinced an unidentified US defense contractor to send them millions of dollars’ worth of sensitive military gear they weren’t even supposed to know existed, according to court filings. Some of the items shipped to the fraudsters were reportedly so top-secret that even a photo of the equipment was considered “controlled.” The “highly sensitive” equipment was valued at $3.2 million.
Consumers who fall prey to such scams have limited liability and losses are usually covered by the bank, said Sam Curry, chief security officer of cybersecurity consulting firm Cybereason. But businesses that mistakenly send large sums to the wrong recipient are not normally covered. When a Texas manufacturing company was bilked out of $480,000 in 2014 by a scam artist posing as the firm’s CEO, the firm’s insurer refused to pay the claim. Earlier this year, fashion brand Diesel USA filed for Chapter 11 protection, citing losses from cyber fraud as one of the reasons behind its bankruptcy.
Business email compromise is “effectively the next generation of cons,” Curry told Quartz. “If an attacker can insinuate themselves between two trusted parties, they benefit from that default to trust by both parties. And that’s the real danger.”
The FBI recommends all companies have strong verification protocols in place for large transactions—a phone call to confirm the payment request is legitimate would be a good start—and use two-factor authentication to verify requests for any changes to account information. Be alert for slightly misspelled names and hyperlinks that redirect to misspelled URLs. Don’t provide sensitive information to new customers or suppliers without doing a “very solid amount of due diligence,” Abbott warned. And, he added, always check to make sure the routing and account numbers in wire transfer instructions resolve to the right bank in the proper location.
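The misspelled-address check can be automated at the mail gateway or in a payment-approval workflow. The sketch below is an added example, not taken from the complaint or the FBI guidance: it flags a sender whose address is a near miss of an established correspondent's, such as one extra "s". All addresses are constructed placeholders, and the threshold of two edits is an assumption.

```python
from email.utils import parseaddr

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # An adjacent transposition ("deo" for "doe") counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, known_addresses, max_distance=2):
    """Return (verdict, closest_known); verdict is known, lookalike or unknown."""
    _, addr = parseaddr(from_header)  # ignore the display name, which is free text
    addr = addr.lower()
    if "@" not in addr:
        return ("unknown", None)
    known = sorted({k.lower() for k in known_addresses})
    if addr in known:
        return ("known", addr)
    # A near miss of an established correspondent is the warning sign:
    # hold the payment and confirm by phone on a number already on file.
    scored = [(edit_distance(addr, k), k) for k in known]
    if scored and min(scored)[0] <= max_distance:
        return ("lookalike", min(scored)[1])
    return ("unknown", None)

# Constructed sample data: placeholder addresses, not taken from the case.
KNOWN = ["jane.doe@lawfirm.example"]
SAMPLES = [
    "Jane Doe <jane.doe@lawfirm.example>",   # the real correspondent
    "Jane Doe <jane.doe@lawfirms.example>",  # one extra "s" in the domain
    "Jane Doe <jane.deo@lawfirm.example>",   # swapped letters in the local part
    "Billing <billing@vendor.example>",      # unrelated new sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify_sender(header, KNOWN))
```

The check compares the whole address, so it catches edits in either the local part or the domain; it does not cover display-name spoofing or look-alike Unicode characters.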
Effectively, business email compromise is “organized crime going cyber,” Curry said, describing it as a natural progression from the analog financial fraud of a generation ago. Passing counterfeit checks and trying to fool bank tellers is a dying art, he said, adding: “It’s much easier, cheaper, and less risky to do it at scale on the internet.”