A peek under the hood of a cybercrime operation and what you can do to avoid being an easy target for similar ploys
They hacked into corporate emails, stole money from people and businesses, and tricked others into transferring the loot. Nigerian nationals Solomon Ekunke Okpe and Johnson Uke Obogo ran a sophisticated fraud scheme that caused up to US$1 million in losses to victims. A US court recently sentenced the duo to four years and one year behind bars, respectively.
Their criminal operation engaged in a variety of fraudulent schemes – including business email compromise (BEC), work-from-home fraud, check fraud and credit card scams – that targeted unsuspecting victims worldwide for more than five years.
Here’s how they pulled out the cons and, even more importantly, how you can avoid becoming a victim of similar ploys.
Step 1 – hacking into email accounts
In order to get access into victims’ email accounts, Okpe and co-conspirators launched email phishing attacks that collected thousands of email addresses and passwords. Additionally, they amassed large amounts of credit card information and personally identifiable information of the unsuspecting individuals.
Generally, the most common variety of phishing involves sending out emails that pose as official messages that have a sense of urgency and come from reputable institutions such as banks, email providers, and employers. Using false pretenses and evoking a sense of urgency, these communications attempt to dupe users into handing over their money, login credentials, credit card information or other valuable data.
Another technique to break into one’s account is simply overcoming a weak password – think a password that is either too short or made up too simple a set of characters and scammers can easily crack it with the help of automated tools, i.e. “brute-force” it.
For example, if your password is eight characters long and consists only of lower-case characters, an automated tool can guess it in a couple of seconds. A password that is complex but is made up of only six characters can be cracked just as quickly.
Hackers also often take advantage of people’s penchant for creating passwords that are extremely easy to guess without help from dedicated tools. According to a 3TB database of passwords spilled in security incidents, the most popular password across 30 countries was, you guessed it, “password”. Second came “123456”, followed by the slightly longer (but not really much better) “123456789.” Rounding out the top five were “guest” and “qwerty.” Most of those logins can be cracked in less than a second.
The takeaway? Always use long, complex, and unique passwords or passphrases to avoid having your access credentials easily guessed or brute-forced.
Step 2 – attacking business partners
After gaining access to victims’ accounts, Okpe and his team would send emails to employees of companies that did business with the victim, directing the targets to transfer money to bank accounts controlled by the criminals, their co-conspirators or “money mules”. These emails were made to looked like they were coming from the victim, but were instructions for unauthorized money transfers from Okpe and his co-conspirators.
These attacks, called business email compromise attacks, are a form of spearphishing. While regular phishing attacks involve casting the net wide and target unknown victims, spearphishing takes aim at a specific person or group of people. Bad actors study every piece of information available about a targeted person online and tailor their emails accordingly.
This obviously makes such emails harder to recognize, but there are some obvious giveaways. For example, these messages often come out of the blue, evoke a sense of urgency or use other pressure tactics, and contain attachments or (shortened) URLs leading to dubious sites.
If a spearphishing campaign aims to steal your credentials, two-factor authentication (2FA) can go a long way towards keeping you safe. It requires you to provide two or more identity verification factors to access an account. The most popular option involves authentication codes via SMS messages, but dedicated 2FA apps and physical keys provide a higher level of security.
If you as an employee are asked to wire any money, especially under a tight deadline, doublecheck that the request is genuine.
Step 3 – tricking people into transferring stolen money
In the “work-from-home” scams, the gang falsely posed as online employers and posted ads on job websites and forums under a variety of fictitious online personas. They pretended to hire large numbers of individuals from around the United States for work-from-home positions.
Although the positions were marketed as legitimate, the scammers directed the workers to perform tasks that facilitated the group’s scams. Thus, victims were unknowingly helping scammers with creating bank and payment processing accounts, transferring or withdrawing money from accounts, and cashing or depositing counterfeit checks.
To avoid falling for a work-from-home scam, do your research. Look up the company’s name, email address, and phone number and check whether there are some complaints about the company’s behavior and practices. Indeed, when looking for a job online, start with legit job sites and other trustworthy sources.
Additionally, Okpe and co-conspirators conducted romance scams. They created fictitious identities on dating websites, feigning interest in romantic relationships with love-seeking people. After gaining victims’ trust, Okpe and others used them as money mules to transfer money overseas and receive cash from fraudulent wire transfers.
Many romance scammers borrow from the same playbook, which makes it easier to recognize and stay safe from their tricks. Watch out for online suitors who:
- Ask victims lots of personal questions but are evasive when asked questions about their lives
- Profess their love quickly
- Move the conversation quickly off the dating site to a private chat
- Make convoluted excuses for not meeting in person or joining a video call
- Pretend to live or work abroad
- Have picture-perfect profile photos
- Tell sob stories about why they need money, including to pay for travel or medical expenses, visas and travel documents
Be scam-smart – exercise caution especially with unsolicited online communications and watch out for the tell-tale signs of online fraud.