Tag: Business Email Compromise

  • Fraudsters Target Pepco in Major Phishing Attack

    The European retail chain Pepco was tricked into transferring a substantial sum to fraudsters through an intricate phishing attack, according to its official press release.

    The Hungarian division of Pepco Group, which owns brands such as Poundland in the United Kingdom, Dealz in Ireland and Spain, as well as Pepco in various European countries, fell victim to cybercriminals, incurring a financial loss estimated at around 15 million euros.

    It remains uncertain whether the funds will be recoverable, though the company is actively collaborating with law enforcement agencies and banks to locate and freeze the stolen assets. Pepco emphasized that the cyberattack did not compromise the personal data of customers, suppliers, or staff.

    Furthermore, the company reassured its clients and business partners of its financial stability, highlighting its access to over 400 million euros in liquidity from cash and credit resources.

    The press release also mentions the undertaking of a comprehensive audit of all systems and processes to enhance business security in the future.

    While the company has not divulged the technical specifics of the attack, it is plausible that Pepco was targeted by a Business Email Compromise (BEC) attack, a form of fraud carried out through business email.

  • Nigerian Fraudster Arrested: Mastermind Behind $7.5M BEC Scam

    A Nigerian citizen was apprehended in Ghana for orchestrating a sophisticated fraud scheme involving Business Email Compromise (BEC), which led to a U.S. charity organization incurring losses exceeding $7.5 million.

    Olusegun Samson Adejorin was detained on December 29, facing allegations of defrauding two charitable organizations based in Maryland and New York. He is accused of perpetrating email fraud, identity theft, and unauthorized access to a protected computer.

    According to the U.S. Department of Justice, Adejorin’s elaborate scheme spanned from June to August 2020 and entailed unauthorized access to email accounts and impersonation of organization employees.

    Masquerading as an employee of one of the charities (Victim 2), Adejorin solicited large sums from another organization (Victim 1), which provided investment services to Victim 2. For transactions exceeding $10,000, Adejorin utilized stolen credentials to send emails in the guise of employees responsible for confirming these transactions.

    As part of his fraudulent operation, Adejorin also acquired a tool for pilfering email credentials, registered counterfeit domain names, and cunningly concealed his deceptive emails from legitimate employees by rerouting them to inconspicuous sections of their mailboxes. Consequently, he successfully duped Victim 1 into transferring $7.5 million into his bank accounts, while the organization believed the funds were being sent to a legitimate charity.

    Adejorin faces a maximum penalty of 20 years for email fraud, 5 years for unauthorized access to a protected computer, and 2 years for identity theft. The U.S. Department of Justice also notes that the sentence may be extended by 7 years for registering and using a domain name with fraudulent intent.