Second person charged in 2017 phishing scheme that targeted Groton Public Schools
A federal grand jury in New Haven on Thursday indicted a Nigerian citizen residing in Georgia on charges connected to the March 2017 email phishing scam of a Groton Public Schools employee.
Olukayode Ibrahim Lawal, 35, has been charged with wire fraud, conspiracy to commit wire fraud and aggravated identity theft, according to a news release from the office of the U.S. Attorney for the District of Connecticut.
The U.S. attorney's office said Lawal allegedly entered the U.S. on a visitor's visa on Nov. 24, 2016, and did not leave by his scheduled departure date of Dec. 1, 2016.
Lawal is the second person charged in this case. In August, Daniel Adekunle Ojo was arrested in North Carolina and charged with conspiracy to commit wire fraud and aggravated identity theft.
Ojo, who Department of Justice spokesman Thomas Carson said is awaiting trial, also is a Nigerian citizen. His arrest warrant affidavit stated that he came to the U.S. on a visitor's visa on May 23, 2016, and did not leave by his scheduled departure date of June 8.
The U.S. attorney's office said Lawal was arrested May 9 in Georgia on a federal criminal complaint. U.S. Attorney John Durham stressed that a complaint is "only a charge and not evidence of guilt."
Investigators found Lawal through authorized searches of Google and Yahoo email accounts, IP addresses, records provided by AT&T and a search of FBI databases, according to the May 7 affidavit in support of the arrest warrant for Lawal.
The affidavit said Lawal also was involved in a Feb. 23, 2017, phishing scheme at Sacred Heart Academy in Hamden, in which 103 employees' W-2 forms were compromised. The IRS did not distribute any refunds in that case.
It is likely Lawal also was connected to the Feb. 17, 2017, phishing scheme targeting Glastonbury Public Schools, the affidavit stated.
According to the affidavit, two email accounts associated with Lawal contained 760 unique W-2 forms, which appeared to be from 11 companies that have fallen victim to phishing scams.
'Everybody is a bit sobered by the whole notion of data security'
Lawal's indictment was news to Superintendent Michael Graner when reached by phone Thursday afternoon. His response was, "Holy mackerel, that's fabulous."
On March 1, 2017, an imposter posing as Graner sent an email to the district business office and asked for W-2 forms. The affidavit stated that an email was sent using the address firstname.lastname@example.org.
The email stated: "I need W-2copy list of "all Employees wage and tax statement for 2016.Kindly prepare and attach the lists in PDF file type and email them to me for review as soon as possible. Thanks Michael."
Graner said at the time that the employee thought the superintendent was asking for the information and sent an email with the W-2 forms of all 1,300 Groton Public Schools employees.
The superintendent two days later placed business manager Don Meltabarger on leave and began an internal investigation. Graner said Thursday that Meltabarger came to him while on leave and said he decided to retire. The district since hired Ken Knight as its business manager.
Graner said Meltabarger was the only business office employee to get the phishing email, meaning no other employees resigned or were terminated.
Graner called it "extremely poor judgment for the person to send it, to allow for the sending of the information."
The affidavit for Ojo's arrest stated that about 66 suspicious 1040 forms were filed with the IRS but the returns were flagged as part of an identity theft scheme and the IRS didn't process them, meaning no money was released in connection with the returns.
But the Thursday news release said about 100 suspicious 1040 forms were filed and the IRS processed about three, meaning "$23,543 in fraudulently-obtained funds were electronically deposited into various bank accounts."
Graner said Thursday he knows of about a dozen Groton Public Schools employees who "had to either go to Norwich or Hartford to personally identify themselves to prove that they were the real person filing the tax returns."
The superintendent said that following the phishing scheme, the district changed its method of W-2 circulation. The business office previously printed all the forms and distributed them, he said, but now employees sign into a password-protected system and print their own forms.
Graner said the district paid for two years of credit monitoring for all employees. He also said he's clarified to employees that "we never ask for personally identifiable information, ever," and that the technology director alerts staff to suspicious emails going around.
"Everybody is a bit sobered by the whole notion of data security," Graner said, "and we put everyone on alert and we try to monitor it much more carefully."