Spoofing Email Sends Payment To Minneapolis, Shanghai, and Bremen

November 21, 2017

The BrokeAndBroker.com Blog has frequently covered stories involving spoofed emails that are sent to banks and brokerage firms. Sometimes the recipients of these fraudulent emails are victims. Sometimes, they're complicit. Sometimes, folks just go about their day and despite all sorts of memos and policies over the years warning them against accepting emails at face value, they disregard protocol and set off an avalanche of trouble and pain.  As demonstrated in a recent federal criminal case, we got lots of scamsters alive and well out there in cyberspace.

The Email Bill

Federal prosecutors alleged that on September 23, 2016, Sedgwick County, Kansas (the "County") received an e-mail from the Chief Executive Officer of Cornejo & Sons, LLC for services rendered on a County road project. The email directed the County to:
  • change the information it kept on file for the Cornejo & Sons LLC's financial institution and bank account; and
  • tender payment to a specified Wells Fargo Bank in the state of Georgia.
Payment

On October 7, 2016, the County sent approximately $566,088 to the specified Georgia branch of Wells Fargo Bank.

Say what?

To make a long story short, Cornejo & Sons asked the County when the hell it was going to get paid. Watcha talkin' about, the County asked, we sent you the money as instructed. 

Enter the Federal Bureau of Investigation.

 Which leads us to the doorstep of George S. James of Brookhaven, Georgia.

Criminal Charges

Federal prosecutors charged James with  one count of wire fraud and one count of aggravated identity theft. If convicted, James faced a penalty of up to 20 years in federal prison and a fine up to $250,000 on the wire fraud count and a mandatory two years (consecutive) on the identity theft charge.

Guilty Plea

On July 6, 2017, James pled guilty to one count of wire fraud.

Sentence

James was sentenced to 27 months in federal prison.

Bill Singer's Comment

I located United States of America, Plaintiff, v. George S. James, Defendant (Plea Agreement, United States District Court for the District of Kansas, 17-CR-10003 / July 6, 2017) http://brokeandbroker.com/PDF/JamesPlea.pdf. For those of you who are still intent on wingin' it when your company is on the receiving end of what looks, for all intents and purposes, like a bona fide email invoice with banking instructions, puhlease read the following portion of the Plea Agreement carefully . . . very, very carefully:

2. Factual Basis for the Guilty Plea. The parties agree the facts constituting the offense to which the defendant is pleading guilty are as follows:

Sedgwick County had contracted with Cornejo & Sons, LLC., (hereinafter referred to as Cornejo) for the Bond Tekk project, Project No. 2016. Upon completion of the project Cornejo requested payment. On September 23, 2016 the Sedgwick County Engineering Department certified that Cornejo had completed the project, that payment could be issued and a payment of $566,088.90 was authorized. The Certification of Completion was filed of record.

On a date before September 23, 2016, the exact date being unknown, A.H. contacted the defendant, George S. James, and asked Defendant James if he (A.H.) could use the defendant's bank account at Wells Fargo to deposit some money. Defendant James was aware that A.H. was involved in a scheme to defraud some person or entity out of money, but did not know A.H.'s intended victim. The defendant agreed to allow A.H. to deposit money into his bank account at Wells Fargo.

On or about September 23, 2016, A.H., or a person acting on behalf of A.H., sent an email bearing the email address of r.cornejo@cornejocorp.net to the Sedgwick County Accounts Payable department. This email falsely and fraudulently requested a change of Cornejo's bank to an account with Wells Fargo Bank, this account did not belong to Cornejo but to Defendant James. Attached to the email was a completed ACH form identifying the "new" account for Cornejo. The ACH form falsely and fraudulently represented that it was signed by R.C., the C.E.O. of Cornejo. The above email and the ACH form traveled in interstate commerce, i.e. from the State of Georgia to the State of Kansas.

On October 7, 2016, an ACH payment was sent by Sedgwick County to the defendant's bank account with Wells Fargo Bank, pursuant to the instructions provided in above reference email and ACH form of September 23, 2016.

The defendant, knowing that the funds which had been deposited into his bank account were obtained by the execution of A.H.' s fraud scheme, caused a portion of the funds to be wire transferred to a bank account in Shanghai, China, and into a bank account owned by the defendant with Deutsche Bank in Bremen, Germany. The defendant also spent some of the funds in the United States.

The defendant did not know that the victim of A.H.'s fraudulent scheme was Sedgwick County, Kansas.

Sedgwick County's payment traveled in interstate commerce, from its bank in Sedgwick County, Kansas, to the defendant's bank account at the Wells Fargo branch bank located in Minneapolis, Minnesota, as identified in the ACH form.

The United States claims that the loss in this matter is $566,088.90. The defendant denies the amount of loss.

Bill Singer's Comment

A few takeaways. When you get an invoice for services rendered and you are told to alter the standing instructions for transmitting payment, you might want to double-check with the sender. Now, just a bit of advice here, when you do that double-check with the sender, don't simply hit "reply" to the initiating email. First off, the "Sender" address displayed in that field of the email may not be the actual address -- you could pass a cursor over the address and see if something different comes up. Second, if you're going to send a half a million bucks to a new bank, maybe it would be worth your while to directly telephone the vendor at a known telephone number and confirm the instructions to change banks.

Now, to be clear, I'm not going to call you an idiot just because you may not follow my advice. No, I'm not going to call you any names. You're an adult and you should do whatever you think is right. That being said, should you willy-nilly send out wire payments for six figure sums and just revise a vendor's standing banking instructions on the say-so of a mere email, then be prepared to work with the FBI as you trace your sent-funds to such exotic places as Minneapolis, Shanghai, and Bremen.

Finally, and I'm just tossin' this out there for the hell of it, you might want to take a pause if you're approached by some guy going only by the initials of "A.H.," who asks to deposit money in your bank account. Just sayin' . . . but, if you ask me (go ahead, ask me), I would be very wary about any business associate who goes by the initials of B.S., M.F., W.T.F., or A.H. Oh wait, my initials are "B.S.," so forget about that first business associate.

Listen, lemme ask ya sumthin'. Can I deposit a couple of thousand in your bank account? I'll make it worth your while. Sure, it part of a fraud but if you play dumb, I ain't gonna say nuthin'. We got a deal?

SEE These DOJ Press Releases:




ALSO READ: