Just about everyone has received or has seen an email from someone claiming to be a Nigerian prince who is in desperate need of your help and willing to reward you greatly for a seemingly small task or a small amount of money. Most wonder how anyone could ever fall victim to these fraudulent attempts, as the emails often contain spelling and grammatical errors and promise rewards totalling millions or tens of millions of dollars. However, these email scams do reliably elicit payoffs, which is why their campaigns continue relentlessly.
These scammers are not lone wolves; they are more akin to gangs or a mafia, working, learning and evolving their expertise together as a syndicate. Over time, their skills have evolved and adapted to the point that they have become specialized in social engineering and targeted spear phishing, while surprisingly lacking complex technical sophistication. These groups do not only target personal emails or the elderly; they are increasingly going after small businesses that often lack significant security measures, which allows the attackers to evade detection and remain inside an environment unnoticed. Their typical entry point is a spear phishing campaign against payroll, accounting or finance-related personnel at the target organization, who end up submitting their credentials to a fake login page or downloading malware that gives the attackers unauthorized access. From there, the attackers can remain silent for weeks, observing business operations and scouring troves of email inboxes to understand the organization's layout and users' roles, and to identify who handles payments, purchasing and related duties.
Once they have the lay of the land, they devise a ruse such as impersonating another employee, client, contractor or business partner to create fake invoices, or they intercept legitimate business communications and tamper with emails to change banking information to an account under their control. These techniques have been highly successful, with some victims reportedly scammed out of hundreds of thousands and even millions of dollars. Federal agencies from Canada, the USA and European countries have investigated large cases and have successfully arrested some of these scammers. Because the groups lack technical sophistication, their IP addresses can be tied directly back to their locations and the devices they use, with no proxies or VPN protections hiding their identity.
This also means that protecting against these attacks is realistic for small businesses and will not overwhelm their technology budgets with complex security solutions. Regularly updating software, enforcing strong password requirements and running anti-virus solutions can help prevent attackers from getting in; implementing a two-factor authentication mechanism limits the success of those who do, because stolen credentials cannot be used readily. Creating business processes and channels for large payments that require multiple people to verify a transaction, and verifying any change to a payee's banking details out of band, can significantly reduce the risk of a business falling victim to these scams. Back in January, Packetlabs covered a case study of a small local Toronto business that fell victim to a devastating hack; read more here.
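The payment controls described above can be enforced in the payment workflow itself rather than left to memory. The following is an added example, not Packetlabs code or the code of any product the post mentions: it models two checks, that a bank account differing from the one on file for a known payee is held until someone confirms it with the payee on a known phone number, and that payments at or above a threshold need a minimum number of approvers distinct from the requester. The vendor names, account strings, user names and amounts are constructed sample data, and the `callback_verified` flag stands in for whatever record the business keeps of that out-of-band call.

```python
"""Dual-control checks for outgoing payments (added example, not Packetlabs code).

Two controls are modelled: a changed or unknown bank account must be verified
out of band before it is paid, and large payments need several independent
approvers. Every vendor, account, user and amount here is constructed sample
data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Beneficiary:
    name: str
    account: str  # constructed sample account identifier


@dataclass
class PaymentRequest:
    request_id: str
    requester: str                 # user who entered the payment
    beneficiary: Beneficiary
    amount: float
    approvers: set = field(default_factory=set)  # users who signed off in the payment system
    callback_verified: bool = False              # bank details confirmed with payee on a known number


class PaymentControl:
    def __init__(self, vendor_master: dict, dual_control_threshold: float,
                 required_approvers: int = 2):
        self.vendor_master = vendor_master           # payee name -> account on file
        self.threshold = dual_control_threshold
        self.required_approvers = required_approvers

    def evaluate(self, req: PaymentRequest):
        """Return ("APPROVE", []) or ("HOLD", [reasons...])."""
        reasons = []

        # Control 1: banking details must match the vendor master, or the change
        # must have been confirmed out of band (an email saying "we changed banks"
        # is exactly what the tampered invoices in the post look like).
        on_file = self.vendor_master.get(req.beneficiary.name)
        if on_file != req.beneficiary.account and not req.callback_verified:
            what = "unknown beneficiary" if on_file is None else "bank account differs from vendor master"
            reasons.append(f"{what}; out-of-band verification missing")

        # Control 2: large payments need approvers other than the requester,
        # so one compromised mailbox cannot both request and approve.
        if req.amount >= self.threshold:
            independent = req.approvers - {req.requester}
            if len(independent) < self.required_approvers:
                reasons.append(f"{len(independent)} independent approver(s), "
                               f"{self.required_approvers} required")

        return ("APPROVE" if not reasons else "HOLD", reasons)


# Constructed vendor master and sample requests.
VENDOR_MASTER = {"Acme Supplies": "CA-001-123456", "Northwind Ltd": "CA-002-987654"}


def run_demo():
    control = PaymentControl(VENDOR_MASTER, dual_control_threshold=10000.0)
    requests = [
        # routine small payment to a known account: no extra control needed
        PaymentRequest("PR-1", "alice", Beneficiary("Acme Supplies", "CA-001-123456"), 2500.0),
        # same vendor, but the invoice now carries a new account and nobody called them
        PaymentRequest("PR-2", "alice", Beneficiary("Acme Supplies", "GB-999-000001"), 2500.0),
        # large payment where the requester tried to count as one of the approvers
        PaymentRequest("PR-3", "alice", Beneficiary("Acme Supplies", "CA-001-123456"), 50000.0,
                       approvers={"alice", "bob"}),
        # genuine bank change confirmed by phone, with two independent approvers
        PaymentRequest("PR-4", "alice", Beneficiary("Northwind Ltd", "CA-777-111222"), 50000.0,
                       approvers={"bob", "carol"}, callback_verified=True),
    ]
    return {r.request_id: control.evaluate(r) for r in requests}


if __name__ == "__main__":
    for request_id, (decision, reasons) in run_demo().items():
        print(request_id, decision, "; ".join(reasons))
```

Running the block prints one line per request; PR-2 and PR-3 are held while PR-1 and PR-4 are approved. The point of keeping the vendor master separate from the invoice is that the attacker, who controls only the email channel, cannot change the record the control compares against.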
A full report on emerging business threats from Nigerian email phishing is available from CrowdStrike.