Before there was Elizabeth Holmes or the Fyre Festival, there was the Nigerian prince. For decades, this digital hustler has been seeping through spam filters to offer you a once-in-a-lifetime opportunity: Dear beloved, he writes, I’m a wayward royal coming to you with an incredible investment opportunity. Mr. Sir, he says, did you know you have millions of dollars unclaimed in a Western Union account? I can help you get it out. All he needs is a small cash advance or a bank account number to complete the wire transfer. Then, these unexpected riches are yours.
Most people know this for what it is: a scam. Also known as the 419 fraud, the Nigerian prince is a variation on the centuries-old Spanish prisoner swindle, an advance-fee scam that emerged after the French Revolution, where people sent handwritten letters soliciting help for a (non-existent) nobleman falsely imprisoned. While it’s closely associated with the early internet, the Nigerian prince first went global in the 1980s when West African fraudsters began snail-mailing scam letters around the world. Today, it seems more like a punchline than a real threat, but the Nigerian prince still gets paid: in 2018, the con brought in more than $700,000 from Americans alone.
But fraudsters are using the foundational psychology of the 419 fraud in more innovative and dangerous ways, too. “We all used to snicker at [the Nigerian prince] 15 or 20 years ago,” says Armen Najarian, the chief identity officer at Agari. But “that Nigerian prince has grown up, has gone to college, has learned a thing or two, and has found a new lucrative career.” What once seemed like a simple, isolated grift has evolved into a trillion-dollar threat.
The 419 flimflam is perhaps the best-known example of social engineering, a range of strategies that fraudsters use to manipulate their targets into sharing personal or confidential information and enable further attacks.
Jacob Dorval, global director of the adversary group at SecureWorks, leads a team of ethical hackers who simulate attacks to identify weak spots in a client’s security protocol. He says most social engineering attacks begin with a form of phishing—an email, phone call, or even in-person interaction with a seemingly trustworthy source who’s really after your private data.
“Right now, a perfect example of it would be coronavirus,” Dorval says. A hacker could create a false public health warning and circulate the spoofed page to employees at a targeted company. “Maybe it pops up with an exact replica of your HR page and it says, you must log in to view the advisory. Or perhaps it’s just a link that says, click here,” he says. “It wouldn’t look abnormal to you in any way, but the moment you open that file, it could launch malicious activity.”
Instead of asking for money, like the Nigerian prince, fraudsters now seek personal information. And where the Nigerian prince was often satisfied with a few wire transfers, accessing your passwords and personal identifiers is just the first step in a much larger plan.
Right now, the FBI is concerned with business email compromise, or BEC, which involves targeting an employee with access to their company’s financial infrastructure and duping them into moving money to the scammers.
One variation of this is called the “CEO scam,” where a fraudster spoofs the CEO of a company and demands that an invoice be remitted immediately. If the subordinate follows orders, they will have unwittingly transferred the funds to the fraudsters. (Some go even further: between 2015 and 2017, scammers impersonating France’s defense minister Jean-Yves Le Drian in elaborately staged Skype calls made $90 million.)
A similar strategy called vendor email compromise, or VEC, is also on the rise, with Agari predicting it will be the number one attack type in 2020. In a typical scenario, a fraudster will create an invoice that looks identical to the real vendor’s, save for the bank account information. When the company issues payment, it once again ends up in the scammer’s account.
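The VEC pattern described above, as an added example that is not part of the original article: a small Python script that a payables team could run before releasing a payment. It compares the remittance details on an incoming invoice against the vendor master record, so an invoice that is identical to the genuine one except for the bank account gets held for out-of-band verification, and it also checks that the sending domain is the vendor's registered domain rather than a lookalike (a generalization beyond the invoice comparison the article describes). Vendor names, email domains, and account numbers are constructed sample values, and the master-file structure is an assumption.

```python
"""Hold invoices whose remittance details drift from the vendor master record.

Added illustration, not code from the article. A vendor email compromise (VEC)
invoice usually matches the real one except for the bank details, so the
payables workflow compares each incoming invoice with what is already on file
for that vendor and flags any difference for a callback to a known-good phone
number. All vendor names, domains and account numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class VendorRecord:
    """What finance has on file for a vendor (constructed sample layout)."""
    name: str
    domain: str            # email domain the vendor is known to send from
    bank_name: str
    account_number: str
    routing_number: str


@dataclass(frozen=True)
class Invoice:
    """Fields extracted from an incoming invoice email."""
    vendor_name: str
    sender_email: str
    bank_name: str
    account_number: str
    routing_number: str
    amount: float


# Constructed vendor master file: one record per approved vendor.
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "Acme Paper Co": VendorRecord(
        name="Acme Paper Co",
        domain="acmepaper.example",
        bank_name="First Example Bank",
        account_number="000111222",
        routing_number="011000015",
    ),
}


def _normalize(value: str) -> str:
    """Ignore spacing and case so '000 111 222' and '000111222' compare equal."""
    return "".join(value.split()).lower()


def review_invoice(inv: Invoice, master: Dict[str, VendorRecord] = VENDOR_MASTER) -> List[str]:
    """Return the reasons an invoice must be verified out of band.

    An empty list means the sender domain and every remittance field match the
    vendor master record, so the invoice can proceed through normal approval.
    """
    reasons: List[str] = []
    record = master.get(inv.vendor_name)
    if record is None:
        return ["unknown vendor: no master record to compare against"]

    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != record.domain:
        reasons.append(
            f"sender domain {sender_domain!r} is not the vendor's registered domain {record.domain!r}"
        )
    # The bank-detail comparison is the check that still works when the
    # fraudster is sending from the vendor's genuinely compromised mailbox.
    if _normalize(inv.bank_name) != _normalize(record.bank_name):
        reasons.append("bank name differs from vendor master record")
    if _normalize(inv.account_number) != _normalize(record.account_number):
        reasons.append("account number differs from vendor master record")
    if _normalize(inv.routing_number) != _normalize(record.routing_number):
        reasons.append("routing number differs from vendor master record")
    return reasons


# Constructed sample invoices: one genuine, one VEC-style (same vendor, same
# bank name and routing number, sent from a lookalike domain, new account).
GENUINE_INVOICE = Invoice("Acme Paper Co", "billing@acmepaper.example",
                          "First Example Bank", "000 111 222", "011000015", 4_850.00)
VEC_INVOICE = Invoice("Acme Paper Co", "billing@acmepaper-invoices.example",
                      "First Example Bank", "999888777", "011000015", 4_850.00)

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE_INVOICE), ("suspicious", VEC_INVOICE)):
        reasons = review_invoice(inv)
        status = "OK to route for approval" if not reasons else "HOLD for callback"
        print(f"{label}: {status}")
        for reason in reasons:
            print(f"  - {reason}")
```

The point of the second check is that a compromised vendor mailbox passes the domain test, so the account-number comparison, not the sender check, is what stops the payment; any change to a vendor's bank details should be confirmed by calling a number already on file, never one printed on the new invoice.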
In the past, such cons were a numbers game. The more people a charlatan targeted, the more likely they were to find a victim. That’s still true, but attacks today are also more sophisticated. “The Nigerian prince—that was effectively spam,” Najarian says. “There was nothing bespoke about it.” Now, scams are so personalized, even the most careful or skeptical employees are at risk. “It just takes one small mistake,” Dorval says.
The word “cybersecurity” may evoke international rings of hackers equipped with cutting-edge machinery, as portrayed in so many movies. But fraud doesn’t have to be high-tech to succeed, as social engineering preys primarily on human weakness. “People are the weakest link when it comes to security,” Dorval says. Some people may be at more risk than others—millennials actually report higher rates of fraud than older Americans, according to the Federal Trade Commission—but anyone could fall prey to the power play of a CEO scam or the allure of a romance racket. Why break in when you can trick someone into opening the door?
No matter the target, successful social engineering can have serious repercussions. Juniper Research, which forecasts trends in digital technology, estimates business losses stemming from cybercrime hit $3 trillion worldwide in 2019. No one is safe from the fallout. Moody’s recently downgraded Equifax over an epic data breach that affected hundreds of millions of people, marking the first time a company has had its credit downgraded over a cybersecurity issue. And, as FBI agent Michael Sohn of the Los Angeles Cyber Division told Wired, “[w]hen a small business gets scammed out of $200,000 or $500,000 they’re just done, they’re no longer in business.”
Just as you don’t need sophisticated technology to conduct a social engineering scam, you don’t need crazy schemes to fight it. Multi-factor authentication, which requires one or more levels of identification beyond a password, is a good first step in fighting fraud, says Lukasz Olejnik, an independent cybersecurity researcher and advisor. So too is ensuring that your passwords are different for every account, so that if one is breached, the others don’t fall like dominoes. But don’t keep them on a Post-It—a digital password manager is just as easy and much safer.
Still, many companies are also turning to artificial intelligence to enhance their fraud detection processes in an effort to keep humans out of the process completely. Organizations with automated phishing responses detect 44 times more malicious messages than employees, according to Agari. And that’s important, because Agari reports that 60 percent of employee-reported incidents are false positives anyway. The benefits of AI likely appear in your personal email, too, as Gmail’s machine learning-enhanced platform reportedly blocks 99.9 percent of spam.
The one prevention strategy that doesn’t work is shame, says Olejnik. Anyone can fall prey to a social engineering scheme, so punishing, firing, or even suing the employees who do is not only unfair, it doesn’t address the larger problem. While management may feel they’ve taken a stand, they’re just as vulnerable as they always were.
The Nigerian prince may not be as successful as he once was, but he remains the perfect metaphor for an ever-evolving threat. Fraud “is usually a matter of when it’s going to happen, not if it’s going to happen,” Dorval says, whether royalty’s involved or not.