Bad maths – when 401 = 40

Unfortunately, it is rare that online fraudsters are caught, let alone prosecuted, which is why the news that one such criminal was arrested and brought to justice is something to note. The case in question didn’t rely on technology or high levels of complex deception, but it underlines that the simplest attempts at scams often yield the biggest results.

In April 2021, in a case heard in the Southern District of New York court, the Department of Justice won its case against a Nigerian man living in Atlanta for conspiracy to commit wire fraud. The guilty party was fined $2.7m and imprisoned for 40 months for his scheme based on Business Email Compromise (BEC), a particular form of 401 scam that targets firms to get them to send money to genuine-looking third parties.

The defendant worked with a number of other individuals, all of whom targeted large organisations, both in the US and overseas, trying to trick them into paying bogus invoices. The court proceedings outlined the nature of the fraud as follows:

“The group perpetrated a fraudulent BEC scheme through which they deceived dozens of victims, both foreign and domestic, into wiring millions of dollars to bank accounts controlled by the syndicate. The fraud was perpetrated by sending victims “spoofed” emails, which purported to be from counterparties whom the victims knew and trusted, and which contained wiring instructions fraudulently directing the victims to send funds to accounts that were in fact controlled by the defendants and others involved in the scheme.”

In other words, the group gained knowledge of who some of their victims’ service suppliers were, set up bank accounts in those organisations’ names and then sent fake invoices to the companies being targeted. One of the organisations defrauded was an intergovernmental organisation headquartered in New York, which lost nearly $200,000.

Over the course of a two-year period, 35 known organisations were defrauded out of almost $2.7m using a relatively rudimentary approach before the group was caught by the FBI.

We are beginning to be accustomed to fraud and cyber attacks at an ever-growing level of sophistication, which is great. Staff are being educated to see the signs of BEC attacks, social engineering and malware attempts, but sometimes, as this case proves, we also need to ensure that basic procedures on the sign-off of invoices and payments are checked and checked again. Many organisations will use specialised payment systems that ensure any authorised invoice is paid only to the bank details held on file rather than those on the invoice, but that shouldn’t stop any organisation from erring on the side of caution if something doesn’t look right.