Cyber Criminal Minds

Nigerian prince email scams — also called 419 scams — are some of the oldest forms of cyber-attacks around. It’s easy to think that they’re just old news, now more the punchline of a joke than something that could actually happen. But the truth is, these scams continue to be highly successful. In fact, Americans lost $703,000 in 2018 by falling for them.  

How they work

The most famous examples usually involve a too-good-to-be-true investment opportunity or an urgent plea to help get money out of the country in exchange for a piece of the sum. However, as people started to catch on to the scam, the scenarios scammers use began to change.

But in whatever form, 419 scams generally follow a specific format. It starts when the victim receives an email (or, more recently, a text message) out of the blue. The scammers will quickly try to build the trust of the victim, sometimes using official-looking documentation or even impersonating someone the victim knows, with the goal of eventually getting the victim to disclose their bank account number and other personal information. At this point the scammers can access the bank account and withdraw any amount of money they want.

The Better Business Bureau highlights a few of the most common forms these scams take today:

Beneficiary of a will

In this case, the victim receives an email claiming they were named the beneficiary of some long-lost relative who has left them large sums of money or valuable property. The email will request personal information to confirm the victim’s identity and of course ask for bank account information so they can transfer over the funds.  

Fake cashier’s checks – targeting online sellers

In this variation, a person selling something online is contacted by someone who wants to purchase an item. The scammer then “accidentally” sends a (fake) cashier’s check or money order for far more than the agreed upon price and asks the seller to transfer back the difference. Often, the scammer will claim they urgently need their money back so the seller will transfer the money before the bank can verify the check is a fake.  

Donation solicitations

Lastly, this scam involves the victim receiving a request for a donation to help fight against a corrupt government or violent group of criminals. The email will stress how urgent the need for money is and ask for a money transfer so that the help arrives sooner.

Why they’re so successful 

Given how widely known this type of scam is, it’s a bit of a wonder that people continue to fall for it. But along with the fact that they’ve changed up the scenarios, there are a couple of good reasons they continue to work. After all, they wouldn’t be so common if they weren’t successful.

Scammers are highly organized

We often think of scammers as some loner hunched over their computer in a dark room. But when it comes to 419 scams, there are entire organized crime circles devoted to carrying out these attacks. A 2019 CrowdStrike report breaks down how these scams are structured. At the top, a crime boss directs an entire team of “spammers, catchers, and freelancers” to carry out various aspects of the attack. “Spammers acquire email lists and operate advanced mail systems. The catchers monitor the responses to the spam campaigns and make first contact with victims … in order to advance the scam. Freelancers perform additional duties such as acquiring and developing infrastructure and creating fake documents.”

They exploit social vulnerabilities

Instead of looking for technical vulnerabilities to plant malware or other malicious software, the scams instead focus on our social vulnerabilities. Simply put, they look for ways to play on our emotions. 

In some cases, they’ll try to prey on our greed. In other cases, they try to make us feel like a hero. As social psychologist Dr. Frank McAndrew explains, “we get the opportunity to feel good about ourselves by helping another person in need…After all, what could be more noble than helping an orphan in need or helping some poor soul recover money that rightfully belongs to them in the first place?”

They start small

Another way these scams work is by starting with small requests. Often the scammer won’t ask for much at first, but over time will claim they need more and more. And there are even psychological reasons this is so effective. In an article for Psychology Today, McAndrew writes, “Changing course is cognitively difficult because not only is it an admission of a bad decision, it also means giving up any hope of recouping our losses.” 

Even if it’s not from a Nigerian prince, reports show that email scams are on the rise. Not only could they lead to financial loss, they could also expose the sensitive information of you and your company. That’s why it’s important to learn to identify these scams in all their forms and be extra cautious about anyone —even if it comes from someone you know— asking you to send money or other personal information over email. Taking the extra time to verify what’s really going on could be what saves you from getting tricked.

Learn Your BECs

In March of 2018, the director of the Dutch branch of the Pathé film company received an email from the CEO: “We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.” 

After some back and forth, the employee transferred 800,000. In the days that followed, more requests were made and subsequently filled, resulting in a total of 19 million transferred. Only afterwards did they discover these emails weren’t sent from the CEO at all, but instead from a spoofed email address set up to impersonate Pathé’s chief executive.

Situations like this are more common than you might think

While there were certainly a number of red flags that Pathé’s employee could have picked up on, business email compromise (BEC) schemes are actually a common form of cyberattack — and often a successful one.

This month, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, released an updated advisory on BEC schemes. The new advisory reflects just how easy it is for someone to gather information on an organization and pose as a boss in order to mislead employees into transferring funds to an outside account.

In fact, instances of email scams are increasing. As the report states, the number of successful email scams has more than doubled between 2016 and 2018, with an average of over $300 million per month in attempted thefts. What’s more, the advisory shows these attacks are moving beyond traditional wire-transfer schemes to include virtual currency payments, automated clearing house transfers and even purchases of gift cards.

How it Happens 

According to the advisory, scammers have become successful in impersonating leaders within an organization by identifying vulnerabilities within the targeted company. They accomplish this in two main ways. 

The first method is by gathering publicly available information. This could include information listed on an organization’s website, or even employee information found on LinkedIn and other social media sites.  

The second method is more nefarious, including “cyber-related reconnaissance efforts.” In other words, scammers gather more intimate information on an organization through methods such as phishing campaigns and malware.  

What You Should Do 

Of course, organizations cannot respond to these risks by closing themselves off to the outside world. Publicizing what your business does and speaking with potential customers is an important part of how businesses grow. However, there are common-sense steps organizations can take to prevent these email schemes from succeeding.

The FinCEN advisory suggests all organizations should assess their risk around business processes and practices, and put in place a multi-faceted verification process for all electronic transactions. For instance, before any funds are transferred, steps need to be taken to verify that all participants in the transaction are who they say they are. This includes using multiple means of communication (email, phone, etc.) and contacting others authorized to conduct transactions. Organizations should also put in place a step-by-step policy for transferring funds both within and outside the organization.
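The verification process the advisory describes, as an added example that is not part of the original post or of FinCEN’s advisory: a small Python gate for a hypothetical organization (the domain, directory entries and sample requests are all constructed) that refuses to release a transfer unless the requester’s address is on file, a call-back placed to the phone number from the organization’s own directory has confirmed it, and a second authorized person has approved. The sender check also flags the kind of spoofed address used against Pathé, where the display name is an executive’s but the address is not.

```python
"""Transfer-request verification gate (illustrative, hypothetical organization)."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed directory: the only addresses allowed to initiate transfers, with
# the phone number finance must dial for a call-back. A number quoted inside
# the requesting email is never used, because the requester controls that text.
ORG_DOMAIN = "example-corp.test"
AUTHORISED: Dict[str, Dict[str, str]] = {
    "ceo@example-corp.test": {"name": "Dana Keller", "phone": "+1-555-0100"},
    "cfo@example-corp.test": {"name": "Sam Ortiz", "phone": "+1-555-0101"},
}
NAMES_ON_FILE = {v["name"].lower(): k for k, v in AUTHORISED.items()}


@dataclass
class TransferRequest:
    from_header: str                  # raw From: header as received
    amount: float
    beneficiary: str
    secrecy_demanded: bool            # "tell no one, handle by email only" pressure
    callback_confirmed_by: Optional[str] = None  # address whose directory phone confirmed it
    second_approver: Optional[str] = None        # independent authorised approver


def sender_flags(from_header: str) -> List[str]:
    """Red flags that can be read from the From: header alone."""
    flags: List[str] = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if domain != ORG_DOMAIN:
        # An exact match is required, so look-alike domains fail here as well.
        flags.append(f"sender domain {domain!r} is not {ORG_DOMAIN!r}")
    if addr not in AUTHORISED:
        flags.append(f"{addr!r} is not an address authorised to request transfers")
        if display.lower() in NAMES_ON_FILE:
            # An executive's display name on an address that is not on file.
            flags.append(f"display name {display!r} impersonates {NAMES_ON_FILE[display.lower()]!r}")
    return flags


def evaluate(req: TransferRequest) -> dict:
    """Apply the whole gate; a transfer is released only when no flag is raised."""
    flags = sender_flags(req.from_header)
    _, requester = parseaddr(req.from_header)
    requester = requester.lower()
    if req.secrecy_demanded:
        flags.append("request demands secrecy/email-only handling, which bypasses verification")
    # Step 1: out-of-band confirmation on the directory number, by the requester themselves.
    if req.callback_confirmed_by is None:
        flags.append("no call-back confirmation on the directory phone number")
    elif req.callback_confirmed_by.lower() != requester:
        flags.append("call-back confirmed by someone other than the purported requester")
    # Step 2: a second, independent authorised person must approve.
    if req.second_approver is None:
        flags.append("no second approver")
    elif req.second_approver.lower() not in AUTHORISED:
        flags.append(f"second approver {req.second_approver!r} is not authorised")
    elif req.second_approver.lower() == requester:
        flags.append("second approver must be independent of the requester")
    return {
        "release": not flags,
        "flags": flags,
        # The number finance should dial; None when the requester is not on file.
        "callback_number": AUTHORISED.get(requester, {}).get("phone"),
    }


if __name__ == "__main__":
    # Constructed sample: an executive's name on a look-alike domain, urging secrecy.
    spoofed = TransferRequest('"Dana Keller" <dana.keller@examp1e-corp.test>',
                              800000, "Dubai account", secrecy_demanded=True)
    for flag in evaluate(spoofed)["flags"]:
        print("BLOCKED:", flag)
```

Every failed check is reported rather than only the first, so the finance team sees the full picture (look-alike domain, impersonated name, secrecy demand, missing call-back, missing approver) and can treat the pattern, not just one symptom, as the reason to stop.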

The bottom line is that email schemes succeed because someone’s been tricked. All organizations need to invest in proper training and awareness-building. In fact, after the attack, Pathé’s CFO stated that the company “never trained or instructed him to identify fraud.”

BEC schemes can target employees at any level of your organization. Taking the time to teach all employees to identify fraudulent emails, and even running simulated phishing campaigns, can go a long way toward preventing email scams from succeeding.