A gang of three men has been charged with money laundering of a Business Email Compromise (BEC) scam and identity theft by the U.S. District Court for the Eastern District of Virginia.
BEC is nothing new. Scammers gain access to employees’ email systems (via techniques including social engineering, phishing and malware) and can spend months learning about a company’s relationship with suppliers and customers before tricking companies into making payments to fake accounts .
It is one of the most serious threats organizations face today, and the FBI estimates that it caused losses of over $ 1.8 billion to businesses last year.
But the added element of this particular case is that one of the men alleged to have been involved in the BEC scam was himself an employee of the Bank of America and TD Bank employee between 2015 and 2018.
30-year-old Mouaaz Elkhebri, from Alexandria, Virginia, is alleged to have exploited his position in the banks to help defraud five companies out of more than $ 1.1 million.
According to the prosecution, Elkhebris’ alleged role in the act was to open several bank accounts pretending to belong to legitimate companies, as well as accounts for other members of the gang.
One of the alleged accomplices, 21-year-old Onyewuchi Ibeh, from Bowie, Maryland, is accused of tricking companies into transferring money to the fake bank accounts. This is said to have included hiring similar domains to make email communications to targeted companies from reputable vendors appear more authentic.
A third alleged member of the gang, Jason Joyner, 42, from Washington, DC, is said to have been responsible for withdrawing the proceeds from the fraud in cash for distribution between the group.
Prosecutors claim that the group targeted companies in the United States and around the world, sometimes deceiving their victims out of hundreds of thousands of dollars.
One of those victims, according to authorities, was a Boston company that says it was defrauded of $ 356,954 in December 2018.
During the police investigation, logs from the banks were analyzed to determine the IP addresses of computers logging in to bank accounts, and footage from CCTV was analyzed in an attempt to identify persons who had had access to ATMs to withdraw money.
If convicted, Ibeh and Joyner could face up to 20 years in prison each. If Elkhebri is convicted of all the charges against him, he risks a maximum sentence of 52 years in prison.
However, it is common for the actual penalties for federal crimes to be less than the maximum penalties.
Cases like this can serve as a timely reminder to organizations to educate their staff about the risks at BEC and put processes and technology in place to reduce the chances of falling victim.