The Future of Social Engineering 2: Nigerian and Friend scams

Read previous: The Future of Social Engineering

Proceeding with her talk, Sharon Conheady traces a historical timeline reaching back hundreds of years to outline the origin of today’s Nigerian scams, and speaks on the prevalent present-day frauds that aim to trick money out of credulous people.

So I am just going to give you some thoughts on the future of social engineering as I see it. First of all, we’ve seen with the pilot thing, we’ve seen with the selling of the Eiffel Tower – it’s the same tricks that work over and over in history. We’ve got the same scams, the same cons repeated again and again. It’s just they change with technology. So 10 – 15 years ago, phishing attacks appeared. They took place over email, they took place over social networks. Now we’ve got vishing, that uses VoIP technology, we’ve got SMiShing that uses SMS. I am sure we will get whatever ‘ishing’ comes next.

How old are the Nigerian scams? Why are they called that way?

How the 'Spanish Prisoner' scam worked

The beautiful example is the advance fee fraud. So the Nigerian 419 scams that we see so often today actually date back hundreds of years. The first example I could find was about 500 years old (see image). It used to take place in the UK, at around the time of the Spanish Armada. So they were targeting the members of aristocracy. The con artists would find a noble man, find a beautiful Spanish-looking lady, go to the noble man and say: “This beautiful lady’s father is imprisoned in Spain. We need some money to bribe the guards to help release him. And if you give us the money, not only will you be reimbursed with hundreds and hundreds of Pounds and gold jewels, and rubies, but you can also marry this beautiful Spanish lady.” Quite an offer! So lots of people fell for this. They’d give the cash advance, they’d never see the money or the beautiful lady again.

Scam about allegedly lost casket with jewels, as described by Vidocq

So we skip forward to I think the 1700s, or maybe early 1800s, and a guy named Eugène François Vidocq started his life as a criminal, spent years and years in jail and then interestingly went on to found the French police force as we know it today.

So Eugène François Vidocq published his memoirs, you can read them on Google or you can buy the book. And he mentioned a scam called ‘The Letter from Jerusalem’ (see image). And again, it was very, very similar. They’d target a member of the aristocracy or someone with a lot of money. They’d write them a letter giving them some reason to advance some cash to them. It might be something as silly as saying: “We are the assistant to this aristocrat, and he lost a box of jewels. We need to find them somewhere, so we need to pay the searchers. If you give us the money, we will share the jewels with you.” So I like the statistics that Vidocq mentions, he says of 100 letters, 20 were always answered. Because they were very, very targeted attacks, possibly the first example we saw of spear phishing.

And my favorite quote from Vidocq is that sometimes even the Parisians would fall for this scam. So it was very, very serious. Throughout history, again, they repeated, and we skip forward to the 1980s – that’s when these scams first started appearing out of Nigeria. The oil-based economy was in decline. So some Nigerian students thought maybe they could take advantage of this. And they’d contact usually U.S. businessmen, sending them letters or sending them faxes, or even telexes, saying: “We can get you in this really good business deal if you just let us have a little bit of money in advance.” So the same thing over and over. And of course it eventually turned into email attacks.

Example of the '419 Scam'

So this is the typical 419 scam that we see today (see image). Attackers will often try to make their victims feel some kind of emotion, because when we are emotional – whether it’s being angry because Facebook is starting to charge for account access, or whether it is because you are feeling obsessed or sympathetic because this guy’s clients all died in a plane crash – once you feel that emotion, you are more open to suggestions. So this guy says his bank clients and his entire family died in a plane crash and he needs some money, and actually if you click through or even type in the URL provided in the email, it shows a story. So this might not work for people in the security industry, but it could work for a lot of other people. So this is the Concorde crash that happened in Paris about 10 years ago.

Why is the ‘Friend Scam’ getting widespread?

The really trustworthy-looking 'Friend Scam' involves emails from acquaintances

But today it has turned into more of a friend scam (see image). We often receive emails from our friends now, saying that they have been stuck abroad. The first time I received this attack, even I had to think twice about whether it was real or not, because I received it from an acquaintance rather than a friend, so I didn’t know the lady that well, I didn’t know her background. I didn’t know that she wasn’t in Nigeria, maybe she could have been in Nigeria. So she says that she was on the way to the hotel and she lost her bag. And she now owes a sum of 2000 USD, but she needs me to help out with a sum of 3500 USD, urgently. So no way was I handing over that kind of money. But the interesting thing is that with a lot of these friend scams, the amount is often the exact same. You will see these 2000 and 3500 amounts repeated over and over.

So it’s old attacks reworked, and when the request comes in from your friend, of course you are more likely to comply with it. So they are getting very effective.

The latest one appears to be the London mugging. This comes in via social networks or via some kind of chat. Your friend will say: “I am sorry I forgot to tell you I was visiting London, but when I was there I was mugged, they stole my money and stole my wallet, so I need you to give me some money, again, to pay for the hotel.”
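The stranded-friend pattern described above (a lost bag or a mugging, a foreign city or hotel, urgency, a request to send money, and the recurring 2000 / 3500 amounts) is concrete enough to turn into a mailbox triage heuristic. The following is an added example, not code from the talk or from the speaker: a small Python scorer run over constructed sample messages. The indicator lists, the weights and the threshold of 4 are assumptions chosen for illustration, and the samples are made up for the example.

```python
import re

# Constructed sample messages (not taken from the talk), shaped like the
# friend scams the speaker describes plus two benign messages for contrast.
SAMPLES = {
    "friend_scam": (
        "Hi, I hope this reaches you in time. I'm stuck in London, I was mugged "
        "on the way to the hotel and they stole my wallet. I still owe the hotel "
        "2000 USD and need you to help me out with 3500 USD urgently. Please "
        "send it by wire today."
    ),
    "benign": (
        "Hey, just got back from the conference in Dublin. Lunch next week? "
        "My treat, I owe you for the lift."
    ),
    "benign_money": (
        "Invoice attached: the venue deposit was $2000, split three ways. "
        "No rush, pay me back whenever."
    ),
}

# Indicator patterns; the word lists are assumptions chosen for this example.
STRANDED = re.compile(
    r"\b(stuck|stranded|mugged|lost my (bag|wallet|passport)|stole my (wallet|money))\b",
    re.I,
)
REQUEST = re.compile(r"\b(send|wire|transfer|lend|help (me )?out with)\b", re.I)
URGENCY = re.compile(
    r"\b(urgent(ly)?|asap|immediately|right away|as soon as possible)\b", re.I
)
ABROAD = re.compile(r"\b(london|nigeria|abroad|hotel|embassy)\b", re.I)
# Amounts written as "$3,500" / "USD 3500" (group 1) or "2000 USD" / "2000 dollars" (group 2).
AMOUNT_RE = re.compile(r"(?:\$|usd\s*)(\d[\d,]*)|(\d[\d,]*)\s*(?:usd|dollars)\b", re.I)

# The two amounts the speaker says recur across friend scams.
TEMPLATE_AMOUNTS = {2000, 3500}


def extract_amounts(text):
    """Return the integer money amounts mentioned in the message, in order."""
    amounts = []
    for m in AMOUNT_RE.finditer(text):
        raw = (m.group(1) or m.group(2)).rstrip(",").replace(",", "")
        if raw.isdigit():
            amounts.append(int(raw))
    return amounts


def score_message(text):
    """Additively score the stranded-friend indicators; weights are assumptions."""
    score, reasons = 0, []
    if STRANDED.search(text):
        score += 2
        reasons.append("claims to be stranded or robbed")
    if REQUEST.search(text):
        score += 1
        reasons.append("asks for money to be sent")
    if URGENCY.search(text):
        score += 1
        reasons.append("pressures for urgency")
    if ABROAD.search(text):
        score += 1
        reasons.append("mentions a foreign location or hotel")
    amounts = extract_amounts(text)
    if amounts:
        score += 1
        reasons.append("names a money amount: %s" % amounts)
    if TEMPLATE_AMOUNTS & set(amounts):
        score += 2
        reasons.append("uses the recurring 2000/3500 template amounts")
    return {"score": score, "reasons": reasons, "amounts": amounts}


def is_suspicious(text, threshold=4):
    """Flag a message when enough indicators co-occur (threshold is an assumption)."""
    return score_message(text)["score"] >= threshold


def triage(messages):
    """Score a mapping of name -> message text and return (name, score, flagged) tuples."""
    return [(name, score_message(body)["score"], is_suspicious(body))
            for name, body in messages.items()]


if __name__ == "__main__":
    for name, score, flagged in triage(SAMPLES):
        print("%-13s score=%d flagged=%s" % (name, score, flagged))
        for reason in score_message(SAMPLES[name])["reasons"]:
            print("    -", reason)
```

The point of the third sample is that an amount on its own, even one of the template amounts, does not cross the threshold; it is the co-occurrence of the stranded story, the urgency and the request to send money that makes the pattern stand out, which is also why the speaker's own first reaction was to check the story rather than the sum.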

But I thought I was surprised that year when we got the whole volcano thing going on. Everybody was stranded across the world. That was the ideal time for social engineers to take advantage. And you can imagine if you were after a particular organization, most global organizations had people stranded somewhere because of the volcano. So find who these people are, offer them a lift, offer them some kind of assistance. There were tons of carpools set up. People disclosed their email addresses, they disclosed their telephone numbers.

This guy here writes: “I am in Amsterdam and I need to get to Dublin. Can anyone help?” He is going to accept a lift with anyone going that way. I didn’t hear of any attacks that used this, but you know it was the prime ground for social engineers.

Read next: The Future of Social Engineering 3: Creativity and Spear Phishing
