Are Nigerian Scams From Nigeria?

Markus Jakobsson and Kim-Kwang Raymond Choo

To deal with a problem, the first thing we have to do is to understand the problem. This means that we have to be able to measure all meaningful aspects of the problem. If we consider the problem of online fraud, it is encouraging that there has been substantial progress in understanding phishing and how malware is used to steal credentials, documents and money. But, strikingly, almost nothing is known about Nigerian scams (also known as advance fee fraud and 419 scams – 419 is a section under the Nigerian Criminal Code Act that prohibits obtaining goods by false pretences). This makes it harder to defend against this increasingly common type of fraud, and almost impossible to predict the extent to which it may become worse in the future.

We designed and performed an experiment that allows us to take the pulse of Nigerian scammers. Are the scammers really from Nigeria, you may begin to ask? What do they want, and how do they get it? What are their strengths, what are their weaknesses? Are they at the peak of their success, or should we fear that they can become dramatically better at what they are doing? What can organizations do to secure themselves and their users?

Here is the experiment in a nutshell. Imagine a camera that sells for $750 new, and I offer one for sale on Craigslist for $250. Only used for a few weeks, in perfect condition. Good deal, right? But what if I instead were to ask $750 (or more) for it used? Not so hot, you might say. It makes more sense for you to buy it in the store. You would not bother contacting me.

But fraudsters would.

They may contact me and ask to buy it – even at a premium. They will tell me where to ship it, and they will send me a payment. Or rather: something that looks like a payment to a would-be victim, who would not realize that it really was not a payment until after the camera was shipped.

We used the technique of offering overpriced merchandise to find fraudsters without bothering honest people. In fact, we used it to make the fraudsters find us, while avoiding everybody else. Then we acted as would-be victims, and paid attention to what happened.

Here are some of our findings:

Nigerian scams are aptly named. Indeed, almost all of the fraudsters we interacted with wanted us to ship our merchandise to an address in Nigeria. Knowing this may help a little in designing countermeasures, whether legal or technical.

Most Nigerian scammers “pay” using PayPal. Then they send an email that looks a lot like a PayPal payment notification. But, interestingly, they do not spoof emails. If they did, which would be very easy, they would no doubt increase their yield.

Some Nigerian scammers “pay” using Western Union. Then they send a confirmation code that lets the seller pick up the money – but with some digits starred out. “When you send me the tracking number, I will send you the missing part, and you can pick up the payment.”

Some Nigerian scammers “pay” using credit cards. They request the victim’s credit card details so that they can “transfer” the money to his or her account.

Nigerian scammers are bullies. When a would-be victim who has agreed to sell then expresses second thoughts, the scammer becomes mean and threatening. He sends angry emails in all-caps; tells the would-be victim that he or she will be blacklisted or reported; he even sends a notification from a payment provider, stating that the would-be victim’s account has been revoked. (This can only be undone by responding to the notification with your password.)

Nigerian scammers know what they want. They want fancy cameras, but do not care as much for laptops, and do not give a darn about refrigerators and other bulky electronic appliances. It makes sense: The merchandise needs to be shipped to them, and then be resold in Nigeria.
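The findings above map onto checks a marketplace or mail filter could run on messages sent to sellers. The following is an added example, not code from the authors' experiment; the indicator names, the `BRAND_DOMAINS` table, the thresholds and the sample messages are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains each payment brand really sends from.
BRAND_DOMAINS = {"paypal": ("paypal.com",)}

def indicators(raw: str) -> list[str]:
    """Name the article's scam indicators present in one plain-text message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    hits = []
    # Lookalike notification: names the brand, but the sender did not spoof,
    # so the From domain is not one of the brand's own.
    for brand, domains in BRAND_DOMAINS.items():
        own = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in text and not own:
            hits.append(f"{brand}-lookalike-sender")
    # Confirmation code with some digits starred out.
    if any("*" in t and any(c.isdigit() for c in t)
           for t in re.findall(r"[\d*]{6,}", body)):
        hits.append("starred-payment-code")
    # Request for a password or for credit card details.
    if re.search(r"password|credit card (details|number)", text):
        hits.append("asks-for-secret")
    # Angry all-caps message (thresholds are assumptions).
    letters = [c for c in body if c.isalpha()]
    if len(letters) >= 20 and sum(c.isupper() for c in letters) >= 0.7 * len(letters):
        hits.append("all-caps-pressure")
    if "nigeria" in text:
        hits.append("ship-to-nigeria")
    return hits

# Constructed sample messages (not real mail).
FAKE_PAYMENT = ('From: "PayPal Service" <payments@mail-notify.example>\n'
                "Subject: You have received a payment\n\n"
                "You received $800.00 USD via PayPal. Ship the camera to Lagos, Nigeria.\n")
STARRED_CODE = ('From: "Buyer" <buyer@example.net>\nSubject: Payment sent\n\n'
                "I paid by Western Union. Confirmation code 4821****. "
                "Send the tracking number for the rest.\n")
THREAT = ('From: "PayPal" <security@pp-alerts.example>\nSubject: ACCOUNT REVOKED\n\n'
          "YOUR ACCOUNT HAS BEEN REVOKED. REPLY WITH YOUR PASSWORD OR YOU WILL BE REPORTED.\n")
GENUINE = ('From: "PayPal" <service@paypal.com>\nSubject: Receipt\n\n'
           "You received a payment of $250.00 USD.\n")
```

The sender check is useful only because these notifications are not spoofed; a forged From header passes it, so it complements SPF, DKIM and DMARC verification rather than replacing it.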

Knowing that the scammers remain in business, we can infer that they are reasonably successful. In fact, we see more and more Nigerian scams. So we can conclude that there are enough people who are not very careful, and that bullying them pays off. This is not about people lacking technological skills, it is about them not thinking critically. User awareness and education campaigns could change that.

Of course, Nigerian scams are not limited to Craigslist, nor to frauds in which they try to obtain people’s cameras for free. Our experiment only gives us a glimpse at one particular type of scam at one particular point in time. But it gives us hope that it is possible to create a taxonomy of scams and scammers, and develop tools and campaigns that hurt their bottom line.
