Phishing for Payroll: Nigerian National Convicted for Attempted Stealing of $6M+ via Phishing

After using phishing scams in an attempt to steal over $6 million dollars from employees of several targeted US colleges and universities, a Nigerian national was convicted on charges of conspiracy to commit wire fraud, computer fraud, as well as aggravated identity theft, according to the US Department of Justice.

The accused was convicted after a three-day trial in Atlanta, Georgia and will be sentenced on October 22, 2018. His accomplice was sentenced for three years and three months in prison back in January.

From their location in Kuala Lumpur, Malaysia, the duo started their scheme by sending phishing emails to university employees. After gaining access to the employees’ university account credentials, they changed the payroll direct deposit information to different bank accounts they got through romance scams. From there, they would funnel the stolen money out of the country. Aside from stealing payroll, they also filed phony tax returns that they stole from the university employees’ W-2 forms — information that were accessible via their university accounts.

The Power of Phishing

Phishing remains to be a solid cybercriminal go-to technique. Recently, Trend Micro detected a phishing scam that sent over 13,000 phishing emails to its intended victims. The spam campaign involves an HTML file attachment that mostly targeted California-based clients of the Royal Bank of Canada.

Phishing is also a major component of business email compromise (BEC) scams, which according to the FBI, is a $12 billion scam that victimizes organizations of all sizes and individuals.  Last June, the leaders of a major BEC ring in Israel that managed to steal EU 18 million from companies were foiled after a two-year investigation.

Defense against Phishing and BEC Scams

Identifying phishing scams through awareness and proper training can help individuals and organizations from falling prey to these attacks. Employing the right security solutions — a mix of traditional defenses as well as advanced technologies such as artificial intelligence (AI) and machine learning (ML) can help tighten defenses against a broad range of cyber threats.

The use of artificial intelligence (AI) and machine learning in Trend Micro™ email security products enhances overall cyberdefense against BEC, EAC, phishing, and other advanced threats. Trend Micro’s anti-BEC technology combines the knowledge of a security expert with a self-learning mathematical model to identify fake emails by looking at both behavioral factors and the intention of an email.

The new Writing Style DNA can detect email impersonation by using AI to recognize the DNA of a user’s writing style based on past written emails and comparing it to suspected forgeries. This feature works best against BEC schemes that involve compromised legitimate email accounts. When an email is suspected of spoofing a user, the writing style is compared to this trained AI model and a warning is sent to the implied sender, the recipient, and the IT department. The new technology has been used by Trend Micro™ Cloud App Security™ for Microsoft® Office 365™ and ScanMail™ Suite for Microsoft® Exchange™ products starting June 2018.

Trend Micro has also introduced FraudBuster, which analyzes the contents of an email, SMS, or chat message to determine the likelihood of it being a scam. Users are encouraged to check any message using the free tool, if they have even the slightest doubt about its contents.  Fraudbuster also provides advice on how to proceed after receiving a fraudulent message. It is intended to protect end users against scams such as romance and tax scams.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.