A Nigerian resident has been ordered to pay back $2.5 million in damages and serve five years in prison for running business email compromise (BEC) scams which sought to defraud victims out of $25 million.
Onyekachi Emmanual Opara was sentenced on Tuesday in a Manhattan, New York federal court for his crimes, according to the US Department of Justice (DoJ).
Between 2014 and 2016, Opara and co-defendant David Chukwuneke Adindu operated a number of BEC scams. While operating from Lagos, Nigeria, the scams targeted victims worldwide, including in the US, UK, Australia, New Zealand, and Singapore.
Phishing emails were sent to the employees of target companies, often representing that the messages were from supervisors or third-party vendors that held business relationships with the victims.
In order to appear genuine, the messages were sent from email accounts based on domains that were similar to the true domains of respectable companies. This is a technique common to BEC scams, which generally involve social engineering and research in order to craft messages which are more likely to be accepted as legitimate.
Researchers in February, for example, discovered a BEC campaign originating from Nigeria which created fraudulent DocuSign login pages on over 100 compromised websites in order to dupe victims into entering their business credentials. It is believed that the sophisticated scheme has resulted in millions of dollars being stolen to date.
TechRepublic: Awful military and government LinkedIn passwords highlight need for 2FA, new policies
Opara's operation also focused on funding requests. When phishing emails were successful, money was transferred into accounts controlled by the scammers.
Law enforcement says that the scheme attempted to scam $25 million from victims across the world.
However, Opara went further. In addition to the BEC scams, he also entered into romantic relationships through dating websites. Posing as an attractive woman called "Barbara," the man asked US individuals to send him money.
In one case, an individual duped through the romance scam sent the scammer $600,000. The 30-year-old was arrested in Johannesburg, South Africa in December 2016 and was extradited to the United States to stand trial.
See also: LuckyMouse uses malicious NDISProxy Windows driver to target gov't entities
Opara pled guilty to conspiracy to commit wire fraud and wire fraud and will serve 60 months in prison, pay back $2.5 million in restitution, and was also given two years of supervised release.
"From halfway around the world, Onyekachi Emmanuel Opara ran a global email scam business that victimized thousands of people out of millions of dollars," US Attorney Geoffrey Berman said. "The global reach of our Office and the FBI ensured that Opara will serve time in the United States for his crimes."
Co-conspirator Adindu pled guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit identity theft in 2017. Adindu was sentenced to 41 months in prison and was ordered to pay back $1.4 million.
CNET: How to avoid tech support scams
On Wednesday, a Russian man was jailed in the US for operating the Kelihos botnet. Branded one of the world's "most notorious criminal spammers," the individual used the botnet to send out phishing emails designed to steal account credentials and financial information.
How to discover and destroy spyware on your smartphone (in pictures)
Previous and related coverage