Last August, a major bust by the Federal Bureau of Investigations (FBI) offered some insight into the growing scale and capabilities of Nigerian online fraudsters. Federal agents arrested 14 fraudsters operating within the US as part of a prolific network of scammers and named 66 others in a 252-count federal grand jury indictment. The fraudsters had defrauded victims of up to $10 million in one of the “largest cases of its kind in US history.” In total, the ring had attempted to steal $40 million from victims in 10 countries as well as the US.
A new report by Palo Alto Networks, a California-based cyber-security company which says it has researched Nigerian cyber-crime for five years, tries to show how these fraudsters have become a lot more proficient at scams over the past five years, employing more sophisticated tactics and tools to carry out Business Email Compromise (BEC) scams. It’s a long way from the classic “Yahoo Yahoo boys” scams 15 odd years ago.
While Nigerian actors were previously classed as “emerging” with regard to malware attacks, recent evidence suggests they “have evolved to a point where they are demonstrating signs of maturity consistent with established threat groups in their delivery techniques, malware packaging, and technical abilities,” Palo Alto Networks’ report notes. Last year, the firm’s malware tracking service identified around 27,000 samples of malware associated with Nigerian actors.
The researchers note the “dominant proportionality and sheer enormity” of BEC scam attempts from Nigerian actors. Last year, BEC scam attempts from these fraudsters resulted in an average of 92,739 attacks per month—172% increase from 2018.
Here’s how BEC scams work: fraudsters use hacked email accounts to convince businesses or individuals to make payments that are either bogus or similar to actual payments owed to legitimate companies. As part of the scam, fraudsters also learn about key personnel in companies who are responsible for those payments as well as the protocols necessary to perform wire transfers in various companies. They then target businesses and individuals that regularly perform such wire transfer payments.
Around $1.7 billion in losses were attributed to BEC attacks last year, more than losses to romance scams, phishing, identity theft, credit card fraud and ransomware, according to the annual report of the FBI’s Internet Crime Complaint Center.
The antics of these fraudsters have come at a wider cost for most Nigerians, as students, business people and tourists are often subject to extra scrutiny from international payment platforms, potential business partners and embassies for visa applications. While successive Nigerian governments have made significant efforts to curb international online fraud from the source at home by awarding notable powers to its anti-fraud agency, the state of the country’s weak economy and large swathes of educated, unemployed young college graduates means fraud is still seen by some as being worth the risk.
However, while growing sophisticated in their methods, Nigerian online fraudsters still “remain indiscriminate in their targeting” with attacks attempted on small and large businesses, healthcare companies as well US government institutions. However, high-tech companies bore the largest brunt of these efforts recording around 313,000 attacks last year—more than double the number in 2018.
And yet, the digital persona linked with young Nigerians has started to change markedly in recent years given several success stories in the country’s fledgling tech ecosystem over the last decade. Nigerian tech startups, innovating to solve many of the country’s systemic problems—from digital payments to online education—have attracted the most funding across Africa last year from major investors.
Nigerian software developers have also become widely sought after beyond the country’s shores, partly prompting a $100 million dollar bet on African development talent by software giant, Microsoft.
But even in Nigeria, local police have often “profiled” young men with laptops as online fraudsters as an excuse for harassment and extortion. This has led to significant protests and crowdfunding legal aid by the burgeoning tech community.
Source: Quartz Africa