Amil Hassan Raage has taken a guilty plea to charges of fraud in a business email compromise (aka CEO fraud) case that netted him and his criminal co-conspirators almost three-quarters of a million dollars in twenty-eight payments. According to the story in Infosecurity Magazine, Raage induced a university to divert payments to an account he controlled over the course of slightly more than a month, from August 8th to September 12th of 2018.
On July 23rd, 2018, the University of California San Diego (UCSD) received a spear phishing email that spoofed a Dell account, instructing the University to send its payments for Dell equipment and services to a Wells Fargo account in Minnesota that Raage controlled. The email itself had been sent by one of Raage’s criminal associates in Kenya. UCSD complied, for a while, making twenty-eight wire transfers totaling $749,158.37 to the account Raage’s colleagues had given them. Immediately after the deposits were made, Raage either withdrew the money or transferred it to another account.
When UCSD realized they were the victim of fraud, they stopped payment. Wells Fargo froze Raage’s account, at which point he fled the United States for Kenya. Unfortunately for Raage, that didn’t place him beyond the reach of the law. The Kenyan National Police arrested him on May 7th of this year. He was extradited to the United States on May 23rd.
The US Attorney’s Office for the Southern District of California, which handled the prosecution, said that this was not Raage’s first time running a business email scam. On one earlier occasion he and his colleagues impersonated Dell to extract six wire transfers amounting to $123,643.77 from an unnamed university in Pennsylvania.
The Justice Department and the FBI found the cooperation they received from the Kenyan National Police gratifying, and that indeed is the good news to emerge from this story. FBI Special Agent-In-Charge Scott Brunner said, “As exemplified by this outstanding result, criminals who operate in cyberspace falsely believe themselves to be beyond the reach of law enforcement, but they are sorely mistaken. Our agents will relentlessly pursue justice, aided by our foreign partners. Thank you to the Kenyan National Police and the Office of International Affairs for their invaluable assistance in bringing Mr. Raage before the bar of justice.”
Less encouraging is the way in which two university business offices complied with a request to change the destination of payments due for purchases of computers and services. Such purchases are no novelty, and there are many sound business reasons to handle these matters online. Efficiency, however, can sometimes compete with security. The US Justice Department says that business email compromise directed against universities is rising. It’s important that the people handling transactions in any organisation learn to recognize fraud and follow sound practices to avoid falling victim to scams. New-school security awareness training has an important place in any organisation’s preparations to withstand social engineering in all its forms.
Infosecurity Magazine has the story: https://www.infosecurity-magazine.com/news/bec-scammers-cost-us-universities/