A principal figure in the domestic arm of an international “phishing” operation that used spam e-mails and bogus websites to collect personal information used to defraud American banks was sentenced to five years in federal prison.
Nichole Michelle Merzi, 26, of Oceanside, was sentenced in the fraud case by Senior United States District Judge Terry J. Hatter, Jr.
After a six-week trial last year, Merzi was found guilty of bank and wire fraud conspiracy, aggravated identity theft, computer fraud conspiracy, and money laundering conspiracy charges.
Along with her then-boyfriend—Kenneth Joseph Lucas, II—Merzi was a lead defendant named in an indictment returned in the fall of 2009 as part of Operation Phish Phry, a multinational investigation conducted in the United States and Egypt that led to charges against 100 individuals—the largest number of defendants ever charged in a cybercrime case.
As a result of Operation Phish Phry, 47 people have been convicted in federal court in Los Angeles. Lucas was sentenced in 2011 in two federal cases—one stemming from the phishing scheme and one from a indoor marijuana grow operation that he constructed—to a total of 13 years in federal prison (see: http://www.justice.gov/usao/cac/Pressroom/2011/092.html).
Operation Phish Phry revealed how Egyptian hackers obtained bank account numbers and related personal identification information from bank customers through phishing—a technique that involves sending e-mail messages that appear to be official correspondence from banks or credit card vendors.
Bank customers who received the spam e-mails were directed to phony websites purporting to be linked to financial institutions, where the customers were asked to enter their account numbers, passwords, and other personal identification information. Because the websites appeared to be legitimate—complete with bank logos and legal disclaimers—the victims did not realize that the websites were not related to legitimate financial institutions.
Armed with the bank account information, members of the conspiracy hacked into accounts at two banks. Once they accessed the accounts, the individuals in Egypt coordinated transfers of funds from the compromised accounts to newly created fraudulent accounts and other accounts used as part of the scheme.
“Records at trial show that, from February 2008 through September 2008, defendant [Merzi] opened numerous BOA [Bank of America] accounts in her name at a variety of branches, and the amount of unlawful ‘phishing’ transfers into those accounts alone was $14,000,” prosecutors wrote in a sentencing memorandum filed with the court. From October 2008 to early 2009, Merzi and Lucas also had the individuals in Egypt make unlawful transfers from phished accounts to other fraudulent accounts opened in Southern California and elsewhere.
The United States part of the ring was overseen by Lucas, who directed associates to recruit “drops” to set up and use bank accounts where stolen funds could be held. A portion of the illegally obtained funds were transferred via wire services to the Egyptian co-conspirators. When Lucas was sentenced, a federal judge determined the total amount of intended loss in the case was more than $1 million.
“The harm done by [Merzi]’s activities is undisputed,” according to the goverment’s sentencing memo. “Although BOA and Wells Fargo reimbursed the individual victims whose accounts were compromised, it is undeniable that the scheme affected a large number of victims,” given that the illegal phishing transfers “occurred in amounts around $1,000 at a time.”
Marzi has been in custody since she was found guilty at trial in March 2011.
The investigation in the United States was conducted by the Federal Bureau of Investigation, which received support from the Electronic Crimes Task Force in Los Angeles and the Social Security Administration’s Office of Special Investigations.