According to the U.S. Attorney's Office for the District of New Jersey, Atlanta resident Waya Nwaki recently admitted his role in a fraud ring that stole more than $1.3 million through phishing attacks. Nwaki was arrested in Atlanta on December 29, 2011.

"According to the indictment [PDF file] filed with the U.S. District Court in New Jersey, Nwaki and six co-conspirators between August 2000 and June 2010 worked across three continents to launch phishing attacks through spoofed websites designed to mimic banks and payroll processors such as ADP," writes GovInfoSecurity's Tracy Kitten. "When online users visited the spoofed pages, they were asked to provide confidential personal and financial information, such as dates of birth, Social Security numbers, mothers' maiden names, and online account user names and passwords."

"Nwaki admitted he used stolen identifiers to intercept and respond to emails -- sometimes sent by banks to customers when an unfamiliar computer or IP address accesses an account -- to impersonate the real account holders," the U.S. Attorney's Office said in a statement. "Nwaki also admitted he was asked as part of the scheme to impersonate company payroll officers in conversations with ADP, a national payroll processing company headquartered in New Jersey. Chase Bank, Bank of America, ADP and Branch Bank & Trust Co. together lost approximately $1.3 million to the fraud ring."


"The wire fraud conspiracy and wire fraud counts to which Nwaki pleaded guilty each carry a maximum potential penalty of 20 years in prison," writes Sophos' Lisa Vaas. "Aggravated identity theft carries a mandatory two-year prison sentence. The computer fraud conspiracy count carries a maximum potential penalty of five years in prison. Each count also carries a maximum $250,000 fine."