Texas Convicts BEC Scammer

A Texas resident has been convicted of stealing hundreds of thousands of dollars from a school district in Idaho through a business email compromise (BEC) scam.

Teton School District 401, which serves 1,800 students in seven schools in Teton County, fell victim to the cybercrime three years ago. 

In 2018, the district's business manager, Carl Church, unknowingly made an electronic payment to a fraudulent bank account accessed through his district email account. 

Church transferred $784,833.71 in the belief that he was paying Headwaters Construction Company, a general contractor based in Victor, Idaho, which had been hired by the district to build new schools. 

In January 2019, after news of the cybercrime became public, Church resigned from his position. Speaking at the time, Teton County Deputy Andrew Sewell emphasized that Church was not suspected of any wrongdoing.

Sewell said the BEC cyber-attack “was a believable scam that he [Church] fell victim to.”

The incident was investigated by the Federal Bureau of Investigation. Over half the stolen funds were eventually recovered, and the state insurance carrier ICRMP paid the remaining balance. 

Houston resident Julius Joachim Ohumole, who moved to the United States from his native Nigeria, was charged over the cybercrime on November 8, 2019, and later taken into custody. 

On December 31, 2019, the US Attorney's Office for the Southern District of Texas announced that 37-year-old Ohumole had been charged with one count of conspiracy, four counts of bank fraud, and two counts of aggravated identify theft.

Teton Valley News reported Wednesday that Ohumole has now been convicted and is due to be sentenced in February 2022. 

Superintendent Monte Woolstenhulme shared news of the conviction at a meeting of the school board on December 13. Woolstenhulme informed the trustees that he had been notified of the conviction by the US Department of Justice in Texas.

Each count of conspiracy and bank fraud carries a possible sentence of up to 30 years in federal prison and a maximum fine of $1m. The aggravated identify theft charge carries a maximum sentence of up to two years in prison.

What’s Hot on Infosecurity Magazine?