Phisher Jailed After Tricking Pentagon Out of $24 Million
California Resident Found Guilty on Total of 6 Criminal Counts
Sercan Oyuntur, a 40-year-old California resident, has been found guilty of stealing payment of over $23 million from the U.S. Department of Defense, according to the U.S. Department of Justice. The stolen payment was meant for DOD jet fuel suppliers.
Oyuntur was convicted on Thursday, and the jury found him guilty on a total of six criminal counts, including one count of conspiracy to commit wire, mail and bank fraud; two counts of bank fraud; one count of using an unauthorized access device to commit fraud; one count of aggravated identity theft; and one count of making false statements to federal law enforcement officers, the DOJ says.
"The conspiracy and bank fraud counts of which Oyuntur was convicted each carry a maximum potential penalty of 30 years in prison. The count of using an unauthorized access device to commit fraud carries a maximum potential penalty of 10 years in prison," the DOJ says.
For the false statement count, Oyuntur faces a maximum potential penalty of five years in prison and a statutory mandatory consecutive term of two years for aggravated identity theft.
"The conspiracy and bank fraud counts each carry a maximum fine equal to the greatest of $1 million or twice the gross profits or loss resulting from the offense, whichever is greatest; the remaining counts carry a $250,000 fine, or twice the gain or loss from the offense, whichever is greatest. Oyuntur will be sentenced on a date to be determined," according to the DOJ.
An unnamed corporation that had a contract with the DOD to supply jet fuel to troops operating in Southeast Asia had employed an individual in New Jersey who communicated with the federal government on behalf of the corporation through a government computer system.
But the DOJ alleges that Oyuntur and other criminal conspirators based in Germany, Turkey, and New Jersey used a complicated phishing scheme to target the corporation and the employed individual to steal money that DOD had intended to pay to the corporation for providing jet fuel.
"Oyuntur's conspirators created fake email accounts in other people's names and designed fake webpages that resembled the General Services Administration's (GSA) public-facing website. From June to September 2018, the conspirators caused phishing emails to be sent to various DOD vendors, including the individual from New Jersey who represented the corporation, to trick these vendors into visiting the phishing pages," the DOJ says.
The Justice Department says the phishing emails looked like legitimate communications from the U.S. government but had been sent by the conspirators and contained links that took victims to the phishing pages, which appeared to be a GSA website. Then, the users were prompted to enter their confidential login credentials, after which those accused manipulated government systems, ultimately diverting money to themselves.
During their operation, Hurriyet Arslan, a conspirator who worked closely with Oyuntur, opened a shell company based in New Jersey for the criminal scheme.
Arslan originally owned a used car dealership named Deal Automotive Sales in Florence, New Jersey. He obtained a cell phone number for the shell company and hired another individual to pose as the shell company's owner.
Arslan also opened a bank account in the name of the shell company, the DOJ says.
"On Oct. 10, 2018, based on the fraudulent activities of Oyuntur and his conspirators, DOD transferred $23.5 million that had been earned by the victim corporation into Arslan’s Deal Automotive bank account. Arslan went to the bank and was able to access some of this money, but the bank would not release all of the funds to Arslan," the DOJ says.
The agency also says that another conspirator in Turkey sent an altered government contract via email to Arslan that said his automotive firm had acquired a DOD contract valued at approximately $23 million. The DOJ says, "Oyuntur instructed Arslan to take this fake contract into the bank to explain why he had received the money so that Arslan could convince the bank to release the remaining funds."
Arslan pleaded guilty in January 2020 to conspiracy, bank fraud and money laundering and is scheduled to be sentenced on June 21.
Protecting Against Phishing Attacks
Sean McNee, CTO of DomainTools, says monitoring communications with its supply chain is part of an organization's healthy security practice. If you receive an unsolicited email from someone appearing to be a partner, McNee says to do the following:
- Make contact via an established channel that can be verified in order to establish the legitimacy of the email.
- Avoid clicking on unsolicited links.
- Do not provide any financial information until the communication has been verified.
"Many organizations have turned to their own version of multifactor authorization for doing large wire transfers," McNee says, requiring a confirmation "via email as well as through another established channel such as a phone call."