Banking Insider Accused of Role in $1m BEC Scheme
Three men including one former bank employee have been indicted by a federal grand jury for their alleged role in a business email compromise (BEC) conspiracy.
Onyewuchi Ibeh, 21, of Bowie, Maryland, Jason Joyner, 42, of Washington, DC and Mouaaz Elkhebri, 30, of Alexandria, Virginia, were charged with money laundering and aggravated identity theft, according to a superseding indictment late last week.
According to the court documents, they’re said to have targeted firms of all sizes across the globe between January 2018 and March 2020.
After phishing their way into employee accounts, they would allegedly conduct months-long reconnaissance before stepping in at the crucial moment when a supplier invoice was expected by the victim company — substituting their own highly convincing request for payment.
Faked domains mimicking those of the supplier were employed to add legitimacy to their communications with the victim organization.
At least five businesses lost over $1.1m in total over the period, with the co-conspirators laundering the funds through dozens of bank accounts, according to the Department of Justice (DoJ).
Each man is said to have played a particular role in the scheme.
Ibeh apparently managed the money laundering process, directing the others to open accounts which he used to wire money around the world. Joyner allegedly withdrew criminal proceeds in cash and delivered it to the other two. Elkhebri is said to have opened accounts in the name of both co-conspirators and victims, using his position as a bank employee to do so.
Elkhebri worked for Bank of America and TD Bank during the period.
Ibeh and Joyner are charged with conspiracy to commit money laundering and money laundering — and each faces a maximum penalty of 20 years in prison. Elkhebri is charged with conspiracy to commit money laundering, money laundering, false entries in a bank’s books, and aggravated identity theft — charges which carry a maximum of 52 years.
According to Accenture, the cost of cyber-attacks carried out by malicious insiders jumped 15% in 2019 to reach $1.6 million per organization, on average.