The Day

Arrest made in phishing scheme

Cyberattack targeted Groton among other school systems

- By DEBORAH STRASZHEIM Day Staff Writer

A citizen of Nigeria was arrested in North Carolina on Thursday in connection with the “phishing” scheme that victimized school systems in Groton, Glastonbury and elsewhere.

Daniel Adekunle Ojo, 33, was charged with conspiracy to commit wire fraud, an offense that carries a maximum penalty of 20 years in prison, and aggravated identity theft, an offense that carries a mandatory consecutive term of two years, according to a U.S. Department of Justice news release.

Ojo appeared before a U.S. magistrate judge in Greensboro, N.C., after his arrest and was ordered held pending a transfer to Connecticut.

In March, the Groton Public Schools’ business office received an email from someone posing as the superintendent and asking for the W-2 information of about 1,300 employees. An employee sent the information, then realized the request didn’t come from the superintendent.

After the W-2 information was sent, approximately 66 suspicious 1040 forms were filed electronically with the IRS, using names of victims of the Groton phishing scheme, according to the arrest warrant affidavit. The tax returns sought refunds totaling $364,188 but the IRS didn’t process them, as they were flagged as part of an identity theft scheme, the affidavit said. No money was released in connection with those returns.

In Glastonbury’s case, money was released. In February, an employee of the school district received an email that appeared to be sent by another employee, and the email also asked for all W-2 tax information. The employee sent copies of the W-2 information of about 1,600 Glastonbury Public Schools employees.

Afterward, approximately 122 suspicious 1040 forms were filed electronically with the IRS, using names of victims of that phishing scheme, the affidavit said. The tax returns together claimed $596,897 in refunds; about six were processed and $36,926 was electronically deposited into various bank accounts.

The complaint alleges that Ojo controlled or used an aol.com email account and a gmail.com email account for the phishing scheme. In the Groton scheme, the email was sent from superintendent.schools@aol.com and indicated it was from Superintendent Michael Graner. The email read: “I need W-2copy list of “all Employees wage and tax statement for 2016. Kindly prepare and attach the lists in PDF file type and email them to me for review as soon as possible. Thanks Michael”

Bloomington Independent School District in Bloomington, Minn., also was targeted by the scam.

“Cybercriminals are becoming increasingly cunning in exploiting technology to steal identifying information from unwitting victims,” U.S. Attorney Deirdre Daly said in the news release. “Fortunately, our cyber investigators are skilled at cracking these crimes and catching these fraudsters. To help avoid becoming a victim, always remember when you click on a link or send an email, check — and then double check — that the link you’re being asked to open, or the email address you are responding to, is authentic.”

“The individuals that conduct these phishing schemes have one goal: To steal personal information for financial gain,” FBI Special Agent in Charge Patricia M. Ferrick of the New Haven Division said in the news release. “This case is particularly disturbing due to the methods used and the targeted victims.”

Investigators obtained search warrants for several email accounts, then looked at records of associated or recovery emails, along with a short message service number to track the user, the affidavit said. A number associated with the email accounts also was listed on a U.S. non-immigrant visa application as a telephone number for Ojo, the affidavit said.

When tax returns are filed electronically, the IRS can capture the Internet Protocol address, commonly known as the IP address, for the computer that filed the return, the affidavit said. An IP address is typically unique to a device and can allow other devices to identify it on a network. This information was used by investigators to track the source of the scam.

Ojo entered the U.S. on a visitor’s visa on May 23, 2016, then did not leave on his scheduled departure date of June 8, 2016, the affidavit said.

Special agents from the FBI, the IRS and Criminal Investigation Division are continuing to investigate the case with help from the police department in Durham, N.C.
