Take a peek under the hood of cybercrime operations and what you can do to avoid becoming an easy target for similar tactics
They hack corporate email, steal money from people and businesses, and trick others into transferring the loot. Nigerian nationals Solomon Ekunke Okpe and Johnson Uke Obogo ran a sophisticated fraud scheme that caused losses of up to US$1 million for victims. A US court recently sentenced the duo to four years and one year behind bars, respectively.
Their criminal operation ran multiple fraud schemes – including business email compromise (BEC), work-from-home fraud, check fraud, and credit card fraud – that targeted unsuspecting victims around the world for more than five years.
Here’s how they pulled off the cons and, more importantly, how you can avoid falling victim to similar scams.
Step 1 – hack the email account
To gain access to a victim’s email account, Okpe and his co-conspirators launched email phishing attacks that collected thousands of email addresses and passwords. They also collected large amounts of credit card information and personally identifiable information from unsuspecting individuals.
Generally, the most common type of phishing involves sending emails that pretend to be legitimate messages that have a sense of urgency and come from reputable institutions such as banks, email providers, and employers. Using false pretenses and generating a sense of urgency, these communications attempt to trick users into handing over money, login credentials, credit card information or other valuable data.
Another technique for breaking into someone’s account is to defeat a weak password. Passwords that are too short, or that draw on too simple a set of characters, can be cracked easily with automated tools, i.e. “brute-forced”.
For example, if your password is eight characters long and consists only of lowercase letters, an automated tool can guess it in a few seconds. A password that is complex but only six characters long can also be cracked quickly.
Hackers also often take advantage of people’s penchant for creating passwords that are very easy to guess, even without the aid of special tools. According to a 3TB password database spilled in a security incident, the most popular password in 30 countries is, you guessed it, “password”. The second is “123456”, followed by the slightly longer (but not much better) “123456789”. Rounding out the top five are “guest” and “qwerty”. Most of those passwords can be cracked in less than a second.
The takeaway? Always use a long, complex, and unique password or passphrase so that your access credentials cannot be easily guessed or brute-forced.
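To put numbers on the claims above, here is an added example (not from the article) that computes the keyspace and an estimated exhaustive-search time for a candidate password, and rejects the common passwords the article lists. The 10 billion guesses per second rate and the 14-character / 60-bit policy thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed deny list: the five most common passwords the article cites.
COMMON_PASSWORDS = {"password", "123456", "123456789", "guest", "qwerty"}

# Assumption: an offline attack against a fast hash trying 1e10 guesses/second.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def charset_size(pw: str) -> int:
    """Size of the smallest standard character classes covering every symbol in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1  # 32 symbols plus space
    return size


def keyspace(pw: str) -> int:
    """Number of candidates an exhaustive search must try for pw's charset and length."""
    return charset_size(pw) ** len(pw)


def entropy_bits(pw: str) -> float:
    return math.log2(keyspace(pw))


def seconds_to_exhaust(pw: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    return keyspace(pw) / rate


def assess(pw: str, min_length: int = 14, min_bits: float = 60.0) -> dict:
    """Apply a simple policy: deny list first, then length, then keyspace size."""
    result = {"bits": round(entropy_bits(pw), 1), "seconds": seconds_to_exhaust(pw)}
    if pw.lower() in COMMON_PASSWORDS:
        result.update(verdict="reject", reason="on common-password deny list")
    elif len(pw) < min_length:
        result.update(verdict="reject", reason=f"shorter than {min_length} characters")
    elif result["bits"] < min_bits:
        result.update(verdict="reject", reason=f"keyspace below {min_bits} bits")
    else:
        result.update(verdict="accept", reason="meets length and keyspace policy")
    return result


if __name__ == "__main__":
    for pw in ["password", "abcdefgh", "Tr0ub4!", "correct horse battery staple"]:
        print(pw, assess(pw))
```

With the assumed rate, the eight-lowercase-letter case exhausts in about 21 seconds and the six-character mixed case in about a minute, matching the article's claims.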
Step 2 – attack business partners
After gaining access to the victim’s account, Okpe and his team would send emails to employees of companies with whom the victim did business, directing the target to transfer money to a bank account controlled by the crooks, their co-conspirators or “money mules”. These emails appeared to come from the victim but were actually instructions for unauthorized money transfers issued by Okpe and his co-conspirators.
This attack, called business email compromise, is a form of spearphishing. While a typical phishing attack casts a wide net at unknown victims, spearphishing targets a specific person or group of people. Bad actors study all the information available online about the targeted person and customize their email accordingly.
This obviously makes such emails harder to recognize, but there are still some clear giveaways. For example, these messages often arrive unexpectedly, generate a sense of urgency or employ other pressure tactics, and contain attachments or (shortened) URLs that lead to questionable sites.
If a spearphishing campaign aims to steal your credentials, two-factor authentication (2FA) can help keep you safe. It requires two or more identity verification factors to access the account. The most popular option is an authentication code sent via SMS, but dedicated 2FA apps and physical security keys provide a higher level of protection.
If you as an employee are asked to send money, especially under a tight deadline, double check that the request is genuine.
Step 3 – trick people into transferring stolen money
In “work-from-home” scams, the gang poses as online employers and places advertisements on job websites and forums with various fictitious online personas. They pretend to hire people from all over the United States for work from home positions.
Although the position is marketed as legitimate, the fraudsters direct the workers to perform tasks that facilitate the group’s fraud. Thus, victims unknowingly assist scammers by setting up bank accounts and processing payments, transferring or withdrawing money from accounts, and cashing or depositing fraudulent checks.
To avoid work-from-home scams, do some research. Look up the company name, email address and phone number and check for any complaints about the company’s conduct and practices. Also, when looking for jobs online, start with legitimate job sites and other trusted sources.
There is more
Additionally, Okpe and his co-conspirators staged romance scams. They created fictitious identities on dating sites, pretending to be interested in romantic relationships with people looking for love. After gaining the victims’ trust, Okpe and others used them as money mules to transfer money overseas and to receive cash from wire transfer scams.
Many romance scammers follow the same playbook, which makes them easier to spot and their scams easier to avoid. Be wary of online suitors who:
- Ask you lots of personal questions but are evasive when asked about their own life
- Express their love quickly
- Quickly move conversations from dating sites to private chats
- Create convoluted reasons not to meet in person or join a video call
- Pretend to live or work abroad
- Have the perfect profile photo
- Tell sad stories about why they need money, including to pay for travel or medical expenses, visas, and travel documents
Be scam-smart – be especially careful with unsolicited online communications and watch out for signs of online scams.