SecureWorld News

Business Email Compromise: Conviction Reveals How the Crime Works

Written by SecureWorld News Team | Fri | Nov 2, 2018 | 4:10 PM Z

If you've wondered how business email scams work on the back end, and how cybercriminals move the money they make, then keep reading.

In September 2018, while thousands of Americans gathered in New York City to remember the victims of the 9-11 terrorist attacks, a man was being sentenced for cyber attacks against Americans in a Manhattan courtroom.

Prosecutors in the case say that a 30-year-old Nigerian man, Onyekachi Emmanuel Opara, made millions in just two years' time by duping U.S. businesses and love interests out of money.

And he used innocent people to move the money to accounts that were out of reach of U.S. authorities.

The court documents in this case pull back the curtain on how these business email compromise (BEC) scams actually operate.

The business victims: Nigerian-based business email compromise

Prosecutors say Opara has admitted specific details about how his BEC efforts worked while he launched attacks between 2014 and 2016.

  • Opara did research on companies through the web.
  • He used that information to socially engineer his attack.
  • He sent bogus emails to employees of the victim companies, directing that funds be transferred to specified bank accounts.
  • "The emails claimed to be from supervisors at those companies or from third party vendors with whom the companies did business."
  • "The emails were either sent from email accounts with domain names very similar to those of the companies and vendors, or the metadata for the emails was modified to make it appear as if the emails had been sent from legitimate email addresses."
  • Companies around the world fell for his BEC scams and transferred money to the (real) bank account named in the email.
  • Opara quickly moved that money on to accounts he and some partners controlled. The BEC scam was a success.
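The two techniques prosecutors describe above, lookalike sender domains and altered headers, are both visible in the message itself. The following is an added example (not from the article or the court record) of a simple check an accounts-payable mailbox could run: it flags From domains that imitate a trusted company or vendor domain and headers whose Reply-To or Return-Path domain does not match the displayed From domain. The trusted domains and the sample message are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumed list of the organisation's own domain and its vendors' domains.
TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.com"}

# Character swaps commonly used to build near-identical domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common look-alike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if nd == trusted or levenshtein(nd, trusted) <= 2:
            return trusted
    return None


def analyze(raw_message: str) -> list:
    """Return human-readable findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = from_addr.rpartition("@")[2]
    findings = []
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"lookalike sender domain {from_dom} resembles {imitated}")
    # Reply-To or Return-Path pointing elsewhere suggests the From header was doctored.
    for header in ("Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(header, ""))[1]
        dom = addr.rpartition("@")[2]
        if addr and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    return findings


# Constructed sample resembling the CFO-style wire request described in the article.
SAMPLE = """From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@webmail.example
Return-Path: <bounce@webmail.example>
To: ap-clerk@example-corp.com
Subject: Urgent wire transfer

Please wire today's vendor payment to the account below.
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
```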

Love hurts: BEC money moved by criminal's online love interests

Pushing large amounts of money to one account raises red flags. So the Nigerian scammer turned to people looking for relationships online to help him with the dirty work. It was all in the name of love... and profits.

Prosecutors revealed:

  • He created accounts on dating websites and entered into online romantic relationships with individuals in the United States by portraying himself as a young, attractive woman named “Barbara.”
  • “Barbara” would then instruct these individuals in the U.S. to send their money overseas and/or to receive money from BEC scams and forward the proceeds to other scheme participants located overseas.
  • "In all, he attempted to recruit at least 14 other individuals via dating websites to receive funds from BEC scams into their bank accounts and then transfer the proceeds to overseas bank accounts."

And this next part is both hard to imagine and sad.

How naive can people be, that they will do unusual things for someone who shows interest in them? In this case, for someone they have never met in person.

Prosecutors say: "One victim with whom Opara struck up a romantic relationship sent over $600,000 of the victim’s own money to bank accounts controlled by scheme participants at Opara’s direction."

Really? Wow.

Now Opara will be locked up for five years, and the judge has ordered him to repay $2.5 million.

What do you think: Is this punishment enough?

[Side note: I'm writing this story on a flight coming back from SecureWorld Detroit, where I had the privilege of moderating an expert panel on phishing and social engineering. The room was full and a lot of best practices were shared. I'm so thankful that was the case. Because as this story illustrates, there is much more to be done to secure our organizations and friends and family from cyber attacks like these.]