Maryland Man Sentenced for Leading $4.2 Million BEC SchemeNkeng Amin Will Serve Substantial Prison Term
A 31-year-old Maryland man has been sentenced to more than seven years in federal prison for his leadership role in a business email compromise scheme that netted $4.2 million from 13 victims over a two-year period, according to the U.S. Justice Department and the Secret Service.
See Also: 2021: A Cybersecurity Odyssey
Nkeng Amin of Beltsville, Maryland, was sentenced Tuesday to 87 months in federal prison after entering a guilty plea. Amin, who is also known as "Rapone" and "Arnold," also must pay just over $1 million in restitution, according to the Justice Department.
During this week's court hearing, U.S. District Judge Paul W. Grimm also sentenced three of the co-conspirators in the case to federal prison terms ranging from 57 months to 90 days. Two others being held in custody are awaiting sentencing, according to the Secret Service.
While the six fraudsters managed to steal over $4 million from the victims between February 2016 and July 2017, the group actually attempted to take as much as $11 million during this time, according to federal authorities.
The complex business email compromise scheme involved multiple accounts at different banks.
Business email compromises, also known as CEO fraud, are social-engineering schemes. After stealing the email credentials of a top executive through phishing and other methods, the attackers impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to various bank accounts. In other cases, the attackers spoof a company's business partner.
In 2018, the FBI's Internet Crime Complaint Center reported that BEC attacks caused about $2.9 billion in losses within the U.S. The agency's numbers were based on fraud reports from over 41,000 victims submitted from October 2013 to May 2018.
A more recent study by Beazley Breach Response Services, a unit of global insurance company Beazley, found that BEC schemes are becoming more targeted and that attackers have become better at accessing legitimate email accounts and increasing the number of messages sent to victims to increase the likelihood that someone will fall for the scheme.
In recent years, business email compromise schemes have only made up about 6 percent of all social-engineering attacks spotted by Barracuda Networks, but with losses now totaling in the billions, BEC is now a major concern to all enterprises, says Lior Gavish, a senior vice president of engineering at the security firm. Since February, Barracuda has recorded a 24 percent uptick in these schemes, Gavish adds.
"We are seeing an increasing trend in BEC attacks where hackers take over legitimate accounts, learn about organizational details and any deals in process," Gavish says. "They then launch a well-timed BEC attack from compromised accounts, asking for wire transfers or introducing last minute-changes to account details to defraud organizations. Because these attacks originate from legitimate accounts and often target internal employees, many email security solutions will struggle to detect and block the attacks."
The Amin Case
The case involving Amin worked much like many other BEC schemes.
Over the course of two years, Amin and the others posed as an entity with which a victim was associated, and then started corresponding through spoofed email accounts. Eventually, wire transfer instructions were sent and victims sent substantial sums of money to drop accounts created with fictitious business names, according to the Secret Service.
These various drop accounts, which were opened at several banks, including Capital One, TD Bank, Bank of America, the Navy Federal Credit Union and Sun Trust, were actually controlled by Amin and the five others, according to the 2018 indictment.
"Amin and others then disbursed the money in the drop accounts that were received from the victims by, among other things: electronically transferring money to other accounts; transferring funds to other accounts at the same bank; withdrawing cash; obtaining cashier's checks; and writing checks to other individuals or entities," according to the Secret Service statement.
The group appears to have used some of that money to purchase luxury cars, with federal agents seizing a 2010 Mercedes, a 2011 Porsche, and a 2014 Land Rover, according to the indictment.
While most of the BEC schemes took place in Maryland, other victims were located in Massachusetts, Colorado and California, according to the Justice Department.