At its core, the grift is not complicated.
Thieves set up an email account to impersonate a business, contractor, or property seller that's about to receive a large payment. The fraudsters, often based overseas, then send an impostor email to whoever is wiring the money and slip in payment instructions to a bank account that the fraudsters control.
In South Florida, email impersonation scammers typically make off with a few thousand to several hundred thousand dollars for each wire they steal. The bustling real estate market has been a frequent target, with the perpetrators posing as title agents or home sellers in hopes of intercepting buyers' purchase money.
Legal files uncovered by New Times detail an exponentially larger fraud, with a criminal enterprise pulling off one of the biggest impersonation scam paydays documented to date in the U.S.
These kinds of scams typically can be avoided with a quick phone conference or a brief face-to-face meeting before wiring money.
In the case of one Florida business deal, a 30-second phone call might've prevented a nearly $30 million loss.
The Big Score
At the height of the pandemic in February 2021, Tidal Basin Government Consulting, one of the nation's biggest disaster-relief companies, secured a contract to help Florida with its COVID-19 vaccination program. Tidal Basin's role included managing telephone scheduling for vaccine appointments and training local officials to run online appointments.
Tidal Basin in turn hired a company called MCI BPO, which set up a high-volume call center for the state in connection with the vaccination effort.
When MCI's $29 million bill came due, Tidal Basin began corresponding via email to set up payment.
Little did Tidal Basin's executives know, thieves had gained access to internal emails and were studying the details of the transaction, according to legal pleadings uncovered by New Times in New York and Florida.
To intercept key messages and control the flow of information, the fraudsters set up email accounts to impersonate executives from MCI and Tidal Basin's parent company Rising Phoenix Holding Corp.
In the final stage of the scam, on October 5, 2021, the criminal enterprise sent an email to Rising Phoenix impersonating MCI's chief executive officer while requesting payment of the invoice. A project finance chief at Rising Phoenix took the email at face value and moved forward with the $29.58 million wire transfer, according to court documents.
The money was wired from Rising Phoenix's NBT Bank account into the trust account of an intermediary, Fort Lauderdale lawyer Richard S. Ross, per the fraudsters' instructions, the court documents state.
The theft was consummated between October 12 and October 19, 2021, when roughly ten wire transfers, ranging from $364,000 to $5.8 million, were executed from Ross's trust account, according to the pleadings. The funds were sent to several banks in Mexico, including Banco Monex, HSBC Mexico Institucion, and Scotiabank Inverlat, as well as Santander Bank in Delaware and Cathay Bank in Los Angeles.
Ross has denied knowledge of the fraud, indicating he thought the funds were from a legitimate business transaction. He has not responded to New Times' request for comment at his phone number listed by the Florida Bar.
The Blame Game
Panic set in for Rising Phoenix's executives on October 26, 2021.
That's when MCI's CEO called to inquire about the payment status, and it was revealed that MCI never received the money. Any hope that the situation was some misunderstanding quickly faded: The parties realized that someone had just pulled off a historic con job.
The U.S. Secret Service launched an investigation into the fraud, which led to the seizure of $4.18 million from Ross's trust account and $722,000 from Regions Bank's general ledger. The seizure orders were entered in New York, near Rising Phoenix's Utica headquarters.
Rising Phoenix says that on January 12, 2022, it paid the full amount still owed to MCI. The company has since launched an aggressive effort to recoup its losses.
A lawsuit filed this week in Florida by Rising Phoenix claims Regions Bank should be held liable for overlooking obvious signs that massive fraud was brewing. Among other red flags, the lawsuit alleges, an individual who did a not-so-great job of pretending to be attorney Ross rang up Regions Bank shortly after the fraudulent wire instructions were sent.
The caller, who was asking about the status of the funds, "misstated the name on the account and was unable to immediately recall his purported birthdate when asked to verify," the lawsuit alleges.
Regions didn't tag the account for fraud or freeze the $29 million despite the suspicious call, the lawsuit claims.
While the money was being funneled out of Ross' trust account to the overseas banks in mid-October 2021, Regions received a notice from Scotiabank Inverlat that it was rejecting one of the transfers, an $8 million wire attempt from Ross' account, due to an "internal policy" issue.
Instead of questioning the transfers and exploring why Scotiabank rejected the wire, Regions continued to allow transfers to be executed from Ross' account, the lawsuit alleges.
Counts for negligence, conversion, breach of fiduciary duty, fraud, and aiding-and-abetting fraud are alleged against Ross, while counts for negligence and breach of the New York Uniform Commercial Code are being brought against Regions Bank.
While the Florida lawsuit is playing out, Regions Bank is seeking a declaratory judgment in New York to release it from liability for the loss.
Regions claims that Rising Phoenix's bank, NBT, was responsible for verifying the authenticity of the $29.58 million wire. Once NBT submitted the wire instructions, Regions followed them to a tittle, as was required by financial trade association rules, Regions argues.
Regions says it was not legally required to investigate discrepancies regarding the payment recipient on the wire transfer — and that its position is supported by laws in Alabama and New York, the home states of Regions and NBT Bank, respectively.
"Regardless of which state’s statute applies, both... provide that a bank is entitled to rely solely on the account number contained in an electronic funds transfer," Regions says.
As for Ross, he "stated under oath that he believed that the $29 million was being transferred to his [interest-on-trust-account] from the account of his client's business partner," according to the Florida complaint.
Rising Phoenix claims Ross failed to question the source of the funds when eight-figure sums started flowing into his trust account, an unusual occurrence for the Fort Lauderdale attorney.
Ghost in the Machine
Business email compromise scams were blamed for more than $2.4 billion in losses across the nation last year, marking the costliest category of internet crime, according to the Internet Crime Complaint Center (IC3). The figure has ballooned out of control since 2016, when IC3 documented $360 million in annual losses attributable to the scams.
Digital impersonation is one of the "fastest growing and most financially damaging" online rackets, according to a 2022 fiscal year fraud report from the FBI.
Cybersecurity expert Alex Hamerstone tells New Times it's "shocking how simple" some email impersonation scams work.
"It's cheap to do. It doesn't necessarily require advanced hacking skills," Hamerstone says.
Once the money is transferred, the thieves move it around various bank accounts or convert it to cryptocurrency to make recovery difficult if not impossible, Hamerstone says.
Picking up the phone or doing a video meeting to verify the the source of a large wire request can easily thwart fraud.
"Personally it shocks me that this is going on," says Hamerstone, an advisory solutions director at TrustedSec. "The phone is probably the best way to stop these things."
The FBI says the COVID-19 pandemic facilitated the growth of email impostor fraud, as businesses cut back on face-to-face meetings and increasingly relied on online communication.
"Following the emergence of COVID-19, [email scam] actors quickly took advantage of the uncertainty faced by many businesses, often impersonating vendors and requesting payment outside the normal course of business due to the pandemic," the FBI report reads.
As the FBI notes, email fraudsters prey on people's reliance on faceless, voiceless, interactions in business deals. But as face- and voice-mimicking software improves, impersonation scams may evolve in years-to-come to more frequently include so-called "deep fake" videos or audio elements to dupe victims, the bureau warns.
Deep fake fraud is already popping up across the globe. In early 2020, Forbes reported, a con artist used voice-mimicking software to impersonate a company director on a phone call, in order to dupe a Hong Kong bank manager into authorizing a $35 million transfer.
Cybersecurity author Joseph Steinberg tells New Times that cybercriminals are attracted to impersonation scams because of their relatively high success rate and potential for big payouts.
"The people running these scams know what they are doing," Steinberg says. "Anyone who has a low-to-mid level corporate position but has authority over transfers of large amounts of money has a high probability of being targeted."
"Humans are conditioned to trust who they are communicating with in the business world," Steinberg says. "I've seen some very smart people do some very stupid things."