How Fraudsters Nearly Stole $17.5 Million via PPE Fraud4 Dutch and Nigerian Suspects Accused of Scamming German Health Authority
Stop me if you've heard this one before: Fraudsters managed to trick a company into wiring them millions of dollars via a business email compromise attack.
But in this case, suspects working across borders, after the COVID-19 crisis began, created a clone of a Dutch personal protective equipment provider's website that looked good enough to trick a German buyer and compromised legitimate email addresses to help make the ruse look more real, according to Interpol, the international police organization.
"Scammers within Nigeria and other parts of the world are beginning to find creative ways to take advantage of the fears and the needs generated by the pandemic."
The case is a reminder that sophisticated criminal operations - such as this one, involving "compromised emails, advance-payment fraud and money laundering," according to Interpol - continue to target organizations by using relatively simple lures, such as social engineering and phishing emails. Security experts say that defending against these types of attacks requires appropriate information security defenses and practices, but organizations must also review their business processes to make it more difficult for criminals to trick employees into sending them money (see: Business Email Compromise: Must-Have Defenses).
As the ongoing rise of ransomware in particular continues to demonstrate, attackers operating online face this imperative: If they want to keep turning a profit, and especially if they want to see their illicit revenue rise, they need to come up with innovative new ways to fleece victims. But gangs wielding crypto-locking malware aren't the only ones coming up with new types of schemes.
Consider the ongoing case that came to light last year, when Interpol announced that it had helped stop a Netherlands-based BEC campaign that managed to steal 2.4 million euros ($2.9 million) from a German health authority, which was an advance payment for an order that was to total 14.7 million euros ($18 million).
Officials in the German state of North Rhine-Westphalia, who were desperate at the start of the pandemic to find PPE suppliers who could deliver, believed they were buying 10 million face masks from ILBN Holdings BV, which is a legitimate Dutch supplier.
But when the promised gear failed to arrive, Freiherr Fredrick Von Hahn, the German state's representative, visited ILBN's office in the Netherlands, only to discover that "the company never did business with him and that the transaction was a scam," according to Nigerian police.
"Despite being experienced buyers, [German] representatives were hooked by fraudsters and led down a path of referrals, fake emails and websites, extra fees and ultimately, no masks," Interpol says.
After Von Hahn alerted a German bank involved in the payment, a full-scale investigation was launched, leading to Interpol and law enforcement officials in Germany, Ireland, the Netherlands and Nigeria moving quickly to block stolen funds and identify suspects.
Police first arrested two Dutch citizens in the Netherlands - Eduardus Boomstra and Geradius Maulder. Last August, two of their alleged accomplices were then arrested in Nigeria: Babatunde "Teddy" Adesanya, 50, who's lived in the Netherlands for 25 years, and Akinpelu Hassan, 41, a foreign exchange trader who's CEO of Lagos, Nigeria-based Musterpoint.
The Nigerian pair, who have also been accused of creating the cloned website, were sought by German officials via a mutual legal assistance treaty request to Nigeria, which described a German investigation into fraudulent payments tied to the attempted procurement of PPE.
Nigerian police have accused the four men of being part of a "sophisticated transnational criminal network" that specialized in "identity theft, cyber-stalking, cloning of corporate websites" and other fraudulent schemes.
In this case, "investigation by Interpol Nigeria … revealed that Babatunde Adesanya received 498,000 euros from Boomstra and Maulder through his Citibank London account and transferred the same to an account number domiciled with a Lagos branch of a leading commercial bank," Nigerian police said.
'Wire Wire' Job
Based on the allegations, what happened is known as a "wire wire" job, says Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. The funds received from the German health authority "were first moved to a Citibank account in London and then quickly bounced to the Musterpoint account in Lagos," he says. Thankfully, however, "a second bank transfer to Ireland was blocked before the funds reached their ultimate destination." Musterpoint also froze the funds moved to Hassan's account, and they have been returned to the Netherlands.
Last September, investigators reported that they were continuing to pursue leads in the case gleaned from digital forensic analysis of devices seized from suspects and they expected to identify and arrest additional suspects.
Interpol officials didn't immediately respond to a request for comment about the status of the investigation. Nigerian police have said that the case against Adesanya and Hassan would proceed only once the wider investigation had concluded.
Details of the Alleged Scam
Authorities have emphasized that despite the PPE angle to the gang's alleged scam, none of the suspects had any real ties to the healthcare sector. "Those arrested in this case had no connections to the medical equipment industry. They were simply experienced fraudsters who saw an opportunity with the outbreak of COVID-19," said Jürgen Stock, Interpol's secretary general (see: Insights From Interpol on Using Threat Intelligence). "They adapted their sales pitches to take advantage of strained supply chains and generate huge profits."
Many of the gang's alleged tactics mirror classic scammer moves, including bringing psychological pressure to bear at a key moment to try to steal more funds.
Interpol says the scammers promised an initial delivery of 1.5 million masks for an upfront payment of 1.5 million euros ($1.8 million), after which "the buyers initiated a bank transfer to Ireland and prepared for delivery, which involved 52 lorries and a police escort to transport the masks from a warehouse in the Netherlands to the final destination in Germany."
But just before the masks were set to arrive, Interpol says the gang reported that the funds hadn't been received and that it required an immediate transfer of 800,000 euros to the Dutch supplier if the order was to be saved.
'Criminals Will Always Take Advantage'
Nigeria Police Commissioner Frank Mbu, in a media interview last September, said that his police force issued a public warning at the beginning of the pandemic, saying it was sure to be seized on by scammers in Nigeria and around the world.
"We made it very clear that scammers within Nigeria and other parts of the world are beginning to find creative ways to take advantage of the fears and the needs generated by the pandemic and that is also not surprising because everywhere in the world, criminals will always take advantage of the situation," Mbu said (see: Interpol Busts Massive Nigerian BEC Gang).
"They'll take advantage of a war situation; they will take advantage of a pandemic; they will take advantage of a natural disaster; they will even take advantage of big-time celebrations like the Olympics and World Cup and find very creative ways to actually fleece innocent citizens of their hard-earned income," he said. "And that's exactly what happened here."