A Nigerian man pleaded guilty Wednesday for his role in one of the nation’s longest-running internet scams, admitting to stealing millions of dollars from businesses who fell victim.
Onyekachi Emmanuel Opara would contact companies posing as either one of their executives or a third-party vendor, then trick employees into sending money into bank accounts he controlled, prosecutors said.
He and co-conspirator David Chukwuneke Adindu would modify emails to mimic those of the company or its vendors. Once the unwitting employees transferred the funds, Opara and Adindu would withdraw the money from the account. The scams victimized thousands of people out of millions of dollars, said Geoffrey Berman, U.S. attorney for the Southern District of New York.
Gang Wang, a Virginia Tech computer science professor, said the scam was a version of the Nigerian prince hoax that became notorious online, involving someone claiming to be a government official or royalty and asking for money to help transfer his vast wealth, promising the target a share of those funds.
“The Nigerian prince scam has been evolving towards a more targeted and customized attack,” Mr. Wang said. “If you can impersonate someone the victim knows, their supervisor is a great choice because workers don’t want to offend their supervisor.”
Mr. Wang said it takes relatively little work for hackers to learn whom to impersonate at a company. Some businesses list their corporate structure on LinkedIn or other social media sites and hackers can write scripts, pull the data off the internet and pick their targets.
Hackers will also pose as human resources professionals, asking workers to verify information from the tax forms in order to steal their identities.
Since January 2015, identified worldwide losses from the attack, known formally as business email compromise (BEC) scams, have grown 1,300 percent to more than $3 billion, according to the FBI’s Internet Crime Complaint Center. The number of complaints has grown 50 percent since 2016, the FBI said.
Opara pleaded guilty to one count of wire fraud and one count of conspiracy to commit wire fraud before U.S. District Judge Paul A. Crotty in Manhattan. Each charges carries a maximum sentence of 20 years. Sentencing is scheduled for July 11.
Adindu, who was co-defendant in the case, pleaded guilty last year to one count of conspiracy to commit wire fraud and one count of conspiracy to commit identify theft. He was sentenced to 41 months in prison in December.
The arrest of Opara, whom South Africa extradited to the U.S. in January, is likely to have little impact on the millions of hackers worldwide because most of them operate from countries that do not have extradition treaties with the U.S., said Douglas Salane, director of the Center for Cybercrime Studies at John Jay College of Criminal Justice.
“The deterrence effect is probably limited,” he said. “One prosecution is not going to influence someone in a country where they are more or less protected from our legal system.”
• Jeff Mordock can be reached at jmordock@washingtontimes.com.
Please read our comment policy before commenting.