"I am a Special Agent with the Federal Bureau of Investigation
(“FBI”), and have been so employed since approximately March 2015 ... I primarily investigate cyber-enabled fraud and business email compromise (“BEC”) schemes." That's how the FBI's criminal complaint against Ray "Hushpuppi" Abbas begins. Abbas is the Nigerian man accused of participating in a massive email scam operation targeting US businesses.
To "Hushpuppi's" 2.4 million Instagram followers, he wasn't known as a criminal, but as a successful real estate developer living the high life of private jets, designer watches & clothes, and fast cars.
One of Abbas' social media posts from a little over a month ago said, "Before you say I’m extra and “too much”, ask yourself... Are you even “enough”?"
However, the way Abbas presented himself was far from the truth. Abbas' day job was posing as a trusted employee or customer of an unsuspecting American business. Using spoofed emails sent to a targeted employee of the victim company, Abbas would trick the business into sending large sums of money to a bank account his transnational network of criminal associates controlled.
The Law Firm That Lost $900,000 to Abbas.
In October of 2019, Abbas and his conspirators targeted a New York law firm that handles the refinance of real estate. A client of the firm was refinancing their property through Citizens Bank. During the closing, a paralegal sent a verification email to a Citizens Bank email address to request wire instructions. There was a serious problem: the email address provided was NOT in fact from Citizens Bank, but a spoofed address made to look exactly like the real thing, set up by Abbas' criminal ring when they had gained access to the law firm's emails.
Shortly after sending the verification email, the paralegal received a fax (per the law firm's instructions) with the wire details, which requested the funds be wired to a Chase Bank account instead.
Following policy, the paralegal called the number on the fax to confirm the wire instructions. Unfortunately, the number was also controlled by the scammers.
Having done her due diligence, the paralegal wired $922,857.76 to the Chase account.
Unbeknownst to anyone at the law firm, that money would soon make its way into the hands of Abbas and his associates.
As soon as the funds landed in the Chase account controlled by the criminals, the deposit triggered a second wire transfer of $396,050 of those funds to a bank in Canada. Abbas took a picture of that transfer and sent confirmation via his Snapchat account to his accomplices. Another easy payday from a successful scam.
The remainder of the funds was also quickly transferred to other accounts.
The law firm didn't realize the funds had been sent to the wrong account until later that month, when their client, who should have received the funds, checked their account and discovered the money for the refinance had never been deposited.
Catching "The Billionaire Gucci Master."
@hushpuppi Abbas' personal Instagram account flaunted his luxury lifestyle.
Abbas' display name on Snapchat described him as "The Billionaire Gucci Master!!!" but it may have been his frequent posting of his lavish lifestyle on Instagram that got him busted by the FBI.
The FBI report mentions being able to learn Abbas' personal email, phone number, recent travels, and the IP address from where he was living in Dubai all from his Instagram account. They also analyzed the pictures he posted to generate a list of items that were most likely purchased using stolen and laundered funds.
Here's how Abbas was able to successfully steal millions from so many US companies.
- He would acquire a bank account that would accept millions of dollars without asking too many questions or raising any red flags. (At the time of his arrest, Abbas had access to wire information for accounts in Romania, Bulgaria, Dubai, and Mexico among others.)
- His hacker conspirators would gain access to the emails inside of an organization and spoof them, learning what the correspondence the victim expected to receive looked like.
- Abbas would hold onto his access and wait for the perfect time to insert his fraudulent wire instructions into a routine business operation. In almost all of the schemes he and his conspirators ran, they tricked a victim into sending a payment to one of their accounts by switching bank account information on payment instructions provided to the victim.
What Lessons Can US Businesses and Organizations Take From This?
First, while it's great that Abbas is in government custody, he is only one of thousands of criminals who work for organized crime rings that target small businesses. In fact, some of his co-conspirators are still on the loose!
Second, it may seem discouraging when you think that emails, links, faxes, and even phone numbers can't always be trusted in financial transactions.
If you're in a position to send a payment on behalf of your company, always have at least one fail-proof point of contact involved in the transaction. That may mean always speaking with someone you know and trust before wiring money or authorizing a payment to anywhere. If you're willing to go back far enough, there will always be a point of contact that you can verify as being legit. Certainly don't believe everything you read in an email or even that a stranger tells you over the phone.
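The verification advice above, written as a pre-release check. This is an added example, not taken from the article's source or the FBI complaint. It assumes the payer keeps a counterparty record (`ON_FILE`) captured before the transaction began; every domain, account number and phone number below is constructed.

```python
# Added example: hold a wire when its instructions disagree with the record on file.
# ON_FILE, SPOOFED and GENUINE are constructed sample data, not values from the case.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_wire_request(request: dict, on_file: dict) -> list[str]:
    """Return reasons to hold the payment; an empty list means nothing was flagged."""
    flags = []
    sender_domain = request["sender"].rsplit("@", 1)[-1].lower()
    trusted = on_file["email_domain"].lower()
    if sender_domain != trusted:
        if edit_distance(sender_domain, trusted) <= 2:
            flags.append(f"lookalike sender domain: {sender_domain} vs {trusted}")
        else:
            flags.append(f"unrecognized sender domain: {sender_domain}")
    # The swap described above: payment details replaced inside a routine exchange.
    if (request["bank"], request["account"]) != (on_file["bank"], on_file["account"]):
        flags.append("beneficiary bank/account differs from the record on file")
    # A callback only helps if the number predates the request being verified.
    if request["callback_number"] != on_file["phone"]:
        flags.append("callback number came from the request, not the record on file")
    return flags

ON_FILE = {"email_domain": "citizensbank.example", "bank": "Citizens Bank",
           "account": "000111222", "phone": "+1-555-0100"}
SPOOFED = {"sender": "closings@citizensbnak.example", "bank": "Chase Bank",
           "account": "999888777", "callback_number": "+1-555-0199"}
GENUINE = {"sender": "closings@citizensbank.example", "bank": "Citizens Bank",
           "account": "000111222", "callback_number": "+1-555-0100"}

if __name__ == "__main__":
    for name, req in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, review_wire_request(req, ON_FILE) or "no flags")
```

Any single flag is reason to stop and reach the counterparty through the contact details already on file, not through anything supplied in the message, fax or call being checked.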
Third, it has become essential to educate every employee in email phishing practices and to verify which emails in your organization may be compromised. To help small businesses with this, we created our Cloud Security to be a combination of internal email monitoring, dark web monitoring, and employee phishing education to give companies more opportunities to identify these criminal scams before they become costly mistakes.