Sunday, February 22, 2009


Nigerian scams work, redux

A few months ago, I wrote about a woman who fell for a “Nigerian scam” and lost close to half a million dollars. I wondered how she could believe it and get bilked. But, well, it isn’t just people like Ms Spears who get suckered.

Maybe you’ve seen it in the news: a Nigerian man and his accomplices have been scamming Citibank, to the tune of $27 million before they were caught:

Swindles in which someone overseas seeks access to a person’s bank account are so well known that most potential victims can spot them in seconds.

But one man found success by tweaking the formula, prosecutors say: Rather than trying to dupe an account holder into giving up information, he duped the bank. And instead of swindling a person, he tried to rob a country — of $27 million.

To carry out the elaborate scheme, prosecutors in New York said on Friday, the man, identified as Paul Gabriel Amos, 37, a Nigerian citizen who lived in Singapore, worked with others to create official-looking documents that instructed Citibank to wire the money in two dozen transactions to accounts that Mr. Amos and the others controlled around the world.

The money came from a Citibank account in New York held by the National Bank of Ethiopia, that country’s central bank. Prosecutors said the conspirators, contacted by Citibank to verify the transactions, posed as Ethiopian bank officials and approved the transfers.

On the one hand, this shows how one can trick anybody, with sufficiently careful planning. It almost sounds like a Mission: Impossible plot, on reading the details. These guys were good.

On the other hand, though, Citibank, which should have known better, fell into the trap of accepting in-band assurances. If I give you documents and ask you to wire money — large sums of money — to my colleagues and me, you’d better not use information I gave you to verify that the transaction is legitimate. And, apart from eyeballing signatures, that seems to be what they did:

Prosecutors said the scheme began in September, when Citibank received a package with documents purportedly signed by officials of the Ethiopian bank instructing Citibank to accept instructions by fax. There was also a list of officials who could be called to confirm such requests. The signatures of the officials appeared to match those in Citibank’s records and were accepted by Citibank, the complaint says.

In October, Citibank received two dozen faxed requests for money to be wired, and it transferred $27 million to accounts controlled by the conspirators in Japan, South Korea, Australia, China, Cyprus and the United States, the complaint says.

Citibank called the officials whose names and numbers it had been given to verify the transactions, prosecutors said. The numbers turned out to be for cellphones in Nigeria, South Africa and Britain used by the conspirators.

There’s the problem: Citibank called the numbers that the crooks gave them. Surely, they had contact information for the Ethiopian accounts, information that had been established separately, out of band, when the accounts were opened. They should have verified the request through those trusted channels, rather than relying on new, unconfirmed information. Why they handled it this way is mystifying.
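To make the in-band versus out-of-band distinction concrete, here is a small Python model of the callback check, added here and not taken from the post or from any bank’s systems; every account id, name and phone number in it is constructed for illustration. It shows the verification path the post describes failing beside the hardened one, and treats the September contact-list update as a request that needs the same check.

```python
# Added example modelling the verification failure described above; not code from the
# post or from any bank. All account ids, names and phone numbers are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class WireRequest:
    account_id: str
    instruction: str
    # contact list shipped inside the request package itself (in-band, requester-controlled)
    supplied_contacts: dict = field(default_factory=dict)


# Contacts recorded when the account was opened, via a channel the requester does not control.
ON_FILE_CONTACTS = {"NBE-NY-001": {"treasury desk": "+251-11-000-0000"}}
# Constructed model of who answers which number.
PHONE_DIRECTORY = {"+251-11-000-0000": "bank", "+234-80-000-0000": "conspirator"}
# Instructions the real account holder actually gave (none, in this story).
LEGITIMATE_INSTRUCTIONS = set()


def callback(number, req):
    """Confirmation call: whoever picks up decides the answer."""
    who = PHONE_DIRECTORY.get(number)
    if who == "conspirator":
        return True  # the crooks happily approve their own request
    if who == "bank":
        return req.instruction in LEGITIMATE_INSTRUCTIONS
    return False  # unknown or unreachable number: no approval


def in_band_verify(req):
    """What the post describes: call the numbers the request itself supplied."""
    return any(callback(n, req) for n in req.supplied_contacts.values())


def out_of_band_verify(req):
    """Hardened: ignore supplied contacts, use only what is on file, refuse if none."""
    contacts = ON_FILE_CONTACTS.get(req.account_id, {})
    return bool(contacts) and any(callback(n, req) for n in contacts.values())


def register_contacts(account_id, new_contacts):
    """A change to the contact list is itself a request and gets the same treatment."""
    if not out_of_band_verify(WireRequest(account_id, "update contacts", new_contacts)):
        return False
    ON_FILE_CONTACTS[account_id] = new_contacts
    return True


# Constructed scenario: the crooks' contact list arrives with the wire instructions.
CROOKS = {"official (constructed)": "+234-80-000-0000"}
WIRE = WireRequest("NBE-NY-001", "wire funds to constructed account", CROOKS)
```

With the constructed scenario, `in_band_verify(WIRE)` approves the transfer while `out_of_band_verify(WIRE)` and `register_contacts("NBE-NY-001", CROOKS)` both refuse, which is the check the post argues should have been applied.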

Of course, back on the Mission: Impossible TV show, they would have tapped into Citibank’s telephone system and redirected the confirmation calls anyway.
