The US has dragged a fancy-pants, Instagram-star, high-fashion-flaunting, alleged Nigerian scammer out of the United Arab Emirates (UAE) and into Chicago to face charges that he helped launder beaucoup bucks gouged out of businesses in business email compromise (BEC) scams.
His name is Ramon Olorunwa Abbas, aged 37, also known as “Ray Hushpuppi” and “Hush.” Abbas, a Nigerian national, arrived in Chicago Thursday evening after being extradited from the UAE. He made an initial court appearance in Chicago on Friday, but his case is expected to be transferred to Los Angeles in coming weeks.
As of Monday, you could still check out his public, uber-blingy Instagram account, where Abbas has 2.4 million followers. It lists him as a real estate developer. The photos show him slouching on pricey couches in luxury hotels, riding in charter jets, wearing fancy sneakers and designer clothes, sporting expensive watches, posing in or with Richie Rich cars – think Bentleys, Ferraris, Mercedes and Rolls Royces – and lavishing pictorial love on Dior this and Gucci that.
So much Gucci. In fact, Abbas’s Instagram account listed his Snapchat contact name as “The Billionaire Gucci Master!!!”
The DOJ featured photos from the account in its criminal complaint.
Where did all that moolah come from?
The FBI doesn’t think Abbas the real estate agent was selling solid-gold chateaus to fund this Gucci-rama. The DOJ is charging Abbas with allegedly conspiring to launder hundreds of millions of dollars in BEC and other scams that targeted a US law firm’s client, a foreign bank and an English Premier League soccer club, among others.
As the criminal complaint explains, BEC frauds often involve hackers gaining unauthorized access to a business’s email account, blocking or redirecting communications to and/or from that email account, and then using the compromised email account, or a spoofed email account, to communicate with targeted employees. They’ll try to wheedle a targeted company’s employees into placing unauthorized wire transfers to accounts they control – often, with help from money mules. After that, the crooks often launder the money by wiring or transferring it through numerous bank accounts, or by quickly withdrawing it.
FBI Special Agent Andrew John Innocenti writes in the complaint that Abbas and his alleged conspirators allegedly ripped off an unnamed client of a New York law firm for a whole lot of shopping-spree cash: around USD $922,858. Abbas and co-conspirators allegedly tricked one of the law firm’s paralegals into wiring money intended for the client’s real estate refinancing, redirecting the money to a bank account under their control.
That’s what BEC scammers do: they spoof emails to convince a target that they’re supplying product X in order to receive payment Y, so please make sure to send payment to bank account number “kiss it goodbye.”
Another USD $14.7 million came from a foreign financial institution. Plans were in the works to launder tens, and at times hundreds, of millions of dollars and UK pounds sterling from other schemes and computer break-ins, including one that entailed stealing money from an English Premier League football club.
The Department of Justice (DOJ) said on Friday that Abbas was arrested last month in Dubai before being handed over to the FBI.
Dubai, Paris, UK, US: like most BEC scams, the money flowed through a tangle of countries and banks, making it tough to investigate and making the con artists tough to bust, US Attorney Nick Hanna said in the DOJ’s release.
“BEC schemes are one of the most difficult cybercrimes we encounter as they typically involve a coordinated group of con artists scattered around the world who have experience with computer hacking and exploiting the international financial system.
“This case targets a key player in a large, transnational conspiracy who was living an opulent lifestyle in another country while allegedly providing safe havens for stolen money around the world.”
Paul Delacourt, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, noted that in 2019 alone, the FBI recorded $1.7 billion in losses by victimized companies and individuals who were targeted in BEC scams. If Abbas is found guilty, it will mean that one major BEC player will have been knocked offline, but there are plenty more out there, ready to pounce on those who don’t know how to protect themselves:
“BEC scams represent the most financially costly type of scheme reported to the FBI. I urge anyone who transfers funds personally or on behalf of a company to educate themselves about BEC so they can identify this insidious scheme before losing sizable amounts of money.”
Maximum prison sentences are rarely handed out. But if Abbas gets convicted of conspiracy to engage in money laundering, and if he happens to be the unlucky exception to this general rule, he’ll be looking at a maximum sentence of 20 years in federal prison.
How to keep from being fleeced
There are safeguards that businesses can take to protect against BEC, and then there are those that are good for both businesses and individuals.
As we noted when the FBI busted 74 people in a global BEC takedown in June 2018, defending against this type of fraud is complicated. It involves bolstering defenses for email servers and accounts and improved processes, such as stricter protocols for businesses to check payments.
North Carolina’s Cabarrus County, which fell for a BEC scam to the tune of $1,728,083 that it paid to a scammer posing as a building contractor in August 2019, has said that it’s doing just that: it hired an accounts payable (AP) consultant and tasked her with redesigning its vendor processes, has held training for staff, and has implemented external checks to validate data received by the county.
Don’t rely on email alone
As the FBI notes, no matter how sophisticated the fraud, there’s an easy way to thwart it: namely, don’t rely on email alone. Rather, authenticate requests to send money with face-to-face or voice-to-voice communications.
FBI Special Agent Martin Licciardo:
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone.”
Here are more tips for both individuals and businesses:
Watch out for typos
As we saw in the case of crooks who nabbed the proceeds from a $150K home sale, the fraudster did what fraudsters often do: they made an (albeit tiny) punctuation/English usage mistake. Namely, they omitted a possessive apostrophe.
As Naked Security’s Paul Ducklin noted in the comments section of that article, grammatical perfection on its own isn’t enough to give a message a clean bill of cybersecurity health, but any slip-ups in spelling or usage, or any unusual requests, are a good reason to look askance at an email.
Watch out for weird requests.
In that case, the swindlers insisted that an electronically signed PDF, with their victim’s bank details, specifically be emailed instead of snail-mailed. As Paul noted, that makes sense … for crooks. They wouldn’t be able to intercept a document sent via a country’s postal service, after all.
Law enforcement can’t fight what it doesn’t know about. To that end, please do make sure to report it if you’ve been targeted in one of these scams.
In the US, victims can file a complaint with the IC3. In the UK, BEC complaints should go to Action Fraud. If you’d like to know how Sophos can help protect you against BEC, read our Sophos News article Would you fall for a BEC attack?