A Nigerian national, Olusegun Samson Adejorin, was apprehended in Ghana and is currently facing charges associated with orchestrating business email compromise (BEC) attacks that resulted in a charitable organization in the United States losing over $7.5 million.
A federal grand jury indictment in the U.S., consisting of eight counts, outlines Adejorin’s arrest on December 29 for defrauding two charitable organizations based in Maryland and New York. The charges include wire fraud, aggravated identity theft, and unauthorized access to a protected computer, all stemming from cyberattacks on the Maryland-based charitable organizations, ultimately leading to the embezzlement of $7.5 million.
Adejorin’s fraudulent activities unfolded between June and August 2020, involving unauthorized access to email accounts and the impersonation of employees. Operating as an employee of one charity (Victim 2), Adejorin cunningly requested substantial fund withdrawals from the other charity (Victim 1), which offered investment services to Victim 2.
To execute withdrawals exceeding $10,000, Adejorin utilized stolen credentials to send emails from employees’ accounts who were required to approve the transactions. The U.S. Department of Justice revealed that Adejorin also acquired a credential harvesting tool, registered spoofed domain names, and concealed fraudulent emails within Employee 1’s mailbox to avoid detection.
Through these deceptive tactics, Adejorin successfully persuaded Victim 1 to transfer $7.5 million to bank accounts controlled by the attacker, while Victim 1 believed the amounts were being deposited into legitimate Victim 2 accounts.
If convicted, Adejorin faces a maximum penalty of 20 years for wire fraud, five years for unauthorized access to a protected computer, and a mandatory two-year sentence for aggravated identity theft. The U.S. DoJ announcement further mentions that the sentence could be extended by seven years for the malicious registration and use of a domain name.
Business email compromise attacks, also known as CEO fraud, can result in substantial financial losses. To enhance cybersecurity measures, the implementation of multi-factor authentication, email filtering for phishing detection, and the establishment of a robust verification procedure for wire transfer requests involving a secondary communication channel are recommended. Additionally, when faced with suspicious requests, confirming actions through a pre-determined phone number can serve as a crucial safeguard against potential financial fraud.
