A Nigerian national was arrested in Ghana and is facing charges related to business email compromise $($BEC$)$ attacks that caused a charitable organization in the United States to lose more than $$7\mathrm{.}5$ million.

Olusegun Samson Adejorin was arrested on December $29$ for defrauding two charitable organizations in Maryland and New York, according to an eight$-$count federal grand jury indictment in the U$.$S$.$

Specifically, Adejorin faces charges for wire fraud, aggravated identity theft, and unauthorized access to a protected computer linked to attacks aimed at two Maryland$-$based charitable organizations, culminating in the embezzlement of $$7\mathrm{.}5$ million.

Stealing millions

In an annoucement this week, the U$.$S$.$ Department of Justice $($DoJ$)$ says that Adejorin$$s fraud scheme occurred between June and August $2020$ and involved unauthorized access to email accounts as well as impersonating employees..

Posing as an employee of one charity $($Victim $2),$ Adejorin requested large withdrawals of funds from the other charity $($Victim $1),$ which provided investment services to Victim $2.$

To successfully process withdrawals over $$10,000,$ Adejorin used stolen credentials to send emails from accounts of employees that needed to approve the transactions.

$$As part of the scheme, Adejorin also allegedly purchased a credential harvesting tool designed to steal email login credentials, registered spoofed domain names, and concealed the fraudulent emails from a legitimate employee by causing the fraudulent emails to be moved to an inconspicuous location within Employee $1$s mailbox.$-$ U$.$S$.$ Department of Justice

Following these actions, Adejorin successfully tricked Victim $1$ into transferring $$7\mathrm{.}5$ million to bank accounts the attacker controlled, while the organization believed they were depositing the amounts into legitimate Victim $2$ bank accounts.

Adejorin faces a maximum penalty of $20$ years for wire fraud, five years for unauthorized access to a protected computer, and a mandatory sentence of two years for aggravated identity theft.

The U$.$S$.$ DoJ announcement also notes that the sentence may be extended by seven years for malicious registration and use of a domain name.

BEC attacks, also known as CEO fraud, can result in significant financial damage. Last summer, a report from the FBI noted that business email compromise had caused billions of U$.$S$.$ Dollars in losses.

Some reasonable defense measures to consider include implementing multi$-$factor authentication to reduce the likelihood of unauthorized account access, using email filtering to detect and block phishing attempts, and establishing a verification procedure that underpins wire transfer requests and involves using a secondary communication channel.

When met with suspicious requests such as changing bank account details, simply calling the partner on a pre$-$determined number to confirm the action can help save millions.