Fraudsters employing an increasingly common scheme known as business email compromise victimized a United States company for more than $98 million, according to a suit filed by the U.S. Attorney’s office in Manhattan Thursday.
The civil forfeiture lawsuit is an attempt to recover $25 million in funds held in a variety of overseas accounts, money that the federal government says was stolen from an unnamed U.S. company. The scam, run over the course of several months last year, followed what has become a familiar pattern of late.
Posing as the representatives of a vendor used by the target company, the fraudsters set up fake email addresses that mimicked the vendor’s, and began communicating with a third party that handles vendor payments. Over the course of several months, the criminals were able to fool the third party company into transferring nearly $100 million to an account at Eurobank Cyprus. The money then was split up and transferred into accounts in banks around the world, including in Latvia, Hungary, Hong Kong and elsewhere.
Officials at Eurobank Cyprus realized quickly that something had gone wrong, and worked with law enforcement agencies in the U.S. and Cyprus to find and recover about $74 million of the stolen money. It’s the other $25 million that the U.S. Attorney is now trying to recover.
“Criminals can be resourceful and unrelenting in their efforts to scam innocent victims out of money. Here, the alleged perpetrators – through a fake email address and by impersonating a legitimate vendor – almost got away with $100 million. Thanks to the timely actions of law enforcement here and abroad, as well as by Eurobank in Cyprus, where the stolen funds were first sent, $74 million has already been returned to the victim company. With this civil forfeiture action, we seek to return the rest,” Manhattan U.S. Attorney Preet Bharara said in a statement.
This fraud would represent one of the larger known cases of business email compromise, a term that’s used to describe a broad range of schemes. The scams typically involve fraudsters using a spoofed email to target employees of a given company who have authority over finances. They often will impersonate a high-ranking executive and order the employee to transfer money to an outside account right away. The Manhattan case is somewhat unusual in that the attackers went after a third party vendor used by the actual victim company.
“Using this fake email address, the perpetrators then communicated with an email account maintained for the purpose of allowing vendors to communicate with the Professional Services Company on behalf of the Victim Company. Through those email communications, the perpetrators of the scheme convinced the Professional Services Company to change the designated bank account to which the Victim Company would make recurring payments to the Vendor for services rendered,” the U.S. Attorney’s office said.
“As a result, payments from the Victim Company meant for the Vendor were transferred to an account under the control of the perpetrators of this scheme rather than an account actually affiliated with the Vendor.”
The scheme involved 16 separate payments to the attackers’ account, totaling $98,879,545.80. The U.S. Attorney’s office did not identify the victim company, but said it’s an American firm that does business all over the world. The stolen funds are being held in at least 20 accounts right now.