A 64-year-old business email compromise (BEC) guru has plead guilty in Houston to bilking appliance giant Electrolux and one other company out of a combined half a million dollars — in addition to other fraud schemes.
Kenenty Hwan Kim (a.k.a. Myung Kim) admitted in federal court (the Southern District of Texas) that he had carried out the elaborate schemes, which involved spoofed emails that purported to be internal communications from executives at the target companies.
Court documents describe two victims – one is a Huntsville, Texas-based construction company called Solid Bridge, and the other is Electrolux, which is the parent company of several major appliance brands.
In the former case, Kim used a fake email account that had a similar name to a legitimate company email address to convince Solid Bridge to wire more than $200,000 to an account that Kim controlled.
“He then took that money and moved it through several different bank accounts before placing it in an offshore account,” according to the U.S. Attorney’s office.
Kim pretended to be the owner of a legitimate subcontracting company in Pinehurst, Texas called Chance Contracting, according to a plea agreement obtained by the Register. In 2018, Solid Bridge received emails that appeared to come from “Brett Chance” – the owner – using an email address with a very similar domain name to the real Chance’s address and which raised no red flags.
The fake email said that Chance was having issues receiving check payments from Solid Bridge, and then asked Solid Bridge to mail a check to another mailing address instead. Kim provided a mailing address, and Solid Bridge dutifully wrote out a check and mailed it – the address of course turned out to be bogus. The money was later wired in chunks to an address in South Africa.
In the second incident, Kim used a similar tactic to convince the North American division of Electrolux to wire more than $300,000 to what it thought was a known and legitimate vendor. It sent the money to a KeyBank account.
“The account was actually set up for a different shell company Kim created with a similar name,” according to officials. “Again, Kim took that money and eventually placed it in an offshore account.”
The plea document describes Kim and an unindicted co-conspirator using a combination of cashier’s checks and cash withdrawals from the KeyBank account, some of which was then put into a Wells Fargo bank account opened using the alias of Myung H. Kim. Money from there was also wired to the South African offshore account. He also set up a shell account, “Kugu Palpal Invest Develop LLC” in Washington State under the name Myung Kim, with an associated, different KeyBank account that Kim also placed money into; after that, money was transferred again, from KeyBank to a Bank of America account also associated with Kugu Palpal Invest Develop LLC. That money too was then wired to South Africa.
In addition to the BEC hijinks, Kim also engaged in credit-card fraud, racking up another $200,000 in ill-gotten gains.
“In those, Kim created a system to process credit card payments,” according to the Attorney’s office. “He would then obtain a victim’s personal identifying information and charge over $10,000 on their credit cards. Kim also had 36 different credit cards in a variety of names, four different Social Security numbers, two dates of birth, 11 different overlapping addresses and a prior real estate license suspension for engaging in fraud.”
Kim cut a plea deal, and has copped only to the money-laundering aspect of the crimes. Sentencing is set for Aug. 19. The Washington State native could face up to 20 years in a federal penitentiary and a $500,000 fine for money laundering.
BEC attacks continue to grow – and continue to be successful. The newly issued 2020 Verizon Data Breach Investigation Report underscores that credential theft and social attacks such as phishing and business email compromises continue to drive the majority of breaches (over 67 percent). And, the FBI has issued recent alerts on this type of attack, noting that BEC is escalating amid working from home and the COVID-19 pandemic, because it’s harder for employees to verify transactions. Security experts recommend always verifying changes in information flow and monetary transaction protocols via a second channel – such as making a phone call – before complying with email requests.
“The human element forms a critical layer in [defense],” said Javvad Malik, security awareness advocate with KnowBe4, via email. “It’s important to provide security awareness and training to all employees so that they can identify any suspicious phishing emails, in particular BEC or CEO fraud emails. Having well-trained employees can be the difference between remaining secure, or suffering a great loss.”