Posted on 08/09/2018 at 11:59 AM by John Lande
The ubiquitous “Nigerian prince” scheme seems like it wouldn’t trick anyone anymore, but a recent report from CrowdStrike explains how the old scheme continues to evolve into more sophisticated forms of cyber-fraud.
The basic scheme is well known: A “Nigerian prince” sends an email asking for a sum of money that the “prince” can use to obtain property, usually a large sum of money, sometimes after the prince “retakes the throne.” After the victim sends money, the “prince” will experience an unanticipated obstacle that requires more money. The fraud will last as long as the victim continues to respond and send money. While crude and easy to identify, enough individuals fall for it to make it lucrative.
The CrowdStrike report reveals an interesting hierarchy among Nigerian criminal organizations that perpetrate this kind of fraud. The crude version of the scheme, also known as advance-fee fraud, is often perpetrated by college students. As fraudsters progress, they move to the more complicated Business Email Compromise (“BEC”) fraud, where fraudsters impersonate high-level executives and convince employees or financial institutions to send money abroad. This blog has covered exactly this kind of fraud involving the companies American Tooling Center, Medidata, and UnityPoint. It turns out that Nigerian confraternities are also heavily involved in perpetrating this kind of fraud.
The report is a fascinating look at the evolution of cyber-crime. The most important takeaway for organizations of all kinds is that there is no reason to believe that BEC and other forms of cyber-fraud are going to diminish. If anything, the involvement of large organized crime will only lead to increasing levels of BEC.
This blog has discussed a number of things that organizations should do to minimize the risk of being taken advantage of by fraudsters. Organizations need to ensure that employees are trained to identify potential scams. They should also make sure that they have controls and procedures in place that involve more than one employee for important tasks like transferring money, sending out payroll, and accessing sensitive employee and customer information. Finally, organizations should look at their insurance to make sure they have coverage for this and other kinds of cyber-fraud.
Mitigating cyber-risk is challenging because it is not possible to prevent it just by plugging in a new piece of hardware or installing new software. Ultimately, it depends on employees being able to identify potential scams, which requires constant vigilance and training.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.