This large payout, however, was not the result of lucky numbers. According to a search warrant application filed in federal court by a Secret Service agent, a public school district in Michigan was duped into wiring its monthly health insurance payment to the bank account of a California nail salon owned by the Abourcheds.
According to police, the district — and taxpayers — were victims of an online scam known as Business Email Compromise, or BEC for short. The couple has been cleared of any wrongdoing and has not been charged with any crimes.
BEC scams are a type of crime in which criminals hack into email accounts, pose as someone they are not, and trick victims into sending money where it does not belong. These crimes receive far less attention than the massive ransomware attacks that have prompted a strong government response, but according to the FBI, BEC scams have been by far the most expensive type of cybercrime in the United States for years, siphoning untold billions from the economy as authorities struggle to keep up.
The large payoffs and low risks associated with BEC scams have attracted criminals from all over the world. Some brag about their ill-gotten gains on social media, posing in photos with Ferraris, Bentleys, and stacks of cash.
"The scammers are extremely well organized, while law enforcement is not," said Sherry Williams, director of a San Francisco nonprofit that was recently victimized by a BEC scam.
According to a new FBI report, losses in the United States from BEC scams will total nearly $2.4 billion in 2021. This represents a 33% increase over 2020 and a more than tenfold increase over just seven years ago.
Experts also claim that many victims never come forward, and the FBI's figures only represent a small portion of the total amount of money stolen.
"It's one of the most profitable things out there," said Shalabh Mohan, Area 1 Security's chief product officer.
According to police, $2.8 million was stolen in the Grand Rapids nail salon case. According to court records, banks were able to recall roughly half of that amount after the scam was discovered.
In an affidavit submitted as part of a search warrant application, a Secret Service agent stated that someone hacked into the email account of one of the school district's human resource employees and sent emails convincing a colleague in the finance department to change the bank account to which the health insurance payments were sent.
The emails were succinct and always polite. According to the affidavit, one of them said, "Please kindly update" the records — words that the real HR employee later told police she never uses.
According to the affidavit, police tracked the money to the Abourcheds' salon's bank account. According to the affidavit, after the theft was discovered, Moe Abourched contacted a Grand Rapids police detective and claimed he'd been duped into accepting the funds and forwarding them to other accounts by a European woman named "Dora."
According to the Secret Service agent, Abourched's claims were false, and he'd used a similar ruse with police after receiving money from a BEC scam involving a Florida storage company.
According to court records, police placed the couple under surveillance and searched their apartment, offices, and BMW in October. Earlier this year, police stated that they needed more time to examine the data on the couple's phones and computers.
Kevin Gres, the Abourcheds' lawyer, stated that his clients did nothing wrong and that no charges should be filed.
"My clients were unwitting participants in this scheme," he explained.
BEC scammers employ a variety of techniques to hack into legitimate business email accounts and trick employees into sending wire transfers or making purchases they should not have made. Targeted phishing emails are a common type of attack, but experts say scammers have been quick to adopt new technologies, such as "deep fake" audio generated by artificial intelligence to impersonate company executives and trick subordinates into sending money.
In the case of Williams, the San Francisco nonprofit director, thieves hacked the organization's bookkeeper's email account, then inserted themselves into a long email thread, sent messages requesting that the wire payment instructions for a grant recipient be changed, and stole $650,000.
Williams claimed that after she discovered what had occurred, her calls to law enforcement went unanswered.
The FBI informed her that the local U.S. Attorney's office would not accept her case. She flew to Odessa, Texas, the location of the bank that initially received the stolen funds. The money had long since vanished, and the local detective was powerless to assist. Williams sought assistance from her U.S. senators and later learned that the Secret Service was investigating, but she claims she hasn't received any updates.
Crane Hassold, a BEC expert and former FBI cyber analyst, has heard of federal prosecutors refusing to take BEC cases unless several million dollars were stolen, a bare minimum that demonstrates how out of control the problem is.
"There are so many of them that they can't possibly work them all," Hassold, now director of threat intelligence at Abnormal Security, explained.
BEC scams can affect almost any business, from Fortune 500 corporations to small towns. According to court documents, even the State Department was duped into sending BEC scammers more than $200,000 in grant money intended to help Tunisian farmers.
In recent years, the Justice Department has launched months-long operations that have resulted in hundreds of arrests around the world.
"Our message to criminals involved in these types of BEC schemes will remain clear: The FBI's memory and reach is long and broad, and we will relentlessly pursue you no matter where you may be," said Brian Turner, executive assistant director of the FBI's Criminal, Cyber, Response, and Services Branch.
However, security experts say the wave of arrests has had little impact, and the FBI's own statistics show that BEC scams are growing at a rapid pace.
"You can arrest 100 of the guys and there will be no ripple effect," Hassold explained.
Many of those arrested in the United States are lower-level "money mules," who move stolen money through the banking system until it is out of reach of authorities.
"Mules" are people who don't need to know how to hack and come from a variety of backgrounds. Alfredo Veloso, of South Florida, pleaded guilty in 2019 after prosecutors claimed he recruited women he met through his business making "kink pornography" videos to be money mules for BEC and other cyber scams.
Sophisticated BEC scams aimed at businesses and other organizations began to proliferate in the mid-2010s. Around the same time, ransomware attacks, in which hackers break into networks and encrypt data, began to increase in frequency and severity.
For many years, both BEC scams and ransomware attacks were primarily treated as a law enforcement issue. That is still true for BEC attacks, but ransomware has emerged as a major national security concern following a series of disruptive attacks on critical infrastructure, such as the one last year against the largest fuels pipeline in the United States, which resulted in gas shortages along the East Coast.
Hackers from the National Security Agency have taken action to disrupt the networks of ransomware operators. To better organize the law enforcement response, the Justice Department formed a ransomware task force. And US Vice President Joe Biden has raised the issue directly with Russian President Vladimir Putin, where many ransomware operators are based.
Despite the massive financial losses, nothing remotely resembling those efforts has been directed toward BEC fraud.
"It's a bunch of tiny little silos, and they still haven't figured out how to have just one source that goes after these things," said John Wilson, a threat researcher at cybersecurity firm Agari.
If the United States launched an all-government response to BEC fraud, it would almost certainly focus heavily on Nigeria.
Nowhere is BEC fraud more prevalent than in Africa's most populous country, where scammers have been able to operate almost unabated for decades. The tired Nigerian Prince scam is now a global joke, but a new generation is making a fortune through sophisticated BEC fraud.
Nigerian BEC scammers are glorified in pop songs and flaunt their wealth on Instagram and Facebook, posing with expensive cars or piles of cash.
Ramon Abbas, a well-known Nigerian social media influencer known as Ray Hushpuppi, had over 2 million Instagram followers before being arrested in Dubai. Abbas' social media posts depicted a life of total luxury, complete with private jets, ultra-expensive cars, and high-end clothing and watches.
"I hope that someday I will be inspiring more young people to join me on this path," Abbas wrote on Instagram last year after pleading guilty in the United States to international money laundering related to BEC and other cybercrimes. His sentencing is scheduled for July.
Around 2014, according to Pete Renals, a threat researcher at Palo Alto's Unit 42, tech-savvy Nigerian criminals began learning how to use available malware to steal victims' credentials. As the software evolved, so did the scammers. According to him, in 2018, researchers began to notice Nigerian malware being developed in-country by BEC scammers themselves.
"It doesn't appear that there's much slowing them down," he said. They believe there is "no reason to stop."
When Obinwanne Okeke was a featured panelist at an event hosted by the prestigious London School of Economics, he was one of Nigeria's most well-known young entrepreneurs.
"You cannot do it if it is not born in you to take on challenges," Okeke said at the 2018 event when discussing his entrepreneurial drive.
But, according to the FBI, Okeke had been busy sending fake invoices and defrauding the British sales office of heavy equipment manufacturer Caterpillar out of $11 million through a BEC scam just days before he made those comments. He was arrested in 2019 at Dulles International Airport outside of Washington, pleaded guilty to wire fraud a year later, and is now serving a 10-year prison sentence.
According to experts, BEC scammers arrested by police in Nigeria often have better luck and regain their freedom by paying fines or bribes. According to Adedeji Oyenuga, a sociology professor at Lagos State University who has studied cybercrime culture, BEC scammers have little fear of being punished if caught.
"The person will walk around freely knowing that no one will say anything about what he or she is doing," Oyenuga explained.
Prosecutors in the Hushpuppi case have also charged Abba Kyari, a top Nigerian law enforcement official who prosecutors claim falsely imprisoned one of Abbas' criminal rivals. Kyari is still in Nigeria, where he has been arrested on separate drug-smuggling charges, according to media reports.
According to Doug Witschi, an assistant director at the global police organization Interpol, tech companies that aid in the facilitation of BEC crimes need to be more proactive in combating such behavior.
"We can't arrest our way out of this," he explained.
In contrast to ransomware operators, who try to keep their communications private, BEC scammers frequently openly exchange services, share tips, and flaunt their wealth on social media platforms such as Facebook and Telegram.
A Facebook group called Wire Wire.com, which was open to anyone with a Facebook account until recently, served as a message board for people to offer BEC-related services and other cybercrimes.
The page, which featured a profile picture of a duffle bag full of cash, was founded in 2015 and had over 1,400 members. It was removed shortly after The Associated Press inquired about it on Facebook last month. The company refused to comment.
In the case of the stolen Grand Rapids funds, social media aided law enforcement in obtaining a search warrant from a federal judge.
A vacation Instagram post by Kateryna Abourched was included in the application, which linked the timing of her trip with a $3,503 payment to a luxury resort in Mexico made from the bank account that had received the stolen Grand Rapids money.
"Vacations are always inspiring," she wrote on Instagram.