The United States government accidentally gave $50 million to a group of criminals this year.
Hackers successfully filed thousands of fraudulent tax returns to the Internal Revenue Service (IRS), which issued refunds for at least 15,000 of those returns to about 5,000 bank accounts.
We know the hackers used a large set of personal data, stolen from elsewhere, to log into the IRS website and download previously filed returns. We know they used those tax transcripts to create and file new returns that would generate refunds.
But one crucial part of the scam remained a mystery: How did the crooks manage to open 5,000 bank accounts in the US? And once the refunds were issued to those accounts, how did they get the money out?
It turns out there is a well-established criminal network in the US that specializes in maintaining multitudes of bank accounts, developing money mules, and funneling funds out of the country: Nigerian romance scammers.
The work of a romance scammer is not all that complicated. They spam as many people as possible over email or social media. The scammer tells the recipient that he happened upon her name or profile picture by chance. He says, I used to know someone with your name. He says, I saw your face and was instantly mesmerized. Later on, he starts asking for money. The response rate doesn’t have to be very high; one lonely, vulnerable mark can lead to thousands of dollars.
And just like that, a victim becomes an accomplice.
Those victims can also be used to move cash. An online lover sends a large deposit to her victim’s bank account, and asks him to transfer that money to Nigeria via Western Union. It’s for a business deal, she says. Or it’s for family, or it’s going into an offshore account. And just like that, a victim becomes an accomplice.
Here is what all of this has to do with the IRS data breach: In our previous story, we detailed the case of Michael Kasper, one of the victims of the breach. After he learned that the government had issued a refund for a fake tax return filed under his name, Kasper tracked down the bank where the refund was sent. It was located in Williamsport, a city of about 30,000 people in central Pennsylvania. The person who owned the account, 21-year-old Isha Sesay, was quickly identified and arrested.
Sesay told the police that she’d been hired on Craigslist to open a bank account, receive deposits–and wire the bulk of the money to Nigeria. Sesay’s account received just one other deposit, aside from the IRS refund: $5,400 from a man in South Dakota. Sesay’s arresting officer contacted the man, according to her arrest warrant, and found out why he sent the money:
[The victim] stated that he believes that he had fallen victim to some sort of internet money scam. He stated that he met a person online who identified theirself [sic] as Pamela Venes. [The victim] stated that he had never met Venes, but they had become close through communicating over the internet over a period of time.
Venes eventually began requesting money from the man, the arrest warrant said, claiming that she needed to pay some medical bills. According to the FBI, this is a common ploy in the world of internet cons: The scammers say they need money for travel documents, or say they’ve been a victim of a crime, or that they were in an accident and now have to pay exorbitant hospital bills.
So how did money from a romance scam and a large government data breach both end up in Sesay’s bank account? It’s certainly possible that she was the person who had posed as Pamela Venes online, tricking the South Dakota man into depositing $5,400 into a bank account. But Sesay opened that account under her own name, and it’s unlikely that a criminal who would make such an obvious mistake was involved in a complex operation like the IRS breach. Her arresting officer, Donald Mayes, said as much in an interview with Quartz.
Many of the details surrounding Sesay’s case are typical in romance scams. Last month, for example, a federal grand jury indicted nine individuals for defrauding 17 men and women they met on dating sites like Match.com and OKCupid. These alleged scammers also made claims of urgent hospital bills, according to the indictment, as well as “fake plane trips to visit the victims, fake problems with overseas businesses, and fake foreign taxes.” The indictment describes a vast web of transactions between the conspirators and victims to and from many bank accounts in Maryland and Virginia—and one in Nigeria.
There’s also the case of Elaine Elrod, whose story was told in detail by Brendan I. Koerner in Wired earlier this month. After falling in love with a man she met on Facebook, but had yet to meet in person, Elrod started receiving the typical requests for money. The man’s son had been in a car accident, he said. The hospital bills were piling up and he needed help. Elrod ended up sending the man every dime she had. And once her money was gone, the man began arranging for deposits to be made to her bank account, and asked her to wire those funds to Nigeria. Suddenly, Elrod was a money mule.
In another case, this one in 2012, a Georgia man was convicted of an array of crimes that included not only romance scams, but identity theft and hacking as well. After stealing login credentials to a payroll company’s computer systems and extracting money, the man and his accomplices used victims of romance scams to funnel the money to Nigeria. According to an FBI press release: “As part of the scheme, more than $300,000 in fraudulent payroll was wired to defendant Olaniyi Jones, a Nigerian national who impersonated a European woman interested in romantic relationships to dupe mules into wiring the proceeds of the scheme overseas.”
So where does all of this leave us? What we know is that the criminals who defrauded the IRS needed to have about 5,000 bank accounts ready to receive the incoming tax refunds. We know that one of those bank accounts also received a deposit from what appears to be a pretty typical internet romance scam. And we know that Isha Sesay told the police that she wired most of the money from both deposits to Nigeria, but she did not have any documentation to prove that. We also don’t have any proof that she was, as she said, hired on Craigslist to mule the money, and we don’t know why she used her real name to open the account.
As of August, the IRS had not followed up with the Williamsport police to inquire further about Sesay’s case. The agency has not yet released any details about the provenance of the data breach, and had no comment about the potential involvement of Nigerian romance scammers. The office of Rep. Peter Roskam, who previously told CNN that the attack originated in Russia, did not respond to emails asking whether he still believed that to be the case.
If it turns out that romance scammers did play a role in the IRS data breach, the next question will be how extensive that role was. Previous cases, like the one in Georgia, demonstrate that these groups have pulled off heists that utilize similar skill sets. It’s also worth considering that their network of bank accounts and mules could be farmed out to other criminal operations.
The IRS, meanwhile, says it is still investigating the breach.