Nigerian Man Admits to $1.3M Business Email Compromise ScamScammers Used Malware and Spoofed Domain Name to Trick UK Financial Services Firm
A Nigerian national pleaded guilty to participating in a business email compromise scheme that stole $1.25 million from a Boston investment firm.
Onwuchekwa Nnanna Kalu pleaded guilty Friday to one count of wire fraud, which carries a maximum sentence of 20 years' imprisonment and a $250,000 fine.
Authorities arrested Kalu in Nigeria in 2022 at the FBI's request. After he was extradited to the United States on April 6, U.S. District Judge Randolph D. Moss of the U.S. District Court for the District of Columbia ordered that he be indefinitely detained, saying he posed a flight risk.
A grand jury returned a sealed indictment against Kalu on July 20, 2021, charging him with conspiracy, wire fraud and money laundering. The indictment was unsealed on April 7.
Court documents showed how Kalu and unnamed co-conspirators targeted a Boston investment firm - referred to as "Company A" in the indictment. The company has invested over the past 12 years in over 40 companies in North American, Europe and Israel that aim to address cardiovascular disease and strokes.
Law enforcement officials say BEC scams remain one of the most lucrative types of online-enabled crime and that criminals regularly refine their already sophisticated tactics to maximize their illicit profits. The Internet Crime Report produced by the FBI's Internet Crime Complaint Center, aka IC3, says that in 2022, reported losses due to BEC scams totaled $2.7 billion. That made BEC theft second in total losses only to investment scams at $3.3 billion.
Total reported BEC losses have continued to increase from $2.4 billion in 2021 and $1.9 billion in 2020.
Records show that by July 2019, Kalu and unnamed co-conspirators had:
- Used malware to infect the system of a Company A employee, which forwarded emails containing any of six keywords - "capital," "invoice," "fund," "pay," "payment" and "wire" - to an attacker-controlled Gmail account, George.firstname.lastname@example.org;
- Created a domain name identical to Company A's domain name, except for one letter being different;
- Created fictitious accounts for two Company A directors using the spoofed domain name;
- Communicated with a financial services firm in London, referred to as "Company B," and directed an employee there to transfer Company A's money from a BNY Mellon account to attacker-controlled accounts located outside of the U.S., leading to two illicit transfers of $625,000;
- Transferred some of those funds to bank accounts they controlled at Bank of Africa in Nigeria.
Moss scheduled Kalu's sentencing hearing for Nov. 29.
U.S. Attorney for the District of Columbia Matthew M. Graves used the occasion of Kalu's guilty plea to urge all organizations to safeguard themselves against BEC scams. "Business email compromise schemes wreak havoc on companies, governments and other institutions," he said.
"The best way to thwart a BEC scheme is due diligence. Check and double-check the email address before responding with any information that could put you or your employer at risk," Graves added. "Once a breach is identified, we will do everything in our power to identify, arrest and prosecute the perpetrators no matter where they hide."
The FBI can sometimes recover funds stolen via a BEC attack, provided a victim quickly notifies both the originating financial services firm as well as the bureau's Internet Crime Complaint Center.
In 2022, the FBI's Rapid Action Team said it had successfully initiated a financial fraud kill chain for 2,838 BEC complaints involving domestic-to-domestic transfers totaling $590 million, allowing it to recover about $433 million in stolen funds.