Known only as ‘Mike,’ the man faces charges of hacking, conspiracy and obtaining money under false pretences after he was arrested in Port Harcourt, southern Nigeria.
It’s believed the man, 40, was the “head of a network” of 40 criminals across Nigeria, Malaysia, and South Africa.
Interpol, which was involved in the arrest, said the “mastermind” was involved in providing malware, conducting online fraud and had connections to money launderers in China, Europe, and the US.
Two main scams involved: fraud where a CEO’s email account was targeted; and a second where suppliers’ accounts were hit. In one case Interpol believe Mike and accomplices tricked a business into paying out $15.4m (£11m).
Both scams work by tricking those working for companies that urgent payments need to be made to specific bank accounts – requests for payment are made to look like they have come from an official source.
For ‘CEO fraud’ the authorities say the email account of a “high-level executive” is compromised and a message requesting a money transfer is then sent to a staff member who handles accounts and payments. In the supplier-related fraud an email account is compromised and a fake request for immediate payment is made.
“The network compromised email accounts of small to medium businesses around the world including in Australia, Canada, India, Malaysia, Romania, South Africa, Thailand and the US, with the financial victims mainly other companies dealing with these compromised accounts,” Interpol said in a statement.
The fraud type is also not uncommon in the UK. In November WIRED spoke to a number of London-based startups who had been conned out of money through scammers sending fake emails to their accounts.
One major web-based company lost £16,000 after scammers registered almost identical domain names to the firm they were targeting. Using email addresses created with the fake URLs, messages were sent to CEOs, some of whom believed they were coming from their own staff members, and issued notices to make immediate payments.
At the time the City of London Police’s Action Fraud group said it was crucial to verify all changes to financial arrangements; carefully check bank statements; and if there are any phone calls asking for money to ask the caller for a switchboard number they can be accessed from.
In the UK, official figures show that one in ten adults are victims of some form of cybercrime. The figures, published for the first time in June, revealed a total of 5.7m online crimes were committed in 2015. Of these, there were 3.7m cases of fraud.
Noboru Nakatani, from Interpol Global Complex for Innovation, said businesses should be more aware of this kind of fraud. “Basic security protocols such as two-factor authentication and verification by other means before making a money transfer are essential to reduce the risk of falling victim to these scams,” he said.
Mike was picked-up in June by Interpol and the Nigerian Economic and Financial Crime Commission alongside a 38-year-old. Both are on administrative bail while the investigation continue.