Wire fraud that combines identity theft with email compromise has escalated sharply within the class of evolving cybercrimes that exploit both financial institutions and their customers.
To help shine a spotlight on this growing fraud formula, I thought it would be beneficial to share the details of a recent real-life case which involves stolen identities of multiple executives at one victim company; multiple victim companies; and multiple financial institutions exploited by the perpetrator in the execution of the fraud scheme.
Case Overview: Stolen Identities – Bogus Emails – Wire Fraud – Multiple Financial Institutions Exploited
In August 2016, a resident of Florida pleaded guilty to 14 counts of wire fraud and 5 counts of aggravated identity theft. The perpetrator stole the identities of, and posed as, at least five different executives of a number of companies. He generated false and fraudulent emails and other documents in the names of those companies to defraud financial institutions (FIs), and caused those FIs to wire and transfer to him funds to which he was not entitled.
The criminal used money he obtained from banks by posing online as the executives to purchase real estate and for other personal enrichment.
A schedule depicting the detailed financial transactions for this case is included below (Figure 1) as well as key highlights outlining the anatomy of the scheme.
Anatomy and Highlights of The Scheme
The following synopsis outlines key activities undertaken by the perpetrator in the execution of this fraud scheme.
- Stole the identities of and posed as executives of companies and corporations
- Created email addresses using the identities of executives of those companies and corporations for his own use
- Fabricated stories of business projects that would cause financial institutions to provide financing to the companies and corporations that the perpetrator claimed to represent
- Posing as various executives, initiated and engaged in email and telephone communications with representatives of financial institutions
- Created false and fraudulent documents, including purchase orders, invoices, insurance records, and emails purportedly exchanged by representatives of the businesses whose identities he had stolen, designed to create the illusion that the fabricated stories of business projects were real
- Using stolen identities, transmitted the false and fraudulent documents he had created, via email and otherwise, to representatives of financial institutions in support of requests for financing
- Created a business entity and opened a bank account in the name of that entity
- Using stolen identities, provided payment instructions via email to representatives of FIs, which in turn caused FIs to electronically transmit funds intended to finance the business projects in the fabricated stories to accounts controlled by the perpetrator
- Used the funds wired by the FIs to purchase a personal residence and otherwise for his own personal enrichment
Stolen Identities: The Four Victim Companies
The brief descriptions for the four (4) victim companies noted below illustrate the wide range of business activities in which these companies are engaged.
Company A: publicly-traded diversified industrial corporation that produces engineered products for global niche markets
Company B: limited liability company engaged in the business of providing custom information technology solutions
Company C: corporation involved in business information management
Company D: national transport corporation
Aggravated Identity Theft: Multiple Business Executives and Multiple Companies
The job titles listed below denote the positions of the business executives who were targets of the five (5) counts of aggravated identity theft in this case.
Company A: Vice President, General Counsel and Secretary
Company A: Vice President of Information Technology
Company A: Chief Financial Officer
Company C: Director of Business Development
Company D: Company Officer
Companies Set Up by the Perpetrator Used to Receive the Fraudulent Funds Transfers
The superseding indictment for this case references two (2) businesses which were set up by the perpetrator and used to gain access to the fraudulent funds.
Company X: domestic for-profit corporation, created by the perpetrator with himself as its president, that was purportedly engaged in the business of producing customized t-shirts
The perpetrator used Company X to open a bank account at Financial Institution #5 to receive funds from Financial Institution #3 (see Figure 1).
Company Y: company set up by the perpetrator in which he held the position of officer
Financial Institution #1 and Financial Institution #2 transferred funds payable to an account held by Company Y at Financial Institution #4 (see Figure 1).
Multiple Financial Institutions Utilized as Senders and Receivers of the Fraudulent Funds Transfers
Total dollar amounts for each of the FIs used by the perpetrator in association with the fraudulent funds transfers are listed in aggregate below. Figure 1 in the following section itemizes the individual transactions for each of the fourteen (14) counts of wire fraud.
Financial Institution #1:
Transferred $421,512.25 to an account in the name Company X at Financial Institution #4
Financial Institution #2:
Transferred $748,504.01 to an account in the name Company X at Financial Institution #4
Financial Institution #3:
Transferred $1,064,664.74 to an account in the name Company Y at Financial Institution #5
Financial Execution of the $2.2 Million Fraud Scheme
Figure 1 outlines the detailed transactions for each of the fourteen (14) counts of wire fraud with which the perpetrator was charged.
The Burgeoning Crime of Business Email Compromise
Supervisory Special Agent Mitchell Thompson, head of the financial cyber crimes task force in the FBI’s New York office, was quoted in The Financial Times earlier this year on the growing cyber-enabled crime of Business Email Compromise (BEC). Here’s some of what he had to say:
“It has gotten quite out of hand”. The criminals are “becoming more brash”, by introducing third parties, such as law firms and consultants, to carry out the fraud. They have also become more sophisticated about how they troll potential victims.
“They’re using social media a lot against us. They might send a spam email intentionally to see that the executive is out of the office, [making] it prime time to target. They might look on Facebook and see that [the chief executive is] travelling to Europe or Australia so they know you’re in the air for a certain amount of time” and have a window to strike.
A few examples of the numerous U.S. businesses which have incurred losses from BEC attacks include:
Xoom (international money transfer company that was acquired by PayPal) – $30.8M loss
Scoular (commodities trader and one of the top privately held U.S. companies) – $17.2M loss
Ubiquiti Networks (networking technology company) – $46.7M loss.
Whereas some BEC schemes have been as large as $90M, Special Agent Thompson commented that “the ones you don’t hear about are the smaller corporations that send $50,000. They’re saying, ‘I’m not going to make payroll, we’re going to close our doors’ as a result of the fraud.”
FinCEN “Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes” (FIN-2016-A003)
I strongly recommend that all financial institutions read the comprehensive advisory on email compromise fraud schemes which was published by FinCEN last month. This advisory explains both Business E-mail Compromise (BEC), which targets commercial accounts, and E-mail Account Compromise (EAC), which targets personal accounts. It outlines various scenarios and provides a detailed list of Red Flags which were developed in consultation with the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS). The advisory is available here on FinCEN’s website.