All through October, in aid of National Cyber Security Awareness Month (#CyberAware) we’re putting phishing under the microscope. In each post we’ll take a close look at one specific type of phishing, including the actors responsible, who it targets, and how/why it works.
Today, we’re a true phishing classic: Nigerian 419 scams.
We’ve put the 15 best practices for spotting and handling Nigerian 419 scams and other phishing emails into one webcast presentation. Join us Thursday, October 26, 11:00 am – 12:00 pm EDT to learn how you can turn your users into powerful security assets.
Come on now, you’ve seen a few of these in your time. Literally every person who has ever owned an email account has seen a version of the Nigerian Prince scam.
But just in case you haven’t, here’s the deal. This scam originated in Nigeria well over a decade ago, and attempts to entice victims with a “too good to be true” offer. In the classic case, the attacker poses as Nigerian royalty, and uses a sob story to try to convince the reader to send money. To sweeten the deal, the sender explains that the sum will enable them to access their savings account, at which point they will provide an extravagant reward.
In recent months, we’ve observed attackers posing as royalty, government officials, attorneys, businessmen, and even love interests.
Suffice to say, no such reward will be forthcoming if you decide to help out one of these poor souls.
But here’s the thing. 419 scammers have upped their game recently by becoming social media-savvy, establishing profiles on Facebook and dating sites. These profiles are used to attack any individual or business deemed likely to have enough money to make the scam worthwhile. In particular, dating site profiles are often used to gain the trust of older, lonely people, and convince them to part with their money.
Primary Target(s): Anyone with money
Lure Volume: Consistently high
Geography: Global, but over 20% originate from Nigeria
Threat Actors: Individuals and smaller groups
A typical 419 scam relies on instilling a sense of pity in the reader. There are many different sob stories in common usage, but they all come down to the same thing: The attacker needs help, please send money.
Just take a look at this sample:
Straight away, it tries to tug at the heart strings of the reader, and promises a substantial reward. You’ll notice, though, that this lure doesn’t ask for money straight up. Instead, it tries to lure the reader in with big promises… but I can assure you that once a relationship is established, there will be a request for funds somewhere down the line.
In all honesty, though, the real danger with this type of scam comes with the use of social networks and dating sites. Skilled attackers will take pains to build a relationship with the victims over hours, days, or even weeks, and have routinely succeeded in conning people out of thousands of dollars at a time.
If you’re somewhat security savvy, it might seem incredible to you that 419 scams still work… but work they do. They may not appear in quite the same format we all remember from years gone past, but the structure of these scams remains unchanged: ask for money, and promise a significant reward.
To find out how you can fight back against 419 scams, and other phishing attacks, check out a free #CyberAware resources page.
This is a Security Bloggers Network syndicated blog post authored by Amanda Kline. Read the original post at: The PhishLabs Blog