Scammer Arrested After Defrauding US Universities of Over $870K

Amil Hassan Raage was arrested for defrauding two U.S. Universities of more than $870,000 as part of a business email compromise (BEC) fraud scheme he ran during last year.

BEC (also known as Email Account Compromise - EAC) scams are fraud schemes where cybercriminals deceive an organization's employees into wiring money to entities they trust but whose bank accounts were swapped to ones controlled by the crooks before the initial contact.

Raage pleaded guilty of receiving multiple payments totaling $749,158.37 from the University of California San Diego (UCSD) and $123,643.77 from a Pennsylvania university.

Both universities were the victims of a spear-phishing attack which allowed the defendant to redirect some Dell equipment and services payments to his own Wells Fargo bank account in Minnesota.

Phishing emails sent by Kenyan co-conspirators

Assuming that the phishing emails received from Raage were from a legitimate Dell employee, both UCSD and the Pennsylvania university followed the instructions and redirected the payments.

"Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice," said U.S. Attorney Robert Brewer. "As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception."

UCSD ended up wiring 28 payments into Raage's account between August 8 and September 12, 2018, while the other university sent six payments during January 2018. The two universities only stopped the payments after being alerted of the ongoing fraud.

In both cases, the spear-phishing emails sent to the U.S. universities were actually sent by one of Raage’s Kenyan co-conspirators. After every payment that reached his bank account, Raage "would promptly withdraw the money or transfer it to another account."

"As exemplified by this outstanding result, criminals who operate in cyberspace falsely believe themselves to be beyond the reach of law enforcement, but they are sorely mistaken," added FBI Special Agent-In-Charge Scott Brunner.

"Our agents will relentlessly pursue justice, aided by our foreign partners. Thank you to the Kenyan National Police and the Office of International Affairs for their invaluable assistance in bringing Mr. Raage before the bar of justice."

"Raage’s sentencing is set for 8:30 a.m. on October 11, 2019, before U.S. District Judge Gonzalo P. Curiel," says the Department of Justice press release.

BEC scammers are on a roll

BEC scams were the cybercrime behind the highest reported total losses during last year, with victims losing over $1,2 billion throughout the year as detailed in the Internet Crime report published in April 2019 by FBI's Internet Crime Complaint Center (IC3).

"Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector," the IC3 explains.

BEC fraud schemes have also seen a striking 476% growth between Q4 2017 and Q4 2018, with the total number of email-based fraud attempts targeting businesses and organizations growing by 226% QoQ according to a Proofpoint report from January.

The Financial Crimes Enforcement Network (FinCEN) also released a report in July asserting that BEC SAR filings (suspicious activity reports) grew from an average of $110 million per month in 2016 to over $301 million dollars per month in 2018. 

To make sure that their employees are not going to get tricked by BEC scammers, organizations need to implement very strict vendor processes designed to check for and authenticate any changes through multiple processes, including direct phone calls and/or face-to-face meetings when making any payment changes.