Security Experts:

Are Nigerian Scams From Nigeria?

Markus Jakobsson and Kim-Kwang Raymond Choo

To deal with a problem, the first thing we have to do is to understand it. This means that we have to be able to measure all meaningful aspects of the problem. If we consider the problem of online fraud, it is encouraging that there has been substantial progress in understanding phishing and how malware is used to steal credentials, documents and money. But, strikingly, almost nothing is known about Nigerian scams (also known as advance fee fraud and 419 scams; 419 is the section of the Nigerian Criminal Code Act that prohibits obtaining goods by false pretences). This makes it harder to defend against this increasingly common type of fraud, and almost impossible to predict how much worse it may become.

We designed and performed an experiment that allows us to take the pulse of Nigerian scammers. Are the scammers really from Nigeria, you may ask? What do they want, and how do they get it? What are their strengths, and what are their weaknesses? Are they at the peak of their success, or should we fear that they can become dramatically better at what they are doing? What can organizations do to secure themselves and their users?

Here is the experiment in a nutshell. Imagine a camera that sells for $750 new, and I offer one for sale on Craigslist for $250. Only used for a few weeks, in perfect condition. Good deal, right? But what if I instead were to ask $750 (or more) for it used? Not so hot, you might say. It makes more sense for you to buy it in the store. You would not bother contacting me.

But fraudsters would.

They may contact me and ask to buy it - even at a premium. They will tell me where to ship it, and they will send me a payment. Or rather: something that looks like a payment to a would-be victim, who would not realize that it really was not a payment until after the camera was shipped.

We used the technique of offering too expensive merchandise to find fraudsters without bothering honest people. In fact, we used it to make the fraudsters find us, while avoiding everybody else. Then we acted as would-be victims, and paid attention to what happened.

Here are some of our findings:

Nigerian scams are aptly named. Indeed, almost all of the fraudsters we interacted with wanted us to ship our merchandise to an address in Nigeria. Knowing this may help a little in designing countermeasures, whether legal or technical.

Most Nigerian scammers "pay" using PayPal. Then they send an email that looks a lot like a PayPal payment notification. But, interestingly, they do not spoof the sender address. If they did, which would be very easy, they would no doubt increase their yield.

Some Nigerian scammers "pay" using Western Union. Then they send a confirmation code that lets the seller pick up the money - but with some digits starred out. "When you send me the tracking number, I will send you the missing part, and you can pick up the payment."

Some Nigerian scammers "pay" using credit cards. They request the victim's credit card details so that they can "transfer" the money to his or her account.

Nigerian scammers are bullies. When a would-be victim has agreed to sell but then expresses second thoughts, the scammer becomes mean and threatening. He sends angry emails in all caps; tells the would-be victim that he or she will be blacklisted or reported; he even sends a notification from a payment provider, stating that the would-be victim's account has been revoked. (This can only be undone by responding to the notification with your password.)
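Two of the findings above lend themselves to a simple defender-side check: the fake PayPal payment notification is sent from an address that is not PayPal's (the scammers do not spoof the sender), and the "account revoked" notice asks the recipient to reply with a password. The following Python script is an added example, not part of the article or the authors' experiment. It parses a raw email and flags it when the display name or subject names a payment provider but the From: address is on a different domain, or when the body asks for a password in reply. The brand-to-domain table, the sample messages and the function names are constructed assumptions for illustration.

```python
"""Heuristic check for fake payment or account notifications (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed mapping from a brand name, as it appears in display names and
# subjects, to the domain that brand legitimately sends mail from.
# Illustrative assumption, not a vetted allow-list.
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "western union": ("westernunion.com",),
}

# Matches a demand to reply or respond with a password, even across line breaks.
PASSWORD_REQUEST = re.compile(r"\b(reply|respond)\b.{0,80}?\bpassword\b", re.I | re.S)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    _display, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_brand(text: str):
    """Return the first known brand name mentioned in text, or None."""
    low = text.lower()
    for brand in BRAND_DOMAINS:
        if brand in low:
            return brand
    return None


def domain_belongs_to(domain: str, allowed) -> bool:
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw_message: str) -> dict:
    """Flag a message by two heuristics drawn from the article's findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    display_name, _addr = parseaddr(from_header)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    brand = claimed_brand(display_name + " " + subject)
    domain = sender_domain(from_header)
    # Heuristic 1: the mail claims to come from a provider, but the From:
    # address is not on that provider's domain (the sender is not spoofed).
    brand_mismatch = brand is not None and not domain_belongs_to(domain, BRAND_DOMAINS[brand])
    # Heuristic 2: the mail asks the recipient to reply with a password.
    password_request = PASSWORD_REQUEST.search(body) is not None

    return {
        "claimed_brand": brand,
        "sender_domain": domain,
        "brand_mismatch": brand_mismatch,
        "password_request": password_request,
        "suspicious": brand_mismatch or password_request,
    }


# Constructed sample messages, not real scam mail; example.net is a reserved domain.
FAKE_PAYMENT = """\
From: "PayPal Service" <payment-notify@example.net>
To: seller@example.org
Subject: You have received a payment of $800.00

Your payment has been received and will be released to you once you
send us the shipment tracking number.
"""

FAKE_REVOCATION = """\
From: "PayPal Account Team" <review@example.net>
To: seller@example.org
Subject: YOUR ACCOUNT HAS BEEN REVOKED

YOUR ACCOUNT HAS BEEN REVOKED. To restore it, reply to this email with your
password.
"""

GENUINE_LOOKING = """\
From: "PayPal" <service@paypal.com>
To: seller@example.org
Subject: You have received a payment

A buyer sent you a payment. Log in to your account to view the details.
"""

if __name__ == "__main__":
    for label, raw in [("fake payment", FAKE_PAYMENT),
                       ("fake revocation", FAKE_REVOCATION),
                       ("genuine-looking", GENUINE_LOOKING)]:
        print(label, analyze(raw))
```

The first heuristic only works because, as the article observes, these scammers do not forge the sender address; against a spoofed From: header the domain check proves nothing, and a mail filter would have to rely on SPF, DKIM and DMARC results instead. The password heuristic is a plain keyword match and is meant as a triage signal, not a verdict.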

Nigerian scammers know what they want. They want fancy cameras, but do not care as much for laptops, and do not give a darn about refrigerators and other bulky electronic appliances. It makes sense: The merchandise needs to be shipped to them, and then be resold in Nigeria.

Knowing that the scammers remain in business, we can infer that they are reasonably successful. In fact, we see more and more Nigerian scams. So we can conclude that there are enough people who are not very careful, and that bullying them pays off. This is not about people lacking technological skills, it is about them not thinking critically. User awareness and education campaigns could change that.

Of course, Nigerian scams are not limited to Craigslist, nor to frauds in which they try to obtain people's cameras for free. Our experiment only gives us a glimpse at one particular type of scam at one particular point in time. But it gives us hope that it is possible to create a taxonomy of scams and scammers, and develop tools and campaigns that hurt their bottom line.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.