How a cybercrime ring operated a multi-level fraud scheme

Scams

A peek beneath the hood of a cybercrime operation and what you are able to do to keep away from being a straightforward goal for related ploys

30 Might 2023
 • 
,
4 min. learn

They hacked into company emails, stole cash from folks and companies, and tricked others into transferring the loot. Nigerian nationals Solomon Ekunke Okpe and Johnson Uke Obogo ran a classy fraud scheme that precipitated as much as US$1 million in losses to victims. A US court recently sentenced the duo to 4 years and one 12 months behind bars, respectively.

Their prison operation engaged in a wide range of fraudulent schemes – together with business email compromise (BEC), work-from-home fraud, test fraud and bank card scams – that focused unsuspecting victims worldwide for greater than 5 years.

Right here’s how they pulled out the cons and, much more importantly, how one can keep away from changing into a sufferer of comparable ploys.

Step 1 – hacking into e mail accounts

With a view to get entry into victims’ e mail accounts, Okpe and co-conspirators launched e mail phishing assaults that collected hundreds of e mail addresses and passwords. Moreover, they amassed massive quantities of bank card data and personally identifiable data of the unsuspecting people.

Usually, the commonest number of phishing entails sending out emails that pose as official messages which have a way of urgency and are available from respected establishments reminiscent of banks, e mail suppliers, and employers. Utilizing false pretenses and evoking a way of urgency, these communications try and dupe customers into handing over their cash, login credentials, credit card information or different worthwhile knowledge.

One other approach to interrupt into one’s account is solely overcoming a weak password – assume a password that’s both too quick or made up too easy a set of characters and scammers can simply crack it with the assistance of automated instruments, i.e. “brute-force” it.

For instance, in case your password is eight characters lengthy and consists solely of lower-case characters, an automatic instrument can guess it in a couple of seconds. A password that’s advanced however is made up of solely six characters may be cracked simply as shortly.

Hackers additionally typically reap the benefits of folks’s penchant for creating passwords which are extraordinarily simple to guess with out assist from devoted instruments. Based on a 3TB database of passwords spilled in safety incidents, the most popular password throughout 30 international locations was, you guessed it, “password”. Second got here “123456”, adopted by the marginally longer (however probably not a lot better) “123456789.” Rounding out the highest 5 have been “visitor” and “qwerty.” Most of these logins may be cracked in lower than a second.

The takeaway? At all times use lengthy, advanced, and distinctive passwords or passphrases to keep away from having your entry credentials simply guessed or brute-forced.



Step 2 – attacking enterprise companions

After getting access to victims’ accounts, Okpe and his staff would ship emails to workers of corporations that did enterprise with the sufferer, directing the targets to switch cash to financial institution accounts managed by the criminals, their co-conspirators or “cash mules”. These emails have been made to appeared like they have been coming from the sufferer, however have been directions for unauthorized cash transfers from Okpe and his co-conspirators.

These assaults, known as enterprise e mail compromise assaults, are a type of spearphishing. Whereas common phishing assaults contain casting the online broad and goal unknown victims, spearphishing takes goal at a selected individual or group of individuals. Unhealthy actors research each piece of data out there a few focused individual on-line and tailor their emails accordingly.

This clearly makes such emails tougher to acknowledge, however there are some apparent giveaways. For instance, these messages typically come out of the blue, evoke a way of urgency or use different stress ways, and comprise attachments or (shortened) URLs resulting in doubtful websites.

If a spearphishing marketing campaign goals to steal your credentials, two-factor authentication (2FA) can go a good distance in the direction of conserving you protected. It requires you to offer two or extra id verification components to entry an account. The most well-liked possibility entails authentication codes through SMS messages, however devoted 2FA apps and bodily keys present a better degree of safety.

For those who as an worker are requested to wire any cash, particularly beneath a good deadline, doublecheck that the request is real.

Step 3 – tricking folks into transferring stolen cash

Within the “work-from-home” scams, the gang falsely posed as on-line employers and posted adverts on job web sites and boards beneath a wide range of fictitious on-line personas. They pretended to rent massive numbers of people from round the US for work-from-home positions.

Though the positions have been marketed as respectable, the scammers directed the employees to carry out duties that facilitated the group’s scams. Thus, victims have been unknowingly serving to scammers with creating financial institution and cost processing accounts, transferring or withdrawing cash from accounts, and cashing or depositing counterfeit checks.

To keep away from falling for a work-from-home rip-off, do your analysis. Lookup the corporate’s title, e mail deal with, and cellphone quantity and test whether or not there are some complaints in regards to the firm’s conduct and practices. Certainly, when searching for a job on-line, begin with legit job websites and different reliable sources.

There’s extra

Moreover, Okpe and co-conspirators conducted romance scams. They created fictitious identities on courting web sites, feigning curiosity in romantic relationships with love-seeking folks. After gaining victims’ belief, Okpe and others used them as money mules to switch cash abroad and obtain money from fraudulent wire transfers.

Many romance scammers borrow from the identical playbook, which makes it simpler to acknowledge and keep protected from their tips. Be careful for on-line suitors who:

• Ask victims a number of private questions however are evasive when requested questions on their lives
• Profess their love shortly
• Transfer the dialog shortly off the courting website to a non-public chat
• Make convoluted excuses for not assembly in individual or becoming a member of a video name
• Fake to reside or work overseas
• Have picture-perfect profile photographs
• Inform sob tales about why they want cash, together with to pay for journey or medical bills, visas and journey paperwork

Be scam-smart – train warning particularly with unsolicited on-line communications and be careful for the tell-tale signs of online fraud.

RELATED READING:

5 signs you’ve fallen for a scam – and what to do next