7 tips to mitigate digital fraud: Lessons organizations and individuals can learn from the Okeke wire fraud scandal
Confidence Staveley
Multi-Award Winning Cybersecurity Leader | Author-API Security for White Hat Hackers | Int'l Speaker | I help US businesses navigate the complexities of application security, with confidence | 3x Founder
I woke up on Friday morning to read about one of the saddest digital fraud cases I’ve come across in my life. The headline was, “How high tech FBI Investigation led to the arrest of Forbes-celebrated Nigerian Obinwanne Okeke (invictusobi) for $12m wire fraud during his recent trip to the U.S”. As I read this story, a myriad of thoughts and emotions flooded my mind immediately, and I had to do a mind detox by reminding myself of the many Nigerians doing amazing things and earning a legitimate income locally and internationally.
For those who have been living under a rock and haven’t heard about the latest fraud scandal smear to hit my great country, Nigeria, I will give a recap. Obinwanne allegedly scammed a steel company in America of $12m by hacking into the Chief Financial Officer’s email account and sending emails with fake invoices to the purchasing department. The CFO’s email account was hacked using a phishing email that impersonated Microsoft. He clicked on the link and landed on a page that looked authentic, entered his login details and, voila, they were captured by the hacker.
In this article, I will share some key tips on what individuals and organizations must do differently to immediately mitigate the risk of digital fraud.
But first, how does wire fraud happen?
Much like the case described above, the fraudster, or someone else, hacks into the victim’s email account. I said “someone else” because cybercrime is organized crime, with a fully functional supply chain and market on the part of the internet most of us don’t get to visit. This means your login credentials could be stolen and sold to a different person, and the buyer can then access your email account to commit cybercrime.
So back to my story on how wire fraud happens: when the cybercriminal successfully logs into your email account, they begin to search through your emails using keywords of interest and study the victim’s conversations for days, maybe months. When the time is right, they strike! Some of the most popular ways they steal money are altering and sending fake invoices while pretending to be existing vendors, sending a rogue invoice, sending a payment instruction to the victim’s or the organization’s bank, requesting payroll information changes, stealing card details and making online purchases, intercepting and hijacking conversations about business deals, etc. This is why fraudsters doing wire fraud usually target people in the finance department and C-level executives in general.
The relationship between social engineering and wire fraud
For anyone who still thinks, “these kind things dey only happen for yankee and jand”, nah sorry be your middle name o. To put this in the Nigerian context, according to a 2018 report by Deloitte, social engineering attacks carried out through email, phone calls and text messages are the number one cyber threat faced in Nigeria. Simply put, social engineering is the art of convincing, psychologically manipulating or tricking people into revealing confidential information. Confidential information could range from usernames and passwords to bank login credentials, credit or debit card details, etc. The Okeke-CFO story, for example, is a classic case of social engineering. The CFO was tricked into thinking he was visiting a Microsoft login page, so he entered his login information, which was swiftly captured and used by the fraudster to log in from a remote location.
I’m sure your next question is what can I do to protect myself and/or organization?
1. Train train train!
Can I shock you? There is no single security mechanism that can protect against the social engineering techniques used by attackers; only educating employees on how to recognize and respond to social engineering attacks can minimize the attackers’ chances of success. Only constant vigilance can circumvent some of the social engineering techniques used by attackers. It’s very important for every organization to organize cyber security awareness training for employees at least once every three months. Humans are usually described as the weakest link in any information system. However, with frequent and effective training, your employees can become a strong line of defence against phishing attacks like the one I believe the CFO fell for.
2. Turn on Two Factor.
Have you ever seen physical store owners in Nigeria have only one door? No, they typically have at least two doors; the second one is usually a burglary-proof. I’d liken the burglary-proof to two-factor authentication, because the burglary-proof acts as an extra level of security and makes it harder for a thief to gain access, just as the second factor makes it harder for a fraudster to gain access to your account. For example, if you turn on two-factor on your Twitter account, a code will be sent to your phone each time someone tries to log in to your account. In this example, if the person trying to log in doesn’t have that code sent to your phone, then even though they have your correct Twitter username and password, they will be unable to log in.
3. Multi-channel conversation authentication
Pick up that phone and call, or walk to your colleague’s desk and say, “Hello Sir, did you request so-and-so payment...”. The good old verbal confirmation can hardly be hacked. The idea is, if you received a transaction request from your colleague on communication channel A (e.g. email), try to reach your colleague on communication channel B (e.g. WhatsApp) to verify that they actually sent you that request.
4. Verify changes
If vendor A usually accepts payment or sends invoices in a particular way and suddenly something changes, please verify verbally with the vendor. This also applies to employees because it’s in these changes that payroll fraud happens.
5. Create rock solid internal procedures and information security policies
For example, establish multi-level controls and approvals for ALL payments.
6. Shine your eye and look out for intentionally misspelt brand names
One of the tricks fraudsters use frequently is slightly modifying a known email address by adding an extra letter, removing a letter or adding a symbol. Be on the lookout for this.
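As an added example (not from the original article), here is a small Python check that a mail filter or help-desk script could run over a From header to flag sender domains that are one letter added, removed or changed, or one symbol away from a trusted vendor domain. The trusted domain names are constructed placeholders.

```python
"""Flag sender domains that closely imitate a known vendor domain."""
import re
from typing import Optional

# Constructed allow-list of vendor domains the business actually pays (hypothetical).
TRUSTED_DOMAINS = {"acmesteel.com", "globalvendor.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header like 'Jane <jane@x.com>'."""
    match = re.search(r"@([A-Za-z0-9.\-]+)>?\s*$", from_header.strip())
    return match.group(1).lower() if match else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is exactly
    trusted or not similar enough to be a typo-squat."""
    if domain in trusted:
        return None
    letters_only = re.sub(r"[^a-z0-9]", "", domain)
    for known in trusted:
        # one letter added, removed or changed (e.g. acmesteeel.com, acmestel.com)
        if edit_distance(domain, known) <= 1:
            return known
        # same letters once symbols are stripped (e.g. acme-steel.com)
        if letters_only == re.sub(r"[^a-z0-9]", "", known):
            return known
    return None


def triage(from_header: str) -> str:
    """Classify a sender as 'trusted', 'lookalike:<imitated domain>' or 'unknown'."""
    dom = sender_domain(from_header)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    imitated = lookalike_of(dom)
    return f"lookalike:{imitated}" if imitated else "unknown"
```

A "lookalike" result is the cue for the verbal confirmation in tip 3, not proof of fraud on its own.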
7. Leverage technology to enforce controls and filters
For example, there are enterprise solutions that can ensure users only access their email accounts from company-owned, pre-registered devices. Although this isn’t completely foolproof, it adds complexity and makes it tougher for the fraudster to gain access from an unauthorised remote computing device.
This article is by no means an exhaustive list of tips to mitigate wire fraud risk; you can add more tips in the comment section. Like anything else, leveraging technology in business has its risks. Wire fraud is a risk of digitalization, but it can be mitigated. Don’t go analogue because you read this article.
If you’ve also read this article and thought to yourself, “I’m not a C-level executive so this doesn’t apply to me”, please think again. Remember that even if you’re not the target, if your email account is hacked, it could be a means to reach potential targets in your email contact list. Please practice these online safety tips I’ve shared here.
Chairman/CEO SouthshoreTIL, Country Director@ GVS Tech, MP@ Paycluster, GML Projects (&JV) Ltd.
5y Thanks sis, very educational. A major insight.
Medical practitioner at Nigerian Ports Authority
5y Wow! Nice one my lecturer (that I never had)! No shaking in your capability! Greater grace!!
Service Desk Manager | IT Support Leader | GRC Enthusiast
5y This is a well thought out write-up. Thank you Confidence. Like you mentioned, we need to keep training users so that they don't fall victim. One thing users should also do if they get a prompt to click on any link is hover on that link to see the embedded URL. While this may reveal a fake URL, some users may still fall victim. Train your users to identify genuine URLs, ask them to forward suspicious emails to IT or, better still, enable Microsoft Advanced Threat Protection if you're using Office 365 and Outlook. These measures would no doubt go a long way to protecting your organization.
Scrum Master & Agile Coach | Process Improvement Specialist | Product Leader delivering excellent software via coaching teams to become self-organised & more efficient through empiricism & continuous improvement |
5y Nice one Confidence
Founder at DTIL | We manufacture natural skincare and wellness products using 100% organic ingredients - Natural body cream - Natural therapeutic oil that relieves joint & waist pains
5y Beautiful article. Thanks Confidence Staveley