After allegedly executing a Business Email Compromise (BEC) scam, the United States District Court for the Eastern District of Virginia has accused three individuals of money laundering and substantial identity theft.
BEC schemes employ several techniques (including social engineering, phishing, hacking, and malware) to corrupt or mimic corporate email accounts to transfer pending or future payments to bank accounts controlled by the threat actor.
Onyewuchi Ibeh, 21, from Bowie, Maryland, Jason Joyner, 42, from Washington, D.C., and Mouaaz Elkhebri, 30, from Alexandria, Virginia, have been charged. Between January 2018-March 2020, they penetrated the corporate networks of big and small organizations in the U.S. and worldwide.
The attackers were able to access email servers and accounts by phishing employee credentials and planting malware. Then they spent months intercepting conversations and learning about billing systems, communication styles, vendors, clients, transaction managers, and so on.
The fraudsters then reportedly sent phony emails to an employee at the appropriate timing, presenting a request for money that resembled a genuine transaction due for payment at the time.
The actors were able to reroute the cash to their bank accounts by obtaining all of the specifics of the actual transaction, such as complete invoice information. The BEC operation has been linked to at least five victims and total theft of $1.1 million, according to the investigators.
Between 2015 and 2018, Elkhebri worked for Bank of America and TD Bank, where he opened bank accounts in the names of his co-conspirators and their victims, as well as falsifying bank book entries.
Joyner was using ATMs to withdraw stolen money and sending cash to others.
According to the affidavit, Bank of America provided Elkhebri’s employment records in response to legal action. Elkhebri worked as a personal banker and relationship manager at the bank from 2015-2017.
Elkhebri established numerous conspirator accounts during his tenure at Bank of America, including one that Ibeh used to further the plan.
TD Bank also released personnel data for Elkhebri, who worked there from 2017-2018, responding to legal proceedings. Elkhebri established several conspirator accounts during his tenure at TD Bank, including one that Ayeah employed to continue the scam.
Elkhebri faces up to 52 years in jail if convicted, while the other two might face a maximum of 20 years in prison due to the severity of their crimes. These are the maximum penalties; actual sentences are likely to be less severe.