Convicted BEC scammer could face over 100 years in prison

A US court has found a Nigerian national guilty of charges related to a US $1.5 million business email compromise (BEC) scam and could face the rest of his life in prison as a consequence.

35-year-old Ebuka Raphael Umeti was convicted last week by a federal jury in Alexandria, Virginia, for operating a scheme that preyed upon victims in the United States and elsewhere.

According to evidence presented in court, Umeti and two co-conspirators tricked their way into companies' email accounts and accessed sensitive information. This information was then used to dupe victim businesses into wiring large amounts of money.

By posing as trusted senders, such as a bank or vendor, Umeti and his co-conspirators are alleged to have targeted and hacked numerous organisations in the United States for substantial amounts.  This allegedly included siphoning US $571,000 from a New York wholesaler and US $400,000 from a Texan metal supplier.

Umeti and his alleged accomplices, Franklin Ifeanyichukwu Okwonna from Nigeria and Mohammed Naji Mohammedali Butaish from Saudi Arabia, used a mixture of phishing attacks and malware to gain unauthorised remote access to compromised computers inside targeted companies.

Umeti and Okwonna were arrested in Nairobi in June 2023 after US authorities requested their extradition from Kenya, after being fugitives for nearly a year.

Umeti is scheduled to be sentenced on August 27, 2024, and faces a maximum penalty of up to 102 years in prison for charges which include wire fraud conspiracy, intentional damage to a protected computer, and multiple wire fraud counts. However, he is unlikely to receive such a long sentence.

34-year-old Franklin Ifeanyichukwu Okwonna pleaded guilty on May 20 to his role in the scheme and is scheduled to be sentenced in September.

Butaish, who has not yet been tried, is based in Saudi Arabia and is alleged to have first got involved in the scheme in 2020 when he is said to have assisted in the creation of malware.

Saudi Arabia, unlike Kenya, does not have an extradition agreement with the United States of America, meaning that it's quite possible US investigators will not be able to test their case against Butaish.

Business email compromise is one of the biggest security threats facing organisations. Earlier this year, the FBI's latest annual report on the state of cybercrime described how BEC overshadowed the often headline-grabbing losses caused by ransomware, accounting for an astonishing US $2.7 billion of losses in 2022.

All organisations should put in place training for employees to help them be on their guard against techniques used by cybercriminals, including Business Email Compromise attacks.

In addition, firms would be wise to introduce processes so additional approval is required from executives before large payments to suppliers and contractors are made.