
Nigerian National Sentenced to 7 Years for $6M Business Email Compromise Scheme Targeting U.S. Companies

A Nigerian national received a 90‑month prison term for orchestrating a business‑email‑compromise campaign that stole about $6 million from U.S. businesses. The case underscores the persistent risk of credential‑based email fraud for third‑party risk managers.

🛡️ LiveThreat™ Intelligence · 📅 March 24, 2026 · 📰 therecord.media

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 3 sector(s) · Actions: 4 recommended · Source: therecord.media

What Happened — A 31‑year‑old Nigerian citizen, James Junior Aliyu, was sentenced in the United States to 90 months in prison for his role in an international business‑email‑compromise (BEC) operation that stole roughly $6 million from American businesses and individuals. The scheme, active since at least 2017, relied on hijacked corporate email accounts and spoofed payment instructions to divert legitimate wire transfers to fraud‑controlled bank accounts.

Why It Matters for TPRM

  • BEC attacks exploit weak email security and can be launched from any geography, so any vendor that processes payments on behalf of clients is a source of third‑party risk.
  • The case highlights the financial impact of credential‑based fraud, underscoring the need for continuous monitoring of email authentication controls across the supply chain.
  • Successful prosecution demonstrates that law‑enforcement collaboration can mitigate ongoing threats, but the underlying tactics remain prevalent.

Who Is Affected — Financial services firms, SaaS platforms handling invoicing, and any organization that relies on email‑based payment approvals.

Recommended Actions

  • Verify that all third‑party vendors enforce DMARC, DKIM, and SPF for outbound email.
  • Implement multi‑factor authentication (MFA) on email and financial systems.
  • Conduct regular phishing simulations and train staff to recognize spoofed payment requests.
  • Review transaction monitoring rules for anomalous wire‑transfer patterns.
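
One way to carry out the first action above for SPF and DMARC, as an added example that is not part of the original brief: it grades the TXT records a vendor publishes and reports why a record falls short of enforcement. The vendor domains, the records and the pass thresholds (`-all` or `~all`, and `p=quarantine` or `p=reject` at `pct=100`) are assumptions; DKIM is left out because checking it requires the vendor's selector.

```python
# Added example. Records below are constructed; in practice they are the TXT
# answers for <domain> (SPF) and _dmarc.<domain> (DMARC).
VENDORS = {
    "vendor-a.example": {"spf": ["v=spf1 include:_spf.mail.example -all"],
                         "dmarc": ["v=DMARC1; p=reject; rua=mailto:d@vendor-a.example"]},
    "vendor-b.example": {"spf": ["v=spf1 ip4:192.0.2.0/24 ?all"],
                         "dmarc": ["v=DMARC1; p=none"]},
    "vendor-c.example": {"spf": ["v=spf1 mx ~all", "v=spf1 a -all"],
                         "dmarc": ["v=DMARC1; p=quarantine; pct=25"]},
}

def grade_spf(txts):
    """Return a finding string, or None when SPF restricts unlisted senders."""
    recs = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if len(recs) != 1:
        return f"SPF: {len(recs)} records published, exactly one is required"
    terms = recs[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return "SPF: redirect= in use, grade the target domain's record"
        return "SPF: no 'all' mechanism, unlisted senders evaluate as neutral"
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare 'all' means '+all'
    if qualifier in "+?":
        return f"SPF: '{alls[0]}' places no restriction on unlisted senders"
    return None  # '-all' or '~all'

def grade_dmarc(txts):
    """Return a finding string, or None when the DMARC policy is enforced."""
    recs = [t for t in txts if t.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return f"DMARC: {len(recs)} records published, exactly one is required"
    tags = dict(p.strip().split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip().lower() for k, v in tags.items()}
    if tags.get("p") not in ("quarantine", "reject"):
        return f"DMARC: p={tags.get('p', 'missing')} is monitoring only"
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) < 100:
        return f"DMARC: pct={pct} applies the policy to only part of the mail"
    return None

def audit(vendors):
    """Map each vendor domain to its list of findings (empty list = passes)."""
    return {d: [f for f in (grade_spf(t["spf"]), grade_dmarc(t["dmarc"])) if f]
            for d, t in vendors.items()}

if __name__ == "__main__":
    for domain, findings in audit(VENDORS).items():
        print(domain, findings or "OK")
```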

Technical Notes — The attackers gained unauthorized access to corporate mailboxes (likely via credential theft or phishing) and sent spoofed messages that appeared to originate from legitimate executives. No specific CVE was cited; the attack vector was social engineering and compromised credentials. Source: The Record

📰 Original Source
https://therecord.media/us-sentences-nigerian-national-to-7-years-fraud

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
