Mon | May 2, 2022 | 3:34 PM PDT

Another day, another dollar, another phishing scam that'll make you holler.

The U.S. Department of Justice (DOJ) recently announced the conviction of a California man who stole more than $23 million from the Department of Defense (DOD) through a complex phishing scam.

Sercan Oyuntur, a 40-year-old man from Northridge, California, targeted a corporation that had a contract with the DOD to supply jet fuel to military personnel in Southeast Asia. That corporation employed an individual in New Jersey, who was responsible for communicating with the DOD through a government computer system.

Oyuntur, along with fellow criminal conspirators in Turkey, Germany, and New Jersey, targeted the individual and the corporation to steal the money the DOD planned to pay for the jet fuel.

The California cybercriminal was found guilty on six counts related to the theft of over $23 million, and faces a maximum sentence of up to 30 years in prison.

Phisher fools U.S. government for millions

According to court documents filed in the case, Oyuntur's conspirators created fake email accounts in other people's names and designed fraudulent webpages that looked like the General Services Administration (GSA) website.

The DOJ describes the phishing scheme:

"From June to September 2018, the conspirators caused phishing emails to be sent to various DoD vendors, including the individual from New Jersey who represented the corporation, to trick these vendors into visiting the phishing pages.

These emails appeared to be legitimate communications from the United States government, but were actually sent by the conspirators, and contained electronic links that automatically took individuals to the phishing pages.

There, they saw what appeared to be a GSA website and were prompted to enter their confidential login credentials, which were then used by the conspirators to make changes in the government systems and ultimately divert money to the conspirators."

Throughout this process, Oyuntur worked closely with a conspirator, Hurriyet Arslan. Arslan owned a car dealership in New Jersey, and he opened up a separate shell company to utilize in their phishing scam. He even hired someone else to pose as the shell company's owner.

On October 10, 2018, the DOD transferred $23.5 million into Arslan's car dealership bank account, which was intended for the victim corporation. Arslan then went to the bank to collect, but the bank wouldn't release all of the funds immediately.

The conspirator in Turkey sent Arslan an email that same day with a fraudulent government contract showing the car dealership had been awarded the $23 million contract. Oyuntur instructed Arslan to take the fake contract to the bank and collect the remaining funds, which was unsuccessful and where our latest phishing story ends.

Arslan pled guilty in January 2020 to conspiracy, bank fraud, and money laundering.

For more information on how a few cybercriminals used phishing to steal millions from the DOD, see the statement from the DOJ.