WASHINGTON–An arrest in a business email compromise (BEC) scam that targeted and successfully duped one company’s CFO is an example of the kind of threats security experts have been warning credit unions and other financial institutions about.
A Nigerian businessman has been arrested for allegedly carrying out an $11-million BEC scheme that targeted the U.K. affiliate of equipment manufacturer Caterpillar. As CUToday.info has reported, BEC fraud is increasingly a risk for credit unions, with one recent report suggesting financial institutions are growing targets. In this case, the CFO’s credentials were stolen using what appeared to be a legitimate web page.
BEC fraud, sometimes referred to as CEO fraud, targets senior-level executives with malicious emails that often include attachments that, when clicked, install malware or other compromising software on a computer.
The FBI arrested Obinwanne Okeke, a Nigerian entrepreneur who has been previously profiled in Forbes and BBC News Africa, and charged him with conspiracy to commit computer and wire fraud, according to an FBI affidavit and other court documents filed with the U.S. District Court for the Eastern District of Virginia.
Okeke, 31, remains in federal custody.
As part of the investigation, the FBI said its agents traced back to Okeke an email address used in phishing schemes as well as his social media accounts, the court documents show.
How Scheme Worked
The alleged fraud, which the FBI said targeted Unatrac Holding Ltd., an export sales office in the U.K. that's associated with Caterpillar, goes back as far as April of 2018. The company did not discover what had happened and contact the FBI until more than $11 million had been transferred overseas; only a small amount has been recovered.
Investigators allege Okeke and other unnamed individuals targeted the email account of Unatrac's chief financial officer. The CFO received a phishing email that contained a link that supposedly would allow him to log into his Microsoft Office 365 account, according to the documents. Instead, that link sent the CFO to a spoofed website that mimicked the Office 365 log-in page, where he entered his credentials. All of that was captured by the attackers, according to the FBI.
Once inside the company, the scammers were able to access the CFO’s emails and other records more than 460 times over a four-week period, the FBI is alleging. Access to the CFO’s credentials also allowed the scammers to create fake wire transfers and invoices, using the CFO's name, title, company logos and other information to produce what the FBI described as authentic-looking documents.
The fraud included altering the CFO's account to monitor email traffic, according to the FBI.
Intercepted Emails
"The [email redirect rules] intercepted legitimate emails to and from employees on the financial team, marked them as read, and moved them to another folder outside the inbox," the FBI said in its statement. "These rules appeared to have been created in an attempt to hide from the CFO any responses from the individuals to whom the intruder was sending fabricated emails."
The hackers were able to use the information to send invoices and money transfer requests to the company, with amounts ranging from $278,000 to over $1.95 million, according to the court documents.
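For defenders, the inbox rules quoted in the FBI statement above (mark as read, then move out of the inbox, scoped to finance staff) are a pattern that can be audited for. The following Python sketch is an added example, not taken from the court documents or any vendor tool; the record layout, field names, addresses and the finance-team watch list are all constructed assumptions.

```python
# Constructed sample: inbox rules normalised to plain dicts. The field names
# are assumptions of this example, not any mail platform's export schema.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.test", "name": "Newsletters", "enabled": True,
     "from": ["news@vendor.example"], "sent_to": [],
     "mark_as_read": False, "move_to_folder": "Reading"},
    {"mailbox": "cfo@example.test", "name": ".", "enabled": True,
     "from": ["ap.clerk@example.test", "treasury@example.test"],
     "sent_to": ["AP.Clerk@example.test"],
     "mark_as_read": True, "move_to_folder": "RSS Subscriptions"},
    {"mailbox": "cfo@example.test", "name": "Receipts", "enabled": True,
     "from": [], "sent_to": [], "mark_as_read": True, "move_to_folder": None},
    {"mailbox": "cfo@example.test", "name": "Tidy", "enabled": True,
     "from": ["alerts@tool.example"], "sent_to": [],
     "mark_as_read": True, "move_to_folder": "Archive"},
]
FINANCE_TEAM = {"ap.clerk@example.test", "treasury@example.test"}  # hypothetical


def hides_mail(rule):
    """True when a rule marks mail as read and files it outside the inbox."""
    folder = (rule.get("move_to_folder") or "").strip()
    return bool(rule.get("mark_as_read")) and bool(folder) and folder.lower() != "inbox"


def watched_hits(rule, watched):
    """Watched addresses named in the rule's sender or recipient conditions."""
    named = {a.lower() for a in rule.get("from", []) + rule.get("sent_to", [])}
    return sorted(named & {w.lower() for w in watched})


def flag_suspicious_rules(rules, watched):
    """Grade enabled mail-hiding rules: 'high' if they target watched staff."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True) or not hides_mail(rule):
            continue
        hits = watched_hits(rule, watched)
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "folder": rule["move_to_folder"], "targets": hits,
                         "severity": "high" if hits else "review"})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_rules(SAMPLE_RULES, FINANCE_TEAM):
        print(f["severity"], f["mailbox"], repr(f["rule"]), f["folder"], f["targets"])
```

Rules that only move mail, or only mark it as read, are not flagged; a rule that does both without naming watched staff is graded "review" rather than dropped.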
As part of the alleged scheme against Unatrac, the attackers downloaded tax and other corporate documents from the CFO's files and, at one point, transferred some of that data to a Gmail address that has been associated with other similar scams, the FBI said.
According to the FBI statement, that Gmail address led to discussions among participants that included lists of more than 600 email account passwords.
