Easy Prey Podcast

New and Improved Nigerian Scams with Ronnie Tokazowski

“Business email cybercrime was the number one cybercrime for seven years ago. It’s a big problem.” - Ronnie Tokazowski

In this episode, we look at two sides of the Nigerian scam: the emotional, psychological, and financial damage done by scammers, and the scammers themselves, whom we often look at as bad people doing bad things. But in some cultures, this is seen as an acceptable career option.

Today’s guest is Ronnie Tokazowski. Ronnie has been fighting Nigerian fraud for the last seven years and has collaborated with both law enforcement and the private sector. He runs a mailing list which collaborates with victims in identifying critical pieces of information around how the fraud works as well as working with romance victims themselves.

“With a lot of victims, one of the things they go through is that they don’t want to be the one responsible for not providing that thing for the person they’ve built a relationship with.” - Ronnie Tokazowski

“Until we start understanding the victims that are entrenched in this, we can’t get ahead of it.” - Ronnie Tokazowski

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Ronnie, thank you so much for coming on the Easy Prey Podcast today.

Thanks for having me.

Can you give myself and the audience a little bit of background about who you are and what you do?

Yep, I can go ahead and do that. My name is Ronnie Tokazowski. I'm a principal threat advisor with a company called Cofense. One of the things that I do is a lot of work around tracking business email compromise. For those who don't know what that is, it’s a type of Nigerian fraud where scammers will pretend to be the CEO of a company and say, “Hey, are you in the office? I need you to do this urgent wire transfer.”

From there, what happens is a lot of times romance scam victims get involved. We have cases of check fraud, invoice scams, and two dozen other types of crime that most people don't realize are directly related back to that. I do a lot of advocating around explaining how that stuff works.

Awesome. How did you get into the field? Was it just a natural course of things in your life? Was there a family member who was a victim that you got interested in because of it? Or was it just someone at work, “Hey, you're in charge of this now”?

It was very much the latter where it's like, “Hey, you're in charge of this now,” and I inherited the problem. So about seven years ago, while I was here at Cofense—I have left it but I'm back here now—our CFO had received a phishing email from our CEO, pretending to be Rohyt. What the CFO did was he came into the office. He’s like, “Hey, Ronnie. We need to figure out what this is.” 

He was like, “I know this isn't Rohyt. This is a Gmail account.” He was like, “Why would Rohyt be sending me this?” So we responded back to the scammers and we started engaging back and forth with them. We were able to get bank accounts out of them. We were able to identify where they were coming from.

Around late 2015, there were a lot of people who were seeing this business email compromise phenomenon targeting a lot of people in the security industry. So we made the mailing list that actually started tracking a lot of those things. That list is still alive today. We’re behind the scenes. We're working with law enforcement. We're working with the private sector. We're working with a lot of social media, financial institutions, just to get ahead of a lot of this. That's my story. I'm sticking to it.

Yeah, I have a little bit of a personal story of that as well. A small company that I was working for, the accountant got an email that looked to be from the CEO, same signature line. She didn't pay attention to the email address, but it looked exactly like an email from him addressed to her. It was, “Hey, I'm in a meeting right now, so I can't be reached. We’re working on this new project. I need you to send this amount of money to this address, this bank account.”

Luckily, she was like, “That just seems a little bit off.” I think the question was like, she didn't know which bank account she wanted it to be sent from, so she went into his office to ask him and lo and behold, he actually wasn't on a phone call. He's like, “What are you talking about?” So they realize really quickly what it was. But yeah, it's definitely not something that I haven't seen before, or even been very closely related to. You talked about this being related to romance scams as well. So let's talk about how these two things are actually related.

Yeah, so the best way to think of it is I'm assuming that you have a toolbox at your house, right? You might have a screwdriver. You might have a saw in there. You might have a hammer, but if you're going to go and work on your toilet, you're going to pull the stuff out of that toolbox in order to do that.

Those scammers operate very much the same way as when they're trying to go and do as they call a job of the CEO fraud or business email compromise. They will pull from things such as check fraud, where they might try and convince a company to send a fake check to somebody, or they might go and pull from their investment scam, or they might go pull from their invoice scams where they're going to go and use an invoice in order to say, “Hey, make this payment for me.”

More times than not, we actually see romance scam victims as part of this. The way romance scams are directly related to BEC is that in the case where you saw that person said, “Hey, go wire this money to that account.” More times than not, that bank account ties back to a romance scam victim. So those victims are now money mules who are entrenched in this, who are now facilitating a lot of these other crimes.

When you look at the fraud that happens with the victims, they may be cashing checks. They may be sending gift cards. They may have sent a lot of their own money to the scammers, but the scammers have realized that, “Hey, we can use these people to facilitate all these other crimes too, and make a lot of money doing it.”

I assume it helps further the romance scam. If money's getting sent to the victim's account at some point, then they feel like, “Oh, if this person actually is repaying money to me, or doing what they said they do, they were going to do it for them.”

Very, very much so. And so many people will go and give romance scam victims flak for like, “Why would you do that? You would never see that.” But the people on the outside, they're coming from a perspective of not realizing that there was a relationship that's been built. There has been trust built over months, or in some cases, years. I have seen victims in it for over a decade in many of these cases.

That's one of the things that people don't realize is that it's not somebody who's just doing something willy-nilly. They have a whole background of truth that ties back to the story. We've also seen cases where some victims will go and receive flowers. They might receive chocolates. They might actually receive those physical things.

In the case of money, when someone says, “Hey, you're going to be receiving this wire of $55,00 that is part of my inheritance, that we can go live forever, happily, for the rest of our lives. Just take 10% of it out so that you can keep it for yourself.” Those are the conversations that actually happen behind the scenes.

When you have that level of intimacy that plays into these stories, you now have a case where when you go and approach the romance scam victim, they can't consciously unpack that, because to them, this reality here that they've lived, where they're working back and forth with the victim, or working back and forth with the person they're in a relationship with, they're like, “Hey, I know this person. I've known this person for five years.”

But this law enforcement person comes over here, like this is a small thing where they're saying I'm committing fraud, but to them, they've been operating 100% on the up and up. It becomes very, very difficult for both, consciously, physically, and emotionally, for a lot of victims to be able to just process some of this stuff and process the reality of what goes on in many of these cases.

Yeah. I think the story that we often tell ourselves is these romance scams that happened overnight, that they got the email in the morning, and by the evening, they're wiring millions of dollars to people they've never met before. That's really not the perception that these people have of what's going on?

No, it's not. Because the reality of the situation is that when it comes to a lot of this stuff with the romance scam victims, that they've actually had relationships built, they're trying to find somebody to go be in relationship with. They may have lost a loved one. They may be widows. They may be a divorcee where they're just trying to go and find somebody to love in their life. That's something that as humans, we all want it. We all just want somebody to love us.

When someone comes in saying the right words in the right order, that sparks your emotions. That's what the victims fall for. I had a conversation about two weeks ago with one of the victims. Her sentiment was that for the person that she was speaking with, that she believes she was speaking with, they said the right words to actually flatter her. Because she was feeling a lot fired or that a lot more uplifted, that's what made her go for it.

It was something where it's now human emotions that are at play here, that we don't fully understand how these things work. Some people will be so disconnected from that, that you can literally touch some of these people's arms and they can tell you this like, “OK, you're touching my arm, but I can't tell you where that arm is being touched.” There's a lot of physiology that's at play here too.

It really seems like it's got way more advanced than the old days of catching when to use terminology, that when people would get someone in the accounting department, would get a fax from the Nigerian prince. It's really evolved a lot from what it was 20 years ago to now. Do the scammers have a playbook in the sense that they're looking for? They had a spouse that died or a child that died. “Here's how I leveraged that life event to further this relationship.”

100%. The way they call it is—they may not call it a playbook—but their word in the Nigerian case is called a script or a format where it's a long body of text that they can copy and paste back and forth to the victims. They know that they can get a lot of the older folks in there and that's why we see from IC3 statistics that a lot of the older folks are the ones who are most heavily targeted with these types of scams.

In addition to that, many of the templates that we've seen where we've been able to either buy them from the scammers or we've been able to try and collect them. They very much hit on those nerves of I'm single, I'm divorced, I'm widowed, that now plays onto those emotions.

There's another element of romance scams that is coming out of Asia called pig butchering or crypto investment scams. Some of the documents that we have from there very much lines up with that of, hey, we're going to go ahead and actually debug and you want to play on the emotions. You want to build the emotion up, and they actually call that out directly in these tutorials.

The worst part is that when it comes to the crypto side of pig butchering scams, that's the number one cybercrime right now. As of 2022, business email compromise was the number one cybercrime seven years in a row, per FBI statistics. For some of the losses, we know that we have money that has been sent to 140 countries out of 195 in the world. We have victims in 177 countries out of 195 in the world. We have victims in literally 90% of countries around the world, as it relates to BEC romance scams. It's a pretty big problem that we're trying to unpack.

That's just what's being reported. We know that not everybody who falls for these things feels comfortable reporting it.

They don't. That's one of the things that I've noticed. The more I go and present about this stuff, the more people will come and be like, “Hey, thank you for talking about this.” They'll say, “Hey, I was a romance scam victim too.” We have another person who was a victim. She's been an advocate too. She said she has been absolutely inundated with people coming forward saying, “Hey, I was a victim too.” 

The one thing that a lot of people need to understand is that while there is a lot of shame, while there is a lot of stigma around this, there are no problems coming up and speaking about it. This is what we're trying to do. We're trying to push back against that societal stigma, and be like, “No, it's OK to come up. It is OK to talk about this because it hurts, it's painful.” There's a lot of other things that are going on psychologically, emotionally here that we're just now starting to tap into. But at the end of the day, we all need to come together to understand this whole bigger picture of it.

That leads to the question of, have you been a victim of either BEC cybersecurity scam, romance scam, in some form or another or close to it?

So if anything, I would say will be closer to it. I don't know if I would have been a victim. But there's been cases where I've really questioned some of my own actions. What I mean by that is because of all the work I do in Nigeria, there are cases where I do help people on the ground. I have actually sent money to people who are trying to learn information security, who may need help, or may be struggling. 

There was one specific case where I did it for almost two years by sending somebody $100. The problem with that is that when you have somebody who is now saying, “Hey, I need this money. I'm starving. I need help.” Your emotions go all cattywampus on that, and it really takes a toll on you. There were times where I would be second guessing myself like, “OK, is this something where I'm really doing the right thing? Sending this person that money?”

With a lot of the victims, many of the things that they go through is that they don't want to be the one responsible for not providing that thing for that person. The people I had to recently cut off and everything, it was very much the same case where it's like, “OK, I want to do everything I can to provide for you,” but I truly felt guilty cutting them off just because of other extenuating circumstances.

Yeah, it's very much those emotions that are at play until we start understanding that there's a lot more than at play here for the victims. We're not going to get ahead of this. The thing is that for a lot of victims who are now entrenched in this, some may say, “Your lover is now in the hospital, and they're getting ready to die, or we have this other great business opportunity here.”

Now, that person doesn't want to miss that opportunity. They don't want to go and be responsible for having their spouse or significant other dying. Unfortunately, just with the way our minds and bodies work, we're feeling all of those emotions, just as in order to process that. With the way everything is connected here, for a lot of the victims, their body very much follows suit on that. Like I said, it's elements of psychology that we're now just starting to understand. But there's so much more here to unpack that we're barely beginning to make heads or tails of it.

Yeah. I'm curious to see what's going to come out over the next couple of years in terms of research on scammers and scam victims and what can be done to help those who are scamming, not scam people, but also help those that are victims or would be victims to see the emotional, the neurological warning signs versus the typical red flags that we would tell people.

Yeah. That's the thing. For what I've seen with a lot of the victims, they very much tend to relate back and forth to people. We've seen nurses targeted who are very empathic, where they can tell if somebody's not feeling good. That seems to be like a prime demographic that we see where people are able to be much more tuned to somebody else's emotions as opposed to theirs.

On the ground in Nigeria, we very much see cases where there's tons of people who's doing it. I agree with you. I can't wait to see what actually happens. There are a lot of newer information security professionals out in Nigeria who're trying to go against the stigma, trying to say no, we can go ahead and come race from within and actually make it a lot better. What they're doing is they're getting to a point where they can go ahead and they're now starting to be successful.

The problem is, you have millions of people who're doing this. You have different cult activities who literally dabble in black magic, voodoo, and human sacrifices in order to go and be better scammers. It's a lot of dark stuff with how this really works. But it's a matter of humanity just coming together and again, making heads or tails, we're doing the best we can to understand and make the difference on that.

Yeah. So earlier, you talked about BEC being the number one scam for a number of years. It's now switching over to the crypto investment scams, the pig butchering. However, I think I've seen a number of attempts of that on me. Let me tell you what my wife and I have seen recently, and maybe you'll think that this is the beginning of pig butchering scams.

So both of us have been getting a lot of LinkedIn requests. For my wife, it's always young, attractive, Asian men. For me, it's young, attractive Asian women. The introductions are always very vague, in the sense of, “Hey, you seem like you have a lot of experience in your field, and you're great. You look like you're a great manager and communicator. I'd really like to get some input from you on growing my business or just to connect with you and become friends or something like that.” 

Then to me that is usually just like, well, that's just not the normal introduction I see from people, so I'm always leery about that. I finally got one far enough to tease it along. It was, “Hey, let's take this over to Telegram or WhatsApp.” I'm like, “OK, you're definitely not a real person.” Is that one of the new hunting grounds, so to speak?

Yep. That's one area that we do see them targeting security professionals and professionals in general, where they will go and try and engage that relationship with you. They'll go and bring the conversation over to WhatsApp. From there, they'll try and keep that relationship going. Then they'll usually say something like, “Hey, I have this really great crypto investment opportunity. You’re going to get 40% on your investment, week after week. Let's go ahead and see if we can go ahead and do that.”

What they'll do is they will make it actually look like you're getting your returns. They may make it to where you can actually pull some money out to make it seem like you're able to go ahead and it's a two-way transaction, and eventually gets to a point where when all the money has been invested that they believe that they can get from you, they will go. The reason it's called pig butchering is they will slaughter the pig and pull the rug out from under you, and take all that money. 

That's one of the things most people don't realize is an element that is something at play here. We've seen some of the stuff happen in terms of romance scams to where there will be a romantic relationship element to this as well. In addition to that, we've also seen cases where the pig butchery scammers will actually send you a text message and try and build a relationship with you like that.

I got one yesterday from somebody named Jennifer. They were like, “I'm from Vietnam. I live out in California. I'm just trying to go and build a relationship. I'm sorry, I sent this wrong text to you.” That's one of the big things that they'll do is be like, “Oh, it was this mistext message.” The problem that we have in the last case, and we've actually seen this, is that for the conditions, many of the scammers are held up.

It's human trafficking victims who have been trafficked from other parts of the world to go and actually do this stuff against their will. We've had cases where our researchers have engaged back and forth with scammers trying to get information and the handlers have found that and realize it and actually will send pictures of the person who's on the other end being beaten the next day.

It's very gruesome with some of the stuff with how this operates. If they don't meet their monthly quotas, they'll get beaten. If they don't go and do certain things, they'll be starved and they'll be chained to beds. It's horrible with what happens on the other end for many of these scammers.

Yeah. It's not the hacker perception of the guy in his mother's basement with the hoodie and the lights turned off and, you know, 18 computer screens. The perception of the scammer is one individual on his cell phone conducting all of this. What do these operations really look like and who are operating them?

Yeah. In terms of pig butchering, what we believe right now, and this might get changed here two years from now as we get further into this, but on the pig butchering side, what we believe is it’s a Chinese organized crime. Specifically, one of the groups that we believe ties back to a lot of Tiandihui, also known as the Heaven and Earth Society. Unfortunately, that group goes back to the 1700s.

If you look in the areas such as Thailand, Myanmar, Laos, which is where we see a lot of these things, they will operate a lot of casinos, too. So from a governmental perspective, we know that some of the individuals that are dabbling in the area have been sanctioned by the United States government. That was as of 2018.

In one case, we also know that they've done human trafficking prostitution out in the area. We know that there's a lot of methamphetamine that gets processed. They had a big drug bust a couple years ago. It was like 163 tons of precursor chemicals.

Going back to that BEC case, a lot of people who were operating these things were doing so many other things as well. The unfortunate thing is that when it comes to tracking a lot of these darker cult groups, I would call them, they go back to the 1700s. With Black Axe out in Nigeria, we know they go back to the 50s and 60s, but again, they very much have that darker secret society cult-like activity to them.

With Nigeria, that's just one very case of that. I know I mentioned the human trafficking elements for the pig butchering side. But I actually had a really cool opportunity to sit down and talk with Nigerian law enforcement and Ghana law enforcement a couple weeks ago. One of the things that they said that really blew my mind is that there's also elements of human trafficking from the Nigerian perspective too.

A lot of the boys who are going to do this type of crime, some of them will actually be trafficked from Nigeria over to Ghana. They will actually go and be put in call centers very similarly, where they're not being provided the best conditions, they will go and are being held against their will to go and try and make money. So even this concept of all of these awful boys doing it on their own, and they want to, that's not the case. There's a whole lot more of a complex issue than we realize.

Yeah, in some sense that maybe it makes it easier for law enforcement to get involved, maybe it makes it harder. You know, if it was a bunch of random individuals, then that is harder to track down. But if it's a criminal enterprise, maybe it's easier to break it up. But also the criminal enterprise is going to be more well funded, and more able to bribe law enforcement.

Yeah. That's a problem that we have right now. I'll use Myanmar as a great example. Because we know that right there in the Golden Triangle. We know that there's a lot of operations that happen there. The current government is a military government that has authority. If you go and look up a lot of politics, that it will seem like it's a democratic government. You have the military who's literally sitting right there.

To give you an idea of just how deep this stuff goes, when that big drug bust happened several years ago, the head of their current military actually had family members who were involved in some of those who were actually part of trafficking those drugs. You now have international drug syndicates who are dabbling in human trafficking, who are hitting romance scam victims to steal cryptocurrency.

This stuff sounds like I'm drinking like the conspiracy theory Kool-Aid, but like I said, if you go research, this isn't how this stuff works. But like I said, it's absolutely insane with the intricacies of how deep this stuff really goes.

It's almost like you were talking earlier about the scammer toolbox. Whether it's BEC scam or cryptocurrency investments or gift cards, that whole scammer operation now just seems to be one of the tools inside the syndicated crime organization.

Yep, 100%. And because of that, you now have that case with the crypto. Now you have a way you need to invest in crypto. What we see is we don't know if these are directly related. But the BEC actors can go and sell gift cards from their scams on different cryptocurrency exchanges, and when they do that, they'll go and exchange Bitcoin for that.

It turns out a lot of that cryptocurrency is coming out from parts of Asia like China. So is it something where those criminal syndicates are now funneling those BEC, those crypto investment scam funds up and wandering that other way? We don't know, but there's a lot of circumstantial evidence where it's a lot of people who are offering a lot of big crimes right now who are doing a lot of this work.

How are they laundering? Do you know how they're laundering the cryptocurrency? Because it's crypto. If you can't get it back to a fiat currency somewhere, sure, you might have billions on paper. But if you can't pay your henchmen, they're not going to hang around very long.

Actually, laundering crypto is a whole lot easier than you might think. So one way that we've seen laundering is that we will see them using cryptocurrency to gift card exchanges. The way that that works is if you have, let's say, $1,000 in gift cards that you want to sell, you might be able to go and get $800 of cryptocurrency for that. You're now able to convert that digital currency over to something like an Apple and iTunes gift card or something like that, that you can use for other crimes. 

We actually did some work with some of the BEC actors where we actually gave them over $500 of gift cards to track what they would do with it. We didn’t know what to expect. We did the research but we came back with a whole lot more questions. We saw them buying Amtrak tickets. We saw possible purchases from a toy store out in Myanmar. We saw them purchasing a TikTok Live account through the Google Play Store.

It wasn't just one thing. It was for five specific accounts for the card that we gave them. We saw a lot of other things too. Like I said, there were so many more questions than answers that we had on that. But that's one way that they'll do it through the gift cards.

The second way that we'll see is if you go on any of these larger exchanges, you can buy and sell other cryptocurrencies too. For example, I know that USDT is a type of currency that is essentially the same amount as having one face dollar in regards to that, so you can go and say, “I want to convert, I want to sell this Bitcoin for that USDT,” and you cash out just like that. So in the past, it's been hard to launder that. But it's getting much easier with the widespread adoption of cryptocurrencies in general.

It almost sounds like when you're talking about the gift cards, like they must be selling them to unsuspecting individuals out there that are just now using them the way I might use a Target gift card.

Yep, yep. That's the thing. When you go and use that, you have what's called—what was the word that they used? I think it was a picker. That was the word that they used. You can essentially have somebody who will go and take that card. You will have them go do that shopping, then once they go and do that shopping, you'll have that physical merchandise.

Then they'll say, “OK, send these Nike shoes in a FedEx box to this address over here,” which now becomes part of a reshipping scam, where you're now being an unwilling participant to go and launder those stolen goods for that person.

Like I said, there's a whole lot more intricacies here. Again, most people don't realize, and even as simple as being a secret shopper. We've seen elements of that where they're like, “Hey, go to the store, use this gift card, then give us some of this money back.” Those are pieces that we've seen for this too. It's a lot of ways that they're literally using humans to go and do the work of trying to get the money and stuff from them.

It makes me wonder, are these single organizations that have every one of these tools in their tool sets? Or is it that you've got individuals, small organizations where we're really good at converting crypto to gift cards, and then a different organization that's really good at secret shoppers and they're all just working together? Or is it one all-in-one solution where this one enterprise runs the whole thing?

For the most part, from what we've seen is people will be good at multiple things. For example, we saw cases where the BEC actors would collaborate with the romance scam actors. What they would say is, “Hey, do you have a client?” Clients that were used to describe the victims. “But do you have a client in New Mexico that can receive funds?” What will happen is for that BEC case, that victim will be the one to receive the funds. That's where we see that collaboration is where they will go and share their “client list” that can go and facilitate these other crimes.

With cryptocurrency, there is one scammer named Hushpuppi. That will be a great use case to walk through that. With Hushpuppi, he was a Nigerian actor who was very popular on Instagram and had a huge social following. What happened with him was he was arrested in Dubai for different types of money laundering. Some of the information that came out from that case was Ramon Abbas, a.k.a. Hushpuppi, was doing things around COVID fraud.

He was responsible for different types of romance scams, and from what I understood, there were like 1.9 million victims he had on his laptop at the time he was arrested. For some of your state-level stuff, he was actually one of the folks who laundered gift cards and cryptocurrency for North Korea. So you now have elements of Nigerian actors collaborating with foreign state adversaries to bypass United States sanctions in order to launder money.

I want to say that some of that stuff is actually tied back to the Lazarus Group here. Your audience can't see me flailing my arms, but flailing my arms here half the time. I believe this stuff that I see but like I said, all of these stories are 100% real of how this works. Hushpuppi was a great example where there were so many different things that they were involved in that it's hard to look away. Again, it's something we're with. It's a lot of things that they were involved in.

So was Hushpuppi running the organization or was he doing it all by himself?

My understanding is Hushpuppi was one specific individual. I don't know what his org structure looked like, but I do know he was working with a lot of other scammers. For him, he was at the top, if you will, where there are a lot of other scammers who tend to be in that topper area and then to push this up downward. I know that at the time he was arrested, he was arrested with his voodoo or Juju doctor at the time, who was doing a lot of rituals to help him be able to get money in order to do some of these things.

But you've also got other folks like Mompha and Naira Marley who will go and do a lot of these other crimes who're saying very positive things about the scammers, but they're still not arrested on some of these cases. You can look at Mompha and say he's one of the ones who has done a lot of stuff. He's been in and out of jail doing these things. 

You talked about there being this correlation with voodoo and witch doctors. Is that a different set of scammers preying on the scammer, so to speak, or is it a societal thing? It's just an odd connection to me.

Yeah. So we're going to get dark for a second. Earlier you asked what are some of the things I like talking about and it's explaining, like, the darker side of stuff, because again, people just don't realize it. So in Nigeria, one of the things that you have from a religious perspective, you have a lot of tribal religions that are at play. You have a lot of cases where what we would describe as voodoo, or a lot of natural legend, if you will.

The best analogy I can think of to describe it is if you have a superstition where you wear a lucky jersey. You might put a penny in your shoe for good luck, if it's on the edge or whatnot. It very much is that similar concept. For them, what they call it is they call it Juju, if you will. For a lot of the scams, it's something where you may go to your native doctor in Nigeria and be like, “Hey, I want to try and manifest wealth, or I want to acquire this type of belief, or I want to try and get this wealth.” 

What happens is the native doctors will go and do different types of money rituals, as they're called, to make it to where you can go ahead and “acquire” that. What we see with some of these cases is that superstition—I'm not going to say one way or the other my personal beliefs on it—but what we see is a case where some of the scammers will go to the extent of doing what's called a Yahoo boy plus ritual. For definition of terms, a Yahoo boy is a person who does some of these activities. A Yahoo boy plus would be someone who goes through one of these rituals.

With one of these rituals, what they'll do is they will literally use a human sacrifice in order to gain some of these powers. So you will literally have to kill somebody to become a better Yahoo boy. We have cases where they might have to wash over a grave with a certain type of magical soap. They might have to go and have the blood of a lamb put on top of it in some of these cases. These are some of the more mild ones that we know that happened over there. 

But it's something where, again, they truly believe they can use this in order to go and do that. This isn't a case where it's like only a handful of people do this. It's truly baked into that. I've mentioned the group Black Axe several times here. But Black Axe is one of those organizations where they very much dabble in that darker side of things, where they will go and do those rituals. Some of their hazing actually includes killing somebody as to say, “OK, you're now part of the group.”

Because of a lot of that cult activity, many of the people will go and don't want to come out and actually talk about that. The BBC made a very great documentary a couple of years ago. They actually walked through some of the things for Black Axe, what they do and how they operate. I highly recommend it if anybody is curious about this stuff, but it literally has two or three warnings before we actually get into the video. This might be disturbing for some folks.

Like I said, that's the way that some of this stuff works. So many people will be quick to discount it. But be cut from a belief perspective, I feel like you have to account for that. Because unless you're able to understand and get in the scammers’ heads, you're not going to be able to make heads or tails on this and even going back to the toolbox exam example. That's how they think about it in terms of a toolbox. Now you can go put your protection mitigations in for that. So yeah, that was a lot.

That was a lot there. But it's part of the overall process for that.

Yeah, it is.

So speaking of getting into the scammers’ heads, you've talked to some of the people that were being trafficked, and they're participating because their life is on the line. If you don't do this, you're going to get beaten, and whatnot. For those that aren't being trafficked into this and where it's voluntary, what are their motivations and justifications for doing what they're doing?

A lot of the motivation for one is just poverty. In Nigeria, the unemployment between the ages 15 to 35 is over 50%. So there are no jobs, and for many people who are put into this, you have a choice of going and being a scammer or not being able to put food on your table and barely being able to live. We were talking about earlier where I've sent some money over to people. I understand that. That's the hardest part of working here. There are a lot more things at play here than just bad people doing bad things.

The second thing that very much plays to that is a societal stigma, where there's a stigma where you can go and do this. Because of that, a lot of times, we've actually heard scammers referencing reparations as a reason to go and try and continue scamming. Because of that, they will be like, “Oh, no, I can just go.” And again, their words, not mine here. They're like, “Here we scam the Whites to take money back and everything.”

There's a lot that needs to be done. But it's something where in terms of how the scammer is perceived that it's you can't go and rob Peter to pay Paul. It's a whole lot of theft and a lot of hurt that's really happening to the victims.

In some communities, it's just socially acceptable as if I were to go down and get a job working as a cashier at Costco. Well, yeah, you could do that or you could become a BEC scammer. Either one is just perfectly acceptable in the community.

Yep. I actually got into talking with one person during the gift card process that we were doing. We were able to actually get him to open up and for him, he was 50 years old, he had lived a very hard life. The only way that he was able to make money at the time was to make and sell shirts. For the sound of it, making a shirt from scratch. There's a lot of work that goes into it from measuring to acquiring the yarn and everything.

For him, he was saying that he could sell one shirt that he made for 500 Naira, or roughly about $5. At the time, Naira was $1.20. That was the translation. So you can go and do all this work, put in this effort for a shirt based on your skill set and sell it for like a little more than $1. With a lot of that and with knowing that that's how low it is, that the concept of money is a lot different over there. 

For an average salary there, people are making about $100 per month for the entire month and that's a cost of living that it's not the best cost of living unfortunately. People don't understand that that's how foreign power that you may have in Nigeria is; that’s how much you can go and make. 

Like I said, there’s a lot of people who are pushing against that. There's a lot of great things that come out of Nigeria. There's a lot of amazing things that are being built. But like I said, a lot of work needs to have a lot of work and nothing's needed to be invested into Nigeria to help build them out of that and actually provide opportunities. Here's how you can go ahead and actually be successful and not be a scammer.

Is the government in a place where they can help intervene positively—we're not talking about the law enforcement side—but is the Nigerian government in a position to be able to help? Or is it just even the government just like, “Look, I don't have a”—throwing their hands up—but it's like, “This is just a bigger problem that we can’t deal with. We need international help to raise an entire community up to the point where scamming isn't a viable option anymore.”

There's also a sense of nationalistic pride. If you're a Nigerian, there's a huge amount of it's very proud to be able to do that. For that sense of pride, asking for help is something where there's people who feel like there's a lot of shame in asking for help. So when it comes to the government, they try to do a lot of things on their own. But they do need that outside investment in order to try and bring a lot of that up from the inside.

The problem is, some countries will go and invest over there and make it seem like they're investing. But it's also a double-edged sword where if you default on your loans, then that now becomes property of another country. We've seen cases from a lot of Chinese investors where there'll be high-investment loans that will go and make it if they get defaulted on, that's now a port that is now under Chinese ownership.

I'm not going to get into the whole Nigeria-China politics on that and everything, but from a Nigeria perspective, they see China as very much somebody who's trying to help them out on that. But again, it's something where it's very much a double-edged sword all across the board. It's an extremely complex geopolitical perspective. Because you've also got areas of a lot of tribes in Nigeria to where you have the Igbo, Yoruba, who are part of some things, too.

You also mentioned the government aspect on that as well. Specific to the government, you've got cases where scammers are embedded into the government, so it becomes hard to know who to trust and a lot of that.

Yeah, I can from a Western perspective, if society is not functioning at its base fundamental level, it's hard for anything to happen or anything to change.

Yep. I will say from a Western perspective, it's been crazy personally learning all of the complexities and the intricacies that play into Nigeria. It's something from a Western perspective, like I had to put a lot of those mindsets aside and actually just start from scratch here and be like, “OK, what do I want to learn? What do I want to know about it, and try and get into that mindset of, OK, here's all the stuff that's happened over the years. Here's historically what has gone on.” 

Here is where certain things people were taking advantage of, and now because of that, people are being taken advantage of, here's why a lot of it, here's actually what plays into it. So it's very much I agree with you in the case, where from a Western mindset, we're like, “OK, this isn't working,” then you need something to do something, but then where you just want to go and fix stuff.

That's not a Western perspective at all. We can come and fix everything.

Are you saying from a Western perspective, we were to be a player, and those are the places where they don't need to be, we would never do that. We have a history of doing that over hundreds of years. Never.

Well, it's challenging when one culture wants to come in and say, “Well, you need to change your culture to conform to the way we see things.” It's very challenging. It's not as simple as well, people just had better education than everything, but then it would suddenly change, or if people just had enough food and it suddenly changed. It’s a lot more complex of an issue than that.

Yeah. It's a level of neuroplasticity that you have to be able to accept somebody else's perspective, that while it may go against your core belief in your core perspective, it's a matter of being able to account for that perspective, too. It's not that it's putting your perspective in question, it’s just that's how somebody else has done it.

What happens is, again, we see this in a lot of romance victims. When that gets in question the way our body reacts, it reacts in a stress response and because of that, there's a lot of things that inhibit us wanting to go and see things from that perspective. It's a matter of making the choice back. No, I am OK seeing it from that perspective.

Let's change gears a little bit. Because you've done so much research and investigation into this, what should people be doing to keep themselves from becoming victims of the BEC scam, the romance scams, the crypto scams, the pig butcher?

Yeah. Let me get my book. So list item number one, two-factor authentication. So many people will be like, “You don't need two factors.” No, do 2FA. Your people are going to enter the passwords and things. Your human is, unfortunately, that weakest link. So you want to make it to where they can go ahead and have that one last protection before that password gets out.

The second thing, and again, I know that I said your user is your weakest link; they can actually be one of your strongest legs. So it's a matter of having an honest conversation and be like no, people will actually operate and do stuff like this. So you want to train them in a way where you can actually empower them to say, “Hey, here's those things to spot.”

Very much with what you said, when that user was like, “Hey, this feels fishy.” They came forward, they talked about the $250,000 that did not get sent. That's great. That user listens to their gut instinct. They listen to their intuition. That's what so many people will ignore if they don't follow their intuition on that. 

Thirdly, in terms of BEC, I would say establishing processes for how money is being wired out, how many people have to sign off, when that $250,000 wire comes in before that actually goes out, what's the process to ensure that that's actually the vendor that you're coming from and not just some lookalike domain? Like I said, those are things that most people don't account for. They're like, “Oh, we're not going to do that.” But like, those are your easy wins right there.

In terms of romance scams, those are very hard. The one biggest tip I would say for the victims is understand your own emotions. What I mean by that is, we will for so many victims—I’ve spoken with a guy, this is reflecting on seven years tracking this, I've worked with people who have been suicidal. I have seen people who have become shells of their former selves. When we go and do anything, we will create the stories in our heads that make us want to hope and we would go and calculate that.

So many of the victims will do that. Most people go with them. When someone comes in and says, “I'm in pain here,” you need to check yourself, and you need to realize that that may be a case of emotional manipulation. We were talking earlier and you mentioned that a lot of times, it's from the wording that's being used. It can seem like an abusive relationship. It's very much the same case.

A lot of the victims will actually share that they actually felt mentally abused. They felt worn down. They felt psychologically hijacked. These are all sentiments from that person with what they feel. This is how they feel. This is from their perspective here. So these are cases where this is what we see happening and, again, from personal experiences for many of them. We need to account for that. 

I would say that finally if it comes down to someone wanting you to invest in crypto, just don't. I don't want to say there's no legit crypto opportunities, but we literally saw through over $3 billion sold last year. Don't invest in crypto. If it sounds too good to be true, it probably is, said absolutely no one ever. I think Abe Lincoln when he made the internet at first, I think that seems too good to be true. It probably is.

Yeah. I think that's a challenging perspective to say, “Don't do this thing, which lots of people have actually made lots of money off of. But you shouldn't do it.” Yeah, it's kind of a challenge. Well, when is my chance to make a lot of money in crypto?

Yeah. You have that and then you have a gambler mindset that plays into it. It's like, “OK, maybe I can go make this money. Maybe I can go do this.” That's why you see things like the lottery being heavily played here. It's that playing on that fantasy of, “Oh, I might win. What would I do if I win? I'm going to buy a new house.” I go do this and stuff. But I would totally not invest. I will blow all the billions of dollars.

Yep, that's unfortunately what happens. So as we wrap up here, if people want to learn more about what you do, where can they find you online?

Yep. I would say check us out at cofense.com. We do a lot of work around email security. We help train users not to click phishing emails. We try to help provide resources for them to go and do other stuff. In addition to that, I also have a YouTube channel where I ramble on some of the stuff. Ronnie Rants on YouTube, or hit me up on Twitter under the handle @iheartmalware, or look me up on LinkedIn as Ronnie Tokazowski. So nice short American last names.

We'll make sure to link all those in the show notes because I think people are going to have a hard time spelling Tokazowski, although it's actually spelled exactly like it sounds. But we can definitely throw those in the show notes. Ronnie, thank you so much for coming on the Easy Prey Podcast today.

Yep, thanks for having me.

 
