West African criminals are moving on from Nigerian Prince scams to duping your business

Emails about princes to personal emails have made way for fake supply chain invoices to your CFO

Variants of the Nigerian Prince/419 scam have existed for over 100 years. During the 18th Century there was the “Spanish Prisoner”, where a previously unknown relative was trapped in Spain, but promised a “sizable reward” to anyone who paid for their release. Obviously, no such relative existed and no reward ever came.

Fast forward to the 1990s and the advent of the internet age, and we see this morph into a common scam perpetuated by cybercriminals based in Western Africa. Promises of Nigerian Princes or long-lost family with millions of dollars trapped in accounts have been filling our inboxes for nearly three decades now. But they work: the 419 scam—named after the fraud designation in the Nigerian criminal code—and similar such scams are estimated to have cost people billions of dollars over the years.

419 in 2017: the same but different

While many of us have moved on from those days—it’s rare that anyone who saw the rise of the web or any of today’s ‘digital natives’ would fall for such a trick—there’s still no shortage of attempts. Why are they still trying?

“There are new people coming online on a daily basis,” says David Sancho, senior threat researcher at Trend Micro. “Those guys are having the same shock that we did when we first saw these kinds of scams, and some of them might be susceptible.”

Sancho, along with Interpol, published a paper researching the habits of West African cybercriminals. The report, “Cybercrime in West Africa”, points to a new guard of upstarts moving away from simple emails to more personal platforms, while the experienced veterans from the scam’s early online days are moving on to better and more lucrative targets.

As times move on, so do criminals. While the classic 419 will be around for a while yet, dating apps have become a common point of entry for criminals looking to extract money from people. “They put these pictures of beautiful women; in reality it’s a guy from Nigeria,” says Sancho. “And then they try to convince you that they’re getting a liking for you.”

Once they’ve ensnared an unwitting victim, the story is largely the same: Phony declarations of love are made; fake stories about needing money for visas, bribes, and flights, are told; money is sent. Repeat ad infinitum.

Compromising emails and processes

On the business side, however, things are very different. The report says there’s been a shift towards business email compromise (BEC) and business process compromise (BPC). In short: hackers putting themselves in the middle of your perfectly legal and normal operations, and siphoning off money where they can.

In classic 419 style, such attacks normally start with an email. They will target corporations and, using keyloggers and other basic off-the-shelf hacking tools, will compromise accounts. Once embedded, they will watch and learn your processes and then jump into the lucrative ones around payment requests and invoices. They might start an email chain about payment from a legitimate email account, then change the email slightly (add a hyphen etc.) and continue the conversation with less chance of being spotted.
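As an added illustration (not from the article or the Trend Micro report), here is a mail-gateway style check for the lookalike-address trick described above: it flags a sender who joins a thread from a domain that is new to the thread but only an edit or two away from a domain already taking part. The `.example` domains, the two-edit threshold and the function names are assumptions made for the example.

```python
from email.utils import parseaddr


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_senders(from_headers, max_distance=2):
    """Return (sender address, imitated domain) pairs for one thread.

    from_headers holds the thread's From header values in arrival order.
    A sender is reported when its domain is new to the thread yet within
    max_distance edits of a domain that has already taken part.
    """
    seen, findings = [], []
    for header in from_headers:
        addr = parseaddr(header)[1].lower()
        domain = addr.rpartition("@")[2]
        if not domain or domain in seen:
            continue  # unparseable header, or a domain already in the thread
        for known in seen:
            if edit_distance(domain, known) <= max_distance:
                findings.append((addr, known))
                break
        seen.append(domain)
    return findings


# Constructed sample thread; every name and domain here is a placeholder.
THREAD = [
    "Accounts <accounts@acmesupplies.example>",
    "Finance <finance@buyer.example>",
    "Accounts <accounts@acme-supplies.example>",  # hyphen added mid-thread
    "Finance <finance@buyer.example>",
]

if __name__ == "__main__":
    for sender, imitated in lookalike_senders(THREAD):
        print(f"{sender} joined the thread from a lookalike of {imitated}")
```

Comparing domains rather than whole addresses keeps colleagues with similar mailbox names on the same domain from being reported.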

“They subvert the process so that the process works as intended but has an advantage to the attacker,” says Sancho. “And that’s insidious because if the process works as intended then the company sometimes has no chance of seeing that it’s been subverted.”

The FBI estimated business email compromise scams cost businesses around $3 billion last year. Notable cases of compromise of both email and process include the Austrian engineering firm FACC, which lost up to €50 million ($54 million) after a fake email impersonating the CEO authorised transfers of funds; the SWIFT bank hack, which saw hackers hijack legitimate processes to redirect funds; and, earlier this year, drug dealers intercepting containers full of frozen food to hide drugs until they were found out at a port in Belgium. Though these are the most high-profile examples and didn’t originate from West Africa, they show how subtle and costly BEC/BPC can be if they nestle comfortably into your business.

“We’re seeing that there’s a shift and now older people who are knowledgeable, are moving into the business. They’re older, they’re more experienced, and they’re ruthless. These guys can scam you for millions.”

“When you get a glimpse at the kinds of tools they are using, you can see there are things that are not high-tech, it’s stuff you can use, I can use, we can download for a very minimal investment—$100, $200—that’s all you need. As easy as that.”

It’s that combo of social engineering experience combined with the readily available criminal tool set which is proving to be so effective. “It’s not those young guys trying to make a quick buck, it’s more established people that have the means and the willingness to create a wider network of money laundering.”

“A normal Nigerian scam would just tell you send it through Western Union. In order for this scam to work, with a company in the UK, you have to have a UK account. So they’re establishing these wider networks.”

Sancho cites a recent example he had seen, where criminals hacked into a company that handled payroll for other companies, and created virtual employees that didn’t exist. Everything within that company was working as intended and, because only one extra employee is unlikely to make a massive dent on the bottom line, the crime is less likely to be discovered for a while. Meanwhile, one extra employee across a number of companies, each drawing a monthly salary, can generate a decent reward for the criminal.

According to Trend Micro’s research, the US and China are the most commonly targeted countries for compromise attacks, followed by India and the UAE. Manufacturing is the industry most affected, but everything from food & beverage to retail to transport and more has seen attempts made.

Catching criminals

While it is often clear where these attacks are originating from—and during a presentation Sancho shows off several Facebook accounts of known criminals—stopping them can be difficult. “In a lot of countries, there are legal roadblocks, and in other countries, it’s more about the legalities of inter-police.”

“When Nigerian police try to get data from the US or from Germany, then there’s a lot of roadblocks—they have to find a judge who can give a warrant so that finally they can access the data.”

Sometimes getting that warrant can be difficult because there are inconsistent laws in different countries, especially what counts as a “serious” crime. Those million-dollar scams will attract the attention of any police force, but the time and effort to work with police in different countries and continents over $500-a-time scams is often seen as not worth it. “That lack of sync sometimes is an obstacle to successful investigations.”

Another obstacle, he says, is a lack of the right skill set. “Law enforcement is not set up for cybercrimes, to combat cybercrime. It’s set up for going somewhere, knocking on a door. Once you have that skill, doesn’t matter if it’s drugs or not.”

“But cybercrime, you’re talking completely different mindset. It’s more about investigations long term, so you have to go to PayPal and you have to get a warrant, and you have to go to Western Union, it’s so different, getting that skillset, getting that person trained, takes a long time.”

According to the report, however, there is an increasing number of arrests. So progress is being made, albeit slowly. “For me that’s encouraging, and it also sends a message because it’s very easy for bad guys to see themselves as invulnerable; nothing’s going to happen. Every arrest is sending a message that you are not invulnerable. We are putting people in jail for this stuff.”

“When you up the risk of them doing their business, you discourage them.”

Future

Despite those arrests, Sancho predicts that this problem could only become more pronounced over time as these criminals become more experienced and build their networks.

“Once they have the means to create a more encompassing kind of threat then they’re going to be doing these kind of more involved operations.”

He says it is “super difficult” to protect against because in theory everything is working properly, and often there are only a few people who have full knowledge or visibility of an entire process from start to end.

“You have to design or redesign a process you have to keep in mind that somebody might be trying to subvert it, so you need double checks and triple checks so that every step of the way is being monitored.”

On the technical side, he recommends installing defence systems: strong web filters, file filters, and the like. On the social side, he says education is key. “Telling people it’s not that these attacks might happen, it’s that these attacks will happen, so be ready for them. Having training programs if your company can afford it is absolutely a must nowadays with the environment we’re living in. Be aware. By default, do not trust.”

This story, "West African criminals are moving on from Nigerian Prince scams to duping your business" was originally published by IDG Connect.

Copyright © 2017 IDG Communications, Inc.