May 22, 2018

Turning the tables on Nigerian email scammers

Surveillance of accounts belonging to e-mail scammers.

Photo: Jaap Arriens/NurPhoto via Getty Images

The email protection group Agari announced the results of an ambitious and — they promise us — legal project to surveil 78 email accounts belonging to so-called Nigerian scammers, both to rescue victims and study the practice. "We’re using social engineering on them the way they have used it on other people," Markus Jakobsson of Agari told Axios.

Why it matters: Studies have examined data provided by victims of Nigerian scams, but this is the first to look at data collected on the other end.

Legal? Agari did not want reporters to reveal the exact methods used to take over the email accounts. But representatives say they've briefed lawyers and law enforcement agencies, including the FBI, none of whom believed there was a legal problem. As described to Codebook, the methods were certainly more aggressive than most traditional research techniques, but appeared difficult to pin down as outright illegal.

The numbers: Nine out of 10 of the scam-spewing accounts researchers observed were actually headquartered in Nigeria at one point during the observation period.

  • The scammers worked for a total of 10 organized crime rings.
  • Most scammers used low-yield scams like romance and rental scams as an everyday source of income, and business email compromise (BEC) as a rarer big payday score. Romance scams use fraudulent romantic relationships to extort money or criminal collaboration. BEC convinces users to transfer money to pay off fake invoices, often for large business purchases or real estate.
  • About a quarter of email scams are BEC scams, with successful attacks netting an average of $35,000. Out of more than 1,000 emails sent for BECs, four will be successful. But they can be very convincing when opened — four out of every 100 BEC emails opened lead to successful scams.