“Gucci Master” business email scammer Hushpuppi gets 11 years
Credit to Author: Naked Security writer | Date: Mon, 14 Nov 2022 16:24:19 +0000
He was sentenced under his real-life name of Ramon, but back in his boastful days of pretending to be a seriously successful real estate agent based in Dubai, you may have seen and heard of him as Ray, or, to give him his full nickname, Ray Hushpuppi.
To be clear, Ramon Olorunwa Abbas wasn’t pretending to have lots of money, but he was pretending to have acquired his money by legitimate means.
His now-shuttered Instagram account was awash with show-off photos promenading the extent of his wealth, including fancy cars (see featured image at top of article), luxury travel by private jet, and high-ticket shopping trips:
Unfortunately for Abbas, who allegedly referred to himself on Snapchat as The Billionaire Gucci Master!!!, and fortunately for the numerous victims of his criminality, the photos above were featured in a US Department of Justice charge sheet signed in June 2020 by FBI Special Agent Andrew Innocenti and approved by US Magistrate Judge Rozella Oliver:
Grabbed and nabbed
Abbas was charged with the crime of Conspiracy to Engage in Money Laundering, quickly arrested by the Dubai police, and extradited to the US where he has been behind bars ever since.
As we wrote back in 2020:
Maximum prison sentences are rarely handed out. But if Abbas gets convicted of conspiracy to engage in money laundering, and if he happens to be the unlucky exception to this general rule, he’ll be looking at a maximum sentence of 20 years in federal prison.
Well, more than two years later, Hushpuppi has pleaded guilty to the charge and been sentenced, and although he didn’t get the maximum prison term, United States District Judge Otis Wright gave him 135 months, which is just over 11 years. (We assume this will include the time that Puppi has already spent in custody.)
He’s also required to pay back more than $1.7m in restitution to two specific victims whom Abbas admitted to defrauding as part of his plea agreement: $922,857 to a law firm in New York, and $809,983 to a businessperson in Qatar.
The original charge sheet setting out that Abbas indeed had a case to answer, and should therefore be arrested and brought to the US, makes fascinating reading.
It includes extracts from Hushpuppi’s correspondence with various co-conspirators, including a money launderer from Canada called Ghaleb Alaumary, who was sentenced to 140 months (11 years 8 months) in a US prison last year, and ordered to repay a whopping $30m.
Crooks versus the banks
The conversations recorded by the investigating officer give an intriguing insight into how so-called Business Email Compromise (BEC) criminals try to sneak past the fraud prevention measures that the banks have put in place.
Here, you can see them talking to each other about transfer problems, and offering advice on those banks or countries that should be avoided because the transfers will trigger warnings:
I sent 1.1m pound to acc they said open ben in uk money landed and now they asking questions
An open ben, or “open beneficiary”, is explained by the investigator as “an account where a different business account name can be substituted to help in deceiving the victim into sending funds.”
Bro I can’t keep collecting houses n not give them a feed back n keep asking for more. This things cost a lot of money now to open.
A house in this context is BEC slang for “a bank account used to receive proceeds of a fraudulent scheme”, because it provides a temporary home for funds.
Presumably, the money launderer’s contacts – other cogs in the cybercrime gearbox who send out so-called money mules to open accounts that are later used for fraud – were pushing back against the “cost” of going through face-to-face KYC (know your customer) checks to open accounts that ended up getting linked to criminality right away.
Brother I can’t send from uk to Mexico they keep finding out, but uk 2 uk these guy keep paying
Here, the money launderer is suggesting that fraudulent transfers kept inside the UK are likely to go through, whereas trying to get money out of the country is likely to provoke more detailed checks and trigger a block.
BEC explained
As you probably know, BEC is an umbrella term used to describe email-driven cybercrime where electronic messages (which often look perfectly genuine because they’re sent from a compromised account inside your own company) are used to persuade someone in the finance department to change the recipient’s account details just before a major payment is due.
BEC criminals can target the compromised company directly, by tricking someone in your own Accounts Payable department into thinking that a supplier just swapped banks and is requesting their forthcoming payments to be made to a new account.
Worse still, BEC crooks can target your customers, by tricking their Accounts Payable staff, under cover of fraudulent emails that really do originate from your company, that your company has switched banks and requires future debtor payments to go to a new account.
As you can imagine, customers defrauded in this way might not realise that their “successful” payments have been going astray (assuming that the transfers to the fraudulent “house” don’t get spotted by the bank)…
…until your own accounts department notices they’re apparently behind on payments and sets the debt collection team onto them.
That sort of confrontation is almost certain to lead to a doubly-angry customer, and the resulting data breach publicity really is something you could do without, alongside the likely need to make good your customer’s loss if the bank can’t claw back the funds.
What to do?
We know that banks are able to head off significant amounts of BEC-style fraud, but that plenty of the stolen money nevertheless ends up in the hands of scammers, because the DOJ remarks that:
“By his own admission, during just an 18-month period defendant conspired to launder over $300 million,” prosecutors wrote in a sentencing memorandum. “While much of this intended loss did not ultimately materialize, [Abbas’s] willingness and ability to participate in large-scale money laundering highlights the seriousness of his criminal conduct.”
Here are some tips you can follow to reduce the risk of getting scammed by the Hushpuppis of the world:
- Turn on two-factor authentication (2FA) so that a password alone is not enough to access your accounts, especially email. Remember that your email account is probably the key to resetting passwords on many of your other accounts, including ones you use at work and at home.
- Look for features in your service providers’ products that can warn you when anomalies occur. XDR (extended detection and response) tools help you to search for logins that come from unusual places, or to track down network and file activity that doesn’t fit your usual pattern. This can help you flush out crooks who have wriggled into your network or your email account. Talk to your bank about how they can add another layer of scam detection, too.
- Enforce a two-step (or more) process for making significant changes to accounts or services, especially changes in details for outgoing payments. Don’t just rely on simple “manager approval” click-throughs – implement independent checks by different teams, working in separate departments, looking for different indicators of scamminess.
- If you see anything that doesn’t look right in an email demanding your attention, assume you are being scammed. Crooks who try to impersonate your CEO or CFO might not make any mistakes, but often they do. Don’t let the crooks get away with slip-ups such as spelling mistakes or unlikely errors that ought to give them away – one Naked Security commenter reported catching a scammer red-handed simply because the crook used an emoji where they felt certain that the true owner of the email account would have spelled out the meaning in full. As carpenters like to say, “Measure twice, cut once.”
- If you want to check details with another company based on an email, never rely on contact data provided in the email, especially when money is involved. Find your own way to get hold of the other party using a different form of communication, for example using a phone number on printed documents that you already have.
- Consider using internal training tools to teach your staff about scams. Tools such as Sophos Phish Threat can test staff behaviour safely so that they can make their mistakes when it doesn’t actually matter, rather than when the crooks come calling.
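To make the “BEC explained” section and the tips above concrete, here is an added example (our own illustration, not code from the article or from Sophos) of how an Accounts Payable team might screen a “we’ve changed banks” request before a payment run. It does two separate things: a cheap check of the email itself for lookalike sender domains, mismatched Reply-To headers and pressure language, and then the process control from the tips, namely sign-off from at least two different departments, one of which must have called back the supplier on the phone number already on file rather than any number quoted in the email. The second part matters because, as the article points out, a request sent from a genuinely compromised mailbox looks perfectly normal and produces no email-level flags at all. All vendor records, email addresses, phone numbers, IBANs and approver names are constructed for the demo; the +44 20 7946 range is reserved for fiction.

```python
"""Screening a 'we have changed banks' request before a payment run.

Added example, not code from the article or from Sophos. Every vendor
record, e-mail and approval below is constructed for illustration.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class VendorRecord:
    """What Accounts Payable already holds, taken from the signed contract."""
    name: str
    email_domain: str
    phone_on_file: str   # from printed documents, never from an incoming e-mail
    iban: str


@dataclass
class ChangeRequest:
    """The incoming e-mail asking to redirect future payments."""
    vendor: str
    from_addr: str
    reply_to: str
    new_iban: str
    body: str


@dataclass
class Approval:
    """One human sign-off; 'verified_via' records how that person checked."""
    approver: str
    department: str
    verified_via: str    # e.g. "callback:+44 20 7946 0000" or "email-reply"


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def screen_email(req: ChangeRequest, vendor: VendorRecord) -> list[str]:
    """Cheap indicators that something 'doesn't look right' in the e-mail.

    A request sent from a genuinely compromised supplier mailbox produces
    no flags here, which is why this check alone is never sufficient.
    """
    flags: list[str] = []
    sender = _domain(req.from_addr)
    if sender != vendor.email_domain:
        similarity = SequenceMatcher(None, sender, vendor.email_domain).ratio()
        if similarity >= 0.8:
            flags.append(f"sender domain {sender!r} is a lookalike of {vendor.email_domain!r}")
        else:
            flags.append(f"sender domain {sender!r} does not match vendor record")
    if req.reply_to and _domain(req.reply_to) != sender:
        flags.append("Reply-To points at a different domain than the sender")
    if any(w in req.body.lower() for w in ("urgent", "immediately", "before the deadline")):
        flags.append("pressure language in body")
    return flags


def approvals_are_independent(approvals: list[Approval], vendor: VendorRecord,
                              min_departments: int = 2) -> tuple[bool, str]:
    """Two-step control: sign-off from distinct departments, plus at least one
    out-of-band callback to the number on file (not one quoted in the e-mail)."""
    departments = {a.department for a in approvals}
    if len(departments) < min_departments:
        return False, f"need sign-off from {min_departments} separate departments, got {sorted(departments)}"
    expected = f"callback:{vendor.phone_on_file}"
    if not any(a.verified_via == expected for a in approvals):
        return False, "no approver verified by callback to the phone number on file"
    return True, "independent approvals with out-of-band verification"


def decide(req: ChangeRequest, vendor: VendorRecord,
           approvals: list[Approval]) -> tuple[bool, list[str]]:
    """Return (apply_change, reasons). Any e-mail flag blocks the change outright;
    otherwise it goes through only if the approval control holds."""
    reasons = screen_email(req, vendor)
    if reasons:
        return False, reasons
    ok, why = approvals_are_independent(approvals, vendor)
    return ok, [why]


# Constructed data for a demo run (all values are made up) --------------------
ACME = VendorRecord("Acme Timber Ltd", "acme-timber.example", "+44 20 7946 0000",
                    "GB00EXMP00000000000001")

# Lookalike domain: 'rn' in place of 'm', plus a push for speed.
LOOKALIKE = ChangeRequest("Acme Timber Ltd", "accounts@acme-tirnber.example",
                          "accounts@acme-tirnber.example", "GB00EXMP00000000000099",
                          "Please update our bank details immediately.")

# Sent from the supplier's real (compromised) mailbox: nothing to flag in the e-mail.
COMPROMISED = ChangeRequest("Acme Timber Ltd", "accounts@acme-timber.example",
                            "", "GB00EXMP00000000000099",
                            "We have moved banks; kindly use the new account for the next invoice.")

GOOD_APPROVALS = [Approval("alice", "accounts-payable", "callback:+44 20 7946 0000"),
                  Approval("bob", "procurement", "checked-contract")]
# Two people, but the same department: not an independent check.
WEAK_APPROVALS = [Approval("alice", "accounts-payable", "email-reply"),
                  Approval("carol", "accounts-payable", "callback:+44 20 7946 0000")]

if __name__ == "__main__":
    for label, req, apps in (("lookalike", LOOKALIKE, GOOD_APPROVALS),
                             ("compromised/weak", COMPROMISED, WEAK_APPROVALS),
                             ("compromised/good", COMPROMISED, GOOD_APPROVALS)):
        print(label, decide(req, ACME, apps))
```

The point of the three demo cases is the middle one: the email from the compromised supplier account passes every header-level check, so the only thing standing between the crook and the next payment is whether your process insists on a second department and a callback to a number you already had before the email arrived.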