What the King of Cyber Fraud Can Teach Us
At a recent conference I attended, I learned a little about the story of Tobechi Onwuhara. Tobe spent years near the top of the FBI’s most wanted list, and after his capture in March, he pleaded guilty to fraud and money laundering. In less than three years, he stole at least $44 million as the mastermind of a cybercriminal crew.
How He Did It
- Targeted married couples with million-dollar homes that easily would qualify for a bank equity line of credit.
- Got personal identity information and digital copies of signatures through publicly available databases.
- Used a background check service to get birth dates, names of relatives, employment histories, mothers’ maiden names, prior addresses, etc.
- Used social media, credit monitoring, and other sites to get other personal information like mother’s maiden name and answers to typical security questions.
- Copied the victim’s caller ID onto a disposable phone, and tricked bank call center staff into opening a home equity line.
- Faxed wire transfer paperwork using “photoshopped” signatures.
- Duped the phone company into forwarding calls to a disposable phone – so that when the bank called to get a verbal confirmation of the wire transfer, they were actually calling Tobe and not the victim.
- Laundered the money after the wire was processed.
Basic Steps to Avoid Becoming a Cyber Fraud Victim
- Put a password on your home and mobile phone lines.
- Put a security freeze or credit monitoring on your account.
- Don’t email yourself bank login information and store it in a folder in your email account (apparently this is very common).
- Don’t ever use passwords like your spouse’s birthdate, mother’s maiden name, social security number, etc.
Additional Steps You Can Take
- Be careful what info you put on social media sites, and limit public access as much as you can.
- Use a unique and long password for each website (because this is tough to manage, consider password lockbox software like LastPass, 1Password, or RoboForm).
- Consider adding two-factor authentication to your accounts (so two factors are required for access: something you know such as a password, and something you have such as a smartphone).