On the hook! Phishing trip nets “Barbara” 5 years and whopping fine

A Nigerian man is facing the prospect of up to five years in the decidedly unprincely confines of a US jail after pleading guilty to operating an email phishing scam targeting businesses around the world. To add a little spice to the mix, the fraudster also set up romance scams as an attractive young woman named “Barbara.”

In Manhattan Federal Court on Tuesday, Onyekachi Emmanuel Opara, 30, originally from Lagos, Nigeria, was also ordered to pay $2.5m in restitution. In April, he pled guilty to charges of wire fraud and conspiracy to commit wire fraud amounting to $25m.

Opara was arrested in South Africa in 2016 and extradited to the US to face charges in January 2018. One of his co-conspirators, David Chukweneke Adindu, pleaded guilty to charges of conspiracy to commit wire fraud and conspiracy to commit identity theft. Adindu was sentenced to 41 months last year.

The Department of Justice (DOJ) said that between 2014 and 2016, the pair participated in multiple business email compromise (BEC) scams that targeted thousands of victims around the world, including in the US, the UK, Australia, Switzerland, Sweden, New Zealand and Singapore.

The spear-phishers would send bogus emails to employees, directing them to transfer funds to bank accounts that they controlled. The emails were made to look like they came from supervisors at the targeted companies or from third-party vendors that they did business with.

To make the emails that bit more convincing, the crooks set up domain names similar to those of the companies and vendors they were posing as: just one of the more nefarious purposes for which typosquatters set up domains that at a quick glance look like a legitimate business save for one, stray keystroke.

Besides screwing with the domain names, Opara and Adindu would sometimes spoof the email metadata to make it look like the messages came from legitimate email addresses.

This is a good example of why we should be cautious with email, even if it looks like it’s coming from a friend or colleague. Besides spoofed email addresses, there’s always the chance that somebody’s hijacked the account of your trusted correspondent, as happened to Sophos’s Peter Mackenzie: you can read Peter’s tale of his solicitor’s email account being taken over and the way the attacker set up a malicious file to grab account credentials here.

After the victims transferred money to the scammers’ bank account as directed in the bogus emails, the crooks quickly withdrew it or transferred it into other bank accounts they also controlled. They went after more than $25 million from victims around the world.

BEC scams are, indeed, worth big bucks: between 2013 and 2015, losses reported to the FBI’s Internet Crime Complaint Center (IC3) totaled $1.2 billion.

According to the indictment (PDF), one of the victimized companies was a New York investment firm. Posing as an investment adviser at another company, the duo instructed an employee at the New York firm to wire $25,200 into a fake account that they said was an “annuity fund.” They then asked for another $75,100 transfer, but by then the jig was up: the employee had already figured out that he’d been scammed.

They also went after a metal forgery in Illinois, sending an email pretending to be the CEO and instructing a staffer to wire over $85,250.50. The next day they requested another $325,500.50, but the business didn’t repeat its mistake.

When he wasn’t busy ripping off businesses with Adindu and other, unnamed gang members, Opara cooked up accounts on dating websites and struck up romance scams with US individuals. Posing as the young, hot “Barbara,” he’d instruct his marks to send money overseas and/or to receive money from BEC scams and forward the proceeds to his cronies, who were also located overseas.

One of his victims sent over $600,000 of their own money to bank accounts controlled by the crooks. Opara went after another 14 individuals, at least, on dating websites, setting them up to receive funds from his BEC scams into their bank accounts and to then transfer the proceeds to overseas bank accounts.

We have to sympathize with the lovelorn who fall for these cruddy come-ons. If you’ve got friends or family stuck in these spider-web fantasies, please do try to convince them that online, all too often, people aren’t who they claim to be.

If your company has been hit by BEC, the first thing on your mind might be your job, or your shareholders, or your employees. But after you get over the shock and triage the damage, please do make sure to report it to the authorities. An important part of battling these kind of scams is making sure that law enforcement knows about them.

To that end, in the US, you can report the scam by filing a complaint with the IC3. In the UK, such instances should be reported to Action Fraud.