Phishing

Kosi Goodness Simon-Ebo, a 29-year-old Nigerian national extradited from Canada to the United States last April, pleaded guilty to wire fraud and money laundering through business email compromise (BEC).

Simon-Ebo admitted that in 2017, while he resided in South Africa, he conspired with others in the U.S. to compromise business and employee email accounts.

The scammers then used these accounts to contact businesses with spoofed sender addresses to make it appear that the emails came from trustworthy partners.

The emails contained payment requests and wiring instructions that resulted in the victims sending money to bank accounts controlled by Simon-Ebo and his co-conspirators.

From there, the scammers would move the amounts to other accounts to obscure the money trail before eventually withdrawing cash.

The money launderers also used cashier's checks to write checks to various individuals and business entities, again obscuring the real source of the funds.

According to the plea agreement, the scammers had a high success ratio of roughly 1 to 7, making one million out of the almost seven million they attempted to steal.

"The intended loss for transactions in which Simon-Ebo was directly involved—which were some, but not all of the transactions involving Simon-Ebo and his co-conspirators—was approximately $6,988,249, and the actual loss resulting from these transactions was at least $1,072,306," explains the U.S. DoJ.

Simon-Ebo now faces a maximum prison sentence of 20 years. Sentencing is scheduled for November 29, 2023, in the U.S. District Court of Maryland.

The BEC scammer will also have to pay restitution of $1,072,306, equating to the total amount of losses suffered by the victims.

The BEC scourge

Business email compromise is a high-impact, multi-billion-dollar problem that threatens companies and organizations worldwide.

In 2021, the losses associated with BEC schemes reached almost $2.4 billion in the U.S. based on 20,000 complaints received by the FBI that year.

Verizon reported in June 2023 that BEC attacks have almost doubled this year, and they typically start with an email from a legitimate, compromised address.

In March 2023, the FBI warned that BEC fraudsters had diversified their tactics, and now, instead of targeting money directly, they attempt to redirect valuable hardware, construction, and solar energy products.

Also in March, a report from Microsoft warned about the speed of BEC attacks, explaining that the entire process of compromising email credentials, registering typo-squatting domains, and hijacking existing email threads takes only a couple of hours.
