Nigerian Hacking Group Hits More Than 90K Email Fraud Victims Per Month
By: Jim Stickley and Tina Davis
December 12, 2020
It’s not just the 419 scam we have to be concerned with anymore. Email fraud attacks by Nigerian hackers, dubbed SilverTerrier, claimed 92,739 victims per month last year, focusing on business email compromise (BEC) scams. SilverTerrier added to staggering BEC losses of $1.7 billion in the U.S. alone, according to the FBI. A BEC attack starts with a phishing email in which a hacker appears to be a legitimate business contact such as a co-worker, contractor, or boss. The attacker dupes workers into paying bogus invoices and other financial requests by wire transfer, and the funds are deposited directly into the hacker’s account.
Although there have been some cases brought against Nigerian email scammers, it’s difficult to prosecute wire fraud outside of the U.S. This leads security professionals to believe the BEC campaigns won’t stop any time soon and may in fact continue to grow.
The Facts
Easy and inexpensive to carry out, BEC attacks are highly lucrative and difficult to prosecute across international borders. According to research by Palo Alto Networks, the SilverTerrier group was a significant part of a 1,163% increase last year in BEC attacks aimed at professionals and the legal services industry. The group is also responsible for creating 81,300 malware samples (adware, spyware, worms, trojans, etc.) leading to 2.1 million attacks. The FBI found BEC attacks in general have cost U.S. enterprises $26 billion in the past three years. Overall, the report also finds that last year, BEC attacks on legal services reached an all-time high of nearly 300,000. During that same time, the high-tech industry was the most targeted, with BEC attacks nearly doubling to 350,000.
What a Business Can Do
- BEC phishing emails are far more believable if the email address in the scam looks like the email address being impersonated. Ensure your organization is purchasing all lookalike domains and request that business partners do the same.
- Make sure staff are educated to spot phishing emails, particularly those working with company finances.
- Verify wire transfer requests first by using separate emails and phone calls. Use previously known phone numbers and not those provided in the email.
- Have at least two people verify a wire transfer request. This is especially important if it’s a large dollar amount.
- Use 2FA (two-factor authentication) to verify any changes in vendor payment location or account number.
- Whenever possible, a video call is a great way to put a face and voice to a person to verify the wire request.
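The first item above depends on sender domains that look like the one being impersonated. As an added example (not from the original article), this Python check flags inbound sender addresses whose domain is a near miss of a trusted domain; `TRUSTED`, `CONFUSABLES`, `classify` and every sample domain are assumptions constructed for illustration.

```python
import unicodedata

# Assumption: your own and your partners' real domains (constructed samples).
TRUSTED = {"example.com", "examplebank.com"}

# Common visual substitutions, folded to one form before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Lower-case, strip accents, and fold look-alike character sequences."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def classify(sender, max_distance=1):
    """Return (verdict, matched trusted domain or None) for a sender address."""
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in TRUSTED or any(domain.endswith("." + t) for t in TRUSTED):
        return ("trusted", domain)
    folded = skeleton(domain)
    for good in sorted(TRUSTED):
        if edit_distance(folded, skeleton(good)) <= max_distance:
            return ("lookalike", good)  # hold for out-of-band verification
    return ("unknown", None)

if __name__ == "__main__":
    for s in ("ceo@example.com", "ceo@exarnple.com", "ap@examp1e.com",
              "ap@exmaple.com", "billing@examplebnak.com", "news@unrelated.org"):
        print(s, classify(s))
```

A "lookalike" verdict is a reason to verify the request through a previously known phone number, not proof of fraud, and the same list of near misses can guide which domains to register defensively.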