Operation Phish Phry, a multinational investigation conducted in the United States and Egypt that commenced in 2007, revealed how Egyptian-based hackers "phished" bank account numbers and related personal identification information from an unknown number of bank customers. The victims were usually contacted by what seemed to them an official email from banks or credit card vendors. The communication directed the recipients to fake financial institution websites, which looked like the real deal. Upon arriving at these phishing sites, customers unfortunately entered their account numbers, passwords and other personal identification information.
Operation Phish Phry resulted in 53 defendants being named in a 51-count federal indictment, and 47 suspects being charged in an Egyptian court.
In Egypt, conspirators collected victims' phished bank account information and used that data to hack into accounts at two banks. Once they accessed the accounts, the Egyptian crew communicated via text messages, telephone calls, and Internet chats with their US co-conspirators, coordinating the online transfer of funds from the compromised accounts to newly created fraudulent accounts.
Yankee Doodle Dandies
The United States part of the ring was managed by three people:
- Nichole Michelle Merzi, 25, of Oceanside, CA;
- Kenneth Joseph Lucas, 26, of Los Angeles, CA; and
- Jonathan Preston Clark, 26, of Los Angeles, CA
Merzi, Lucas (at the time Merzi's boyfried), and Clark directed associates to recruit runners to set up bank accounts where the stolen funds could be transferred and withdrawn. A portion of the illegally obtained funds withdrawn were then transferred via wire services to the Egyptian co-conspirators who had originally provided the phished bank account information.
From February 2008 through September 2008, Merzi opened numerous Bank of America accounts in her name at a variety of branches and transferred in the stolen funds. From October 2008 to early 2009, Merzi and Lucas also had their Egyptian conspirators make unlawful transfers from phished accounts to other fraudulent accounts opened in Southern California and elsewhere.
Crash And Burn
Lucas pled guilty to conspiracy, bank fraud and aggravated identity theft. Clark pled guilty to conspiracy and bank fraud.
On March 25, 2011, after a six-week trial, a federal jury in the Central District of California found five defendants guilty:
- Merzi: conspiracy, computer fraud, bank fraud, and aggravated identity theft;
- Tramond S. Davis, 21, of Las Vegas, NV: conspiracy;
- Shontovia D. Debose, 22, of Las Vegas, NV: conspiracy;
- Anthony Donnel Fuller, 22, of Corona, CA: conspiracy and two counts of bank fraud;
- Me Arlene Settle, 22, of Garden Grover, CA: conspiracy and two counts of bank fraud.
The conspiracy and bank fraud charges in this case carry statutory maximum sentences of 30 years in federal prison. The charge of aggravated identity theft carries a minimum sentence of two years that must be added to any of sentence imposed on the defendant.
As a result of Operation Phish Phry, 47 people have been convicted in federal court in Los Angeles. Prior to the trial, prosecutors had dismissed charges against two defendants - another had agreed to plead guilty; another defendant is a fugitive; and one defendant was found not guilty by the jury. The final two defendants charged in relation to Phish Phry are pending trial. In 2011, Defendant Lucas was sentenced in two federal cases-one stemming from the phishing scheme and one from a indoor marijuana grow operation that he constructed-to a total of 13 years in federal prison.
On May 14, 2012, Merzi who was in custody since the March 2011 guilty verdict was sentenced to five years in prison.
Bill Singer's Comment
You may think that the bigger the bank the safer your money - but that's wishful thinking these days. As a number of recent "Street Sweeper" columns have reported, phishing scams have targeted Citibank, Capital One, Bank of America, JPMorgan Chase & Co., Comerica Bank, Regions Bank, U.S. Bank, Wells Fargo & Co., to name only a few. And don't - not for a second - think that eBay or PayPal haven't attracted their share of scammers.
Vlad the Emailer : Feds Bust Romanian Phishing Ring ("Street Sweeper", December 23, 2011)
Feds Go Phish And A Whole Mess Of Defendants Are In Hot Water ("Street Sweeper", May 3, 2012)
Belarusia Phish Fry? Feds Break Online Tax-Refund Scam("Street Sweeper", June 23, 2011)