With $1.2 million hanging in balance, OCSD cyber crimes investigator dives into case
Just two years ago, it was a $25-million underground industry: an illicit world of criminals with computers and Internet connections who hack into business emails and pretend to be someone else in the hopes of stealing money.
Just a year later, in 2016, the type of cyber fraud known as BEC, for Business Email Compromise, exploded into a $3.1 billion racket, according to Orange County Sheriff’s Department Investigator Adam Sandler, who is part of a two-person cyber crime unit that is the only full-time, dedicated unit of its kind in O.C. law enforcement.
And BEC, which in many cases destroys lives by bleeding victims of their life savings, only is getting worse, Sandler said.
Recently, the 12-year OCSD veteran and former computer industry employee was assigned to what was, by far, the biggest case ever for the cyber unit: nearly $1.2 million swindled from an O.C. woman who wired that amount to an account she thought belonged to her escrow company.
With the clock ticking, it was up to Sandler to catch the cyber crook and try to get some or most of the woman’s money back — no easy feat in such a case where time is of the essence.
Typically, within 48 hours, such ill-gotten gains end up in bank accounts in countries like Nigeria or the Republic of Cameroon, never to be seen again, said Sandler.
He recalls a recent similar case in which an Orange County family pooled together $105,000 to buy a home.
The husband ponied up $50,000, his wife kicked in $30,000, and her parents came up with $25,000 — money they all wired into a bogus escrow account.
Authorities only were able to recover $1,000.
“They’re out of their life savings,” Sandler said. “Their money is gone.”
In the case involving the nearly $1.2 million wired into the sham escrow account, a woman Behind the Badge is identifying only as Denise W. feared the same would happen to her.
Denise W. runs an international logistics business.
She found a dream property in North Tustin to rehab and move into: a 7,000-square-foot home she agreed to purchase for $1.193 million.
On Oct. 13, she sent an email to her escrow company asking for instructions on how to wire them the money.
Unknown to her, a bad guy had hacked into her real estate agent’s emails. Since the agent was CCd on all emails between Denise W. and the escrow company, the bad guy saw that the electronic transaction was about to happen, and he got to work.
He created similar looking but fake emails and worked both sides, pretending to be Denise W. as well as the escrow company.
Over the next few days, he sent the escrow company an email requesting the necessary documents. When he got them, he altered the bank account information on the documents and then fired an email off to Denise W., pretending to be her escrow company.
He asked her to wire the money to close escrow.
On Oct. 17, Denise went to her bank and wired the $1.193 million to an account she thought belonged to her escrow company.
The next day, Oct. 18, she called her escrow company when she noticed something amiss on the escrow documents: the date she wanted to close wasn’t the one she had requested. A superstitious woman, she wanted escrow to close on a specific date.
The escrow company didn’t know what she was talking about; they told her they never requested or received the $1.193 million.
Denise W. and the escrow company compared documents, and quickly realized the bogus emails and different bank account information.
She dashed to her bank to stop the transfer.
Too late, they told her. The money was sitting in a bank account in Maryland.
Denise W. called authorities.
An OCSD patrol deputy rolled to her home in unincorporated Orange County.
Since Sheriff Sandra Hutchens established the cyber crime unit in 2015, Sandler and his partner, Investigator Alain Sirgy, have educated rank-and-file deputies about the unit.
The deputy who went to Denise W.’s home to take the report realized the magnitude of the apparent fraud, and Sandler was contacted.
He then got to work.
THE HUNT IS ON
Sandler tapped his network of contacts at the International Association of Financial Crimes Investigators (IAFCI) and found an investigator who worked at the bank where Denise W.’s money ended up.
The investigator was able to find the money in an account that had been opened in July but that had remained inactive until the $1.193 million was wired into it on Oct. 17.
That seemed odd, the investigator in Maryland thought.
The bank investigator was able to put an administrative hold on the transaction, but such a hold would expire in 30 days unless Sandler could get a judge to approve a warrant to put a legally binding hold on the account.
Meanwhile, Sandler wrote search warrants for the two email service providers the bad guy used to create the sham emails. He was seeking IP addresses, the digital fingerprints he needed to trace to the suspect or suspects. Getting such information usually takes 15 to 20 days.
Sandler got a judge to approve a warrant and legally freeze the account. The bank account containing the $1.193 belonged to a Maryland resident who is in the car exporting business.
Sandler and other authorities soon determined he was an innocent player in the cyber fraud — what authorities call a “mule.”
The car exporter (who happens to be a famous ex-pro soccer player) is in business with who he thinks is a legitimate partner in the Republic of Cameroon, who wires him money every now and then and then tells him to buy and ship him a car, and to keep a certain percentage of the money for his trouble.
In reality, the Cameroon partner is using the Maryland car exporter’s bank account to park dirty money, including the $1.193 million he stole from Denise W.
The Maryland businessman told authorities he would cooperate with them.
Soon, the IP addresses came back from the email service providers.
Not surprisingly, Sandler said, the IP addresses were linked to Nigeria. Nigerian ISPs do not honor U.S. search warrants so there is no way to tie the IP addresses to a specific suspect or suspects. So the question of who ripped off Denise W. — or tried to — remains unknown.
However, because he acted so quickly, Sandler was able to get the bank in Maryland to wire back Denise W.’s $1.193 million — or most of it. The bad guy in Nigeria made a couple of withdrawals. Along with bank transaction fees, Denise W. ended up being out a total of only $1,500 — nothing compared to what could have been.
The day before Thanksgiving, Denise W. saw there was a pending incoming wire for the return of most of her money.
The day after Thanksgiving, she got her money back.
In early December, she closed escrow on her house.
Such outcomes, Sandler said, don’t happen every day.
“It’s more rare than we like,” he said. “We always want to catch the bad guys, but in this case, at least we got the money back for the victim.”
Sandler has some tips to avoid being a victim of a cyber scam.
“People are so used to doing business by email,” he said. “No one talks anymore.”
Always follow up emails of importance with a phone call for confirmation, such as verifying the bank account number before wiring $1.2 million into it, he said.
And be wary of emails that give a deadline for doing something or that seem urgent.
And be suspicious of ones that come on Friday, he said. Crooks can get a huge head start if money is wired on a Friday. By Monday or beyond, Sandler said, the loot could be gone.
In a commendation letter to the sheriff, Denise W. praised Sandler’s diligence.
“He was always professional and pleasant to speak to and took the time to reiterate the process,” she wrote. “It made a tough journey a little easier to walk knowing that he had my back …. I can’t thank your department and Investigator Sandler enough for making this a miracle holiday for me and my family.”
In an interview, Denise W. told Behind the Badge losing nearly $1.2 million would have been devastating.
“He went above and beyond,” she said of Sandler.