Revealed: how Nigerian scam stole $60 million

Nigerian authorities have disclosed the techniques used by an multinational gang to con businesses out of $60 million.

The details came to light after a suspect, referred to as ‘Mike’, was arrested following a joint operation by INTERPOL and Nigeria’s anti-corruption watchdog, the Economic and Financial Crimes Commission (EFCC).

The 40 year-old was arrested in the capital of Nigeria’s Rivers State, Port Harcourt. It is believed that just one fraudulent transaction by Mike and his associates landed them $15.4m.

According to a statement on INTERPOL’s website, Mike headed ‘‘a network of at least 40 individuals across Nigeria, Malaysia and South Africa which both provided malware and carried out the frauds, the alleged mastermind also had money laundering contacts in China, Europe and the US who provided bank account details for the illicit cash flow.’‘

Malware are computer programs designed to steal information or otherwise harm anyone who inadvertently downloads them.

The tricks

The main two types of scam run by the gang were:

• Payment diversion fraud – where a company email would be compromised and fake messages would then be sent to customers with instructions for payment to a bank account under the criminal’s control
  and

• CEO fraud – where fraudsters hack the email account of a top executive and send a wire transfer request to an employee responsible for handling such requests. The money is then paid into a designated bank account held by the criminal.

How can you avoid being a victim?

Caution is the best protection against email scams, and police urge computer users to always be distrustful of emails from unknown addresses. Fraudsters typically gain access to accounts by getting their victims to inadvertently download malware by clicking a link or opening an attachment in a mail. Because of this tactic of sending out lots of bait and hoping someone will “bite”, or click, the scams are known as “phishing scams”.

Once an email has been hacked, however, the criminals still need to gain access to the money. To make this more difficult, companies are encouraged to use a two factor authentication process. Typically this demands that to approve a payment, two elements are require to prove the user’s identity. One could be a secret code or password, while the other could be a physical object like a fingerprint or a credit card.

An email asking the money to be sent would therefore not be enough, but could be the first part of the process if followed by a phone call to a known telephone number.

“Close co-operation”

Abdul Chukkol, Head of the EFCC’s Cybercrime Section said the transnational nature of business e-mail compromise makes it complex to crack, but the arrest sent a clear signal that Nigeria could not be considered a safe haven for criminals.

“For a long time we have said in order to be effective, the fight against cybercrime must rely on public-private partnerships and international cooperation, the success of this operation is the result of close cooperation between INTERPOL and the EFCC, whose understanding of the Nigerian environment made it possible to disrupt the criminal organization’s network traversing many countries, targeting individuals and companies,” Chukkol added.

Nigeria’s Minister of Communication, Mr Adebayo Shittu, recently disclosed that Africa’s most populous nation and biggest economy, loses about 0.8% of its Gross Domestic Product (GDP) year-in year-out to cybercrime.

The amount in monetary terms of the loss comes to 127 billion naira, the equivalent of $430 million.