
Tricks of the Trade: Examining a Cybercrime Ring’s Multi-Level Fraud Scheme


Solomon Ekunke Okpe and Johnson Uke Obogo, two Nigerian nationals, have recently been sentenced to 4 years and 1 year behind bars, respectively, for running a cybercrime operation that caused up to US$1 million in losses to victims. The duo used a variety of fraudulent schemes including business email compromise (BEC), work-from-home fraud, check fraud, and credit card scams, which targeted unsuspecting victims worldwide for more than five years. To gain access to victims’ email accounts, Okpe and co-conspirators launched email phishing attacks that collected thousands of email addresses and passwords, credit card information and personally identifiable information.

Hackers also often take advantage of people’s penchant for creating passwords that are easy to guess without help from dedicated tools. The most popular passwords were found to be “password”, “123456”, and “123456789”, which can be easily cracked. It is essential to use a long, complex, and unique password or passphrase to avoid having access credentials easily guessed or brute-forced.

After gaining access to victims’ accounts, Okpe and his team launched a spearphishing attack, sending emails to employees of companies that did business with the victim, directing them to transfer money to bank accounts controlled by the criminals, their co-conspirators, or “money mules”. If you receive this sort of email, it is critical that you double-check the request before transferring any money. You could call the sender or check with your manager to ensure the request is real before making any transfers. Two-factor authentication (2FA) can also go a long way towards keeping you safe. It requires you to provide two or more identity verification factors to access an account. The most popular option involves authentication codes via SMS messages, but dedicated 2FA apps and physical keys provide a higher level of security and should be used where possible.

In the “work-from-home” scams, the gang falsely posed as online employers and posted ads on job websites and forums under various fictitious online personas. The positions marketed were legit, but the scammers directed the workers to perform tasks that facilitated the group’s scams. Thus, victims were unknowingly helping the scammers with creating bank and payment processing accounts, transferring or withdrawing money from accounts, and cashing or depositing counterfeit checks. To avoid falling for a work-from-home scam, do your research; look up the company’s name, email address, and phone number and check for complaints about the company’s behaviour and practices.

Another scam run by Okpe and co-conspirators was a romance scam. They created fictitious identities on dating websites, feigning interest in romantic relationships with love-seeking people. After gaining victims’ trust, they used them as money mules to transfer money overseas and receive cash from fraudulent wire transfers. To stay safe from such tricks, watch out for online suitors who ask lots of personal questions but are evasive when asked questions about their lives, profess their love quickly, promptly move the conversation off the dating site to a private chat, make convoluted excuses for not meeting in person or joining a video call, pretend to live or work abroad, have picture-perfect profile photos, and tell sob stories about why they need money, including to pay for travel or medical expenses, visas and travel documents.

It is important to exercise caution, especially with unsolicited online communications, and watch out for the tell-tale signs of online fraud. These types of scams are widespread, and scammers continuously evolve and hone their tactics to be more convincing and appealing to their targets. To avoid becoming an easy target for similar ploys, make sure that you are using strong passwords, read up on common scams and how to avoid them, and make sure that you verify requests before transferring any money. It is also important to educate yourself and your employees, as security awareness training can help to prevent employee errors that put organisations at risk, including phishing and other social engineering frauds.
