In online advance-fee fraud, cybercriminals don’t hack computers because they don’t need to. Instead, they manipulate humans. Time and again, organisations and individuals are caught out by cybercriminals perpetrating online advance-fee fraud.

Organisations are increasingly discovering their employees have fallen victim – unaware they are willingly giving cybercriminals the organisation’s money. In some situations, victims drain business accounts or give their life savings to cybercriminals at their request. How is this even possible?

The psychological methods cybercriminals use in online advance-fee fraud can be deployed against you without you being aware of it. This chapter will prepare you to recognise the methods cybercriminals use and how to defend your organisation and yourself against them. As you will discover, anyone can be susceptible to becoming a victim in the right circumstances.

ANATOMY OF ADVANCE-FEE FRAUD

Think of advance-fee fraud this way. You send money to someone expecting to get something back, except you get little or nothing of value in return. It is as simple as that. A cybercriminal only has to convince you to send them money. Most online transactions are trustworthy. You order a book from Amazon, and it arrives a day or two later. It’s the norm. You trust the process. No one sends money to someone they think is a cybercriminal.

The advance-fee fraud methodology is as follows. Get the victim excited about something (for example making lots of money), get the victim to make a small payment to get something in return, then use a range of other persuasive tactics to get the victim to give even more money. Cybercriminals will usually not stop until the victim runs out of money or realises they have been conned and refuses to give anymore (see Figure 3.1).

What makes advance-fee stand out from some other frauds is its ability to escalate losses. Once the victim provides an initial amount to the cybercriminal, additional amounts can escalate to far greater numbers – far beyond what victims ever thought they would initially give. Victimisation can be for a short period, lasting several email exchanges, but it can also last months to even years. Why this happens will be explored later in the chapter.

The advance-fee fraud playbook isn’t new. It has been in use for hundreds of years.

LESSONS FROM HISTORY

The story of advance-fee fraud cannot be told adequately without first looking at its history.

One of the more infamous advance-fee fraud cases took place in France in the early 1800s. It was called the Letters of Jerusalem.

The prison of Bicêtre in the Rue de Jerusalem quarter in Paris in the early 1800s was notorious for its roughness. When an inmate arrived in Bicêtre, the operating assumption was that a segment of the population would strip him of his clothes and rob him of any remaining possessions he had on him. That was just day one.

The prisoners, however, didn’t just spend their days victimising each other and new arrivals. They were running a coordinated money-making machine. They invented the Letters of Jerusalem fraud, and what’s more, the guards were in on it. Everyone was corrupt.

A Frenchman would receive a letter. It was a plea for help. His reputation for being an honourable person was renowned across France. The sender was imprisoned at Bicêtre and before his arrest, he’d had to hide his treasure. Now, he needed to recover it and use the funds to secure his release. For helping him, the Frenchman would get a percentage of the treasure.

Here is an excerpt of part of the letter:

You will doubtlessly be astonished at receiving a letter from a person unknown to you, who is about to ask a favour from you; but from the sad condition in which I am placed, I am lost if some honourable person will not lend me succor… I carried the luggage, consisting of a casket containing sixteen hundred francs in gold, and the diamonds of the late marchioness… desired me to throw the casket into a deep ditch near us, so that it might not implicate us in case we were apprehended… until on reaching Bicêtre I was obliged to go to the infirmary, where I have been for two months… obtain the casket in question and get a portion of the money which it contains.

(Vidocq, 1828)

New prisoners were arriving all the time. These new arrivals brought with them information about where they were from. They knew individuals’ names, addresses and wealth from their region. This meant prisoners knew where to send their targeted letters. It was precision marketing that would make any marketer envious. An estimated 20 per cent of letters received a response.

Once a victim responded, the prisoners sent a follow-up letter. The prisoners gave lavish praises such as ‘it was an honour the esteemed individual responded’ and ‘he was kind enough to sympathise with his sorrows’. The treasure map was ready to be sent. First, there was a small matter to sort out. For safekeeping, the treasure was said to be under the supervision of a nurse. The nurse had to be paid a small amount before she would send the map. The victim needed to send the money first.

Once the victim sent the funds, the fraud kicked into gear. Invariably, the victim would receive additional letters with different excuses for a delay. The victims needed to provide additional funds. In many cases, the victim would receive a map, sending them to a forest somewhere. Once there, they would search endlessly for the imaginary treasure. They would meet the same fate as those chasing rainbows trying to find a lucky leprechaun with a pile of gold.

Who were the victims? They were successful, honourable and confident men. Wealthy men. They did not need the money. Yet, they became victims. Many would lose their wealth. The formula for advance-fee fraud then is the same as today, but instead of the postal service being utilised, it’s email, social media and websites, the same song and dance.

Advance-fee fraud continued into the early 1900s. In the United States, mailboxes would be flooded with letters from a supposed banker sitting in a Spanish jail. He urgently needed the victims to receive a large sum of money sitting in an American court. He only needed the victim to help pay for part of the expense of recovering his money. There were many variations for this fraud. This became widely known as a Spanish Prisoner fraud (Welter, 2015).

In the 1980s, advance-fee fraud would again gain notoriety with the Nigerian Prince scheme. Letters were sent en masse all over Europe and the United States. There was a Nigerian Prince in urgent need of help getting millions of dollars smuggled out of Nigeria. If the victim could help, they would receive a large portion of the money. They only had to pay a small token fee.

With the arrival of the internet, there was no longer a need to send letters by post, which is expensive. Email is free to send. Here is a sample of the various advance-fee frauds in 2021 in the United Kingdom:

• National Lottery (you have won but need to pay fees before getting the lottery).
• Loan Fee (your company is guaranteed a loan but you need to pay an up-front fee to get the loan).
• HMRC (you are due a large surprise refund from the HMRC but must first pay a small up-front fee to get it).

There are hundreds of different online advance-fee variations.

ADVANCE-FEE ATTACK METHODS

Advance-fee attacks are designed as ‘lures’ to reel in victims to launch further psychological attacks. Cybercriminals want to get their victims to make contact. They do not ask for money in the initial contact with their victims. They want to build trust and rapport with the victim before making any payment request.

Cybercriminals tailor their attacks to whatever will elicit an emotional response. They will use any number of methods to get someone interested, ranging from the promise of getting your company an urgent business loan to acting as a charity case in need of urgent assistance. They especially like it when there is uncertainty and people are fearful about their future. The financial crisis of 2008 and the pandemic of 2020 were two global events that caused mass fear. People were in a heightened emotional state. Cybercriminals could not have asked for a better playground to play in. In 2020, the FBI reported that cybercrime complaints rose to 791,790, an increase of 300,000 from 2019 (FBI, 2021).

What emotional state the victim is in matters. Cybercriminals know their chance of success increases if victims are emotional. It is a crucial part of their attack methods.

Using emotional decision making and persuasion

How do you think emotions impact your decision making? Is it easier to convince someone if they are in a good mood? The answer is usually yes. Emotions can affect your judgement, clouding your decision making. Emotions are like catnip for cybercriminals. They just can’t get enough.

Doug Shadel is a former fraud investigator and associate District Attorney for Washington State. In his book, Outsmarting the Scam Artist, he explains that a critical strategy for fraudsters is to get victims in an emotional state. He calls it ‘Under the Ether’ (Shadel, 2012). He identified two tools fraudsters use.

Tool #1: Get the victim ‘Under the Ether’.

Two conditions must be met to get the victim ‘Under the Ether’. First, something about the victim’s life situation must make the victim want to engage with the fraudster, perhaps fear of going bankrupt, or a need to have more funds for retirement, boredom or loneliness. The trigger will vary from person to person.

The second condition is that the fraudster must find out what this triggering life situation is and focus the victim’s attention on it. Fraudsters ask probing questions to do this, such as ‘what do you plan to do with your money?’ For example, suppose the victim says they will use their money to quit their job and buy a yacht to sail around the world for a year. In that case, the fraudster will direct the victim’s attention towards the trip. They will talk about how good it is going to feel being out on the open sea and not worrying about going back to a job they hated. They will talk about the kind of yacht the victim will buy with their money. They will talk about all the exciting locations the victim will visit while sailing. The victim is kept excited, in an emotional state.

Tool #2: Use persuasion techniques while the victim is ‘Under the Ether’.

When in an emotional state, the ability to reason diminishes. In other words, people can make bad decisions. An anonymous fraudster interviewed in Shadel’s book explains:

Emotion is unpredictable – it peaks and valleys. And once you know where to take the person for the peak, and you can keep them at that altitude, then you can control them. If you drop them back into the valley of logic, you will lose them.

(Shadel, 2012)

The persuasion methods discussed in the previous chapter are in use here.

A magician keeps the audience focused in one direction while the mechanics of the magic trick happen elsewhere. It’s the same here. The victim is kept in an emotional state and focused in one direction, while persuasion is used to commit the fraud. The victim doesn’t realise what is happening until it’s too late.

In the following sections, different advance-fee attack methods are discussed through which cybercriminals draw on emotional decision making and use persuasive techniques.

Email attacks

Cybercriminals tend to use the spray and pray strategy. They send out millions of phishing emails, hoping to get a response. If only a tiny fraction of people respond to their offers, it’s viewed as a success.

While email may be the initial attack point, the victim is then targeted with more sophisticated methods once they respond to an email.

The Nigerian Prince email: The longest-running online advance-fee fraud

The Nigerian Prince email fraud, also commonly known as 419 fraud (419 is the Nigeria criminal code concerning fraud) (Nairaland Forum, no date), is an advance-fee fraud that is arguably the longest-running and most famous cyber fraud. It’s been talked about on popular TV shows like The Office (Pak, 2020) and even featured in the opening monologue in 2008 on Saturday Night Live by actress Anne Hathaway (Silverman, 2008).

This started with letters being sent to victims in the 1980s. Then the arrival of the internet in the 1990s presented the perfect medium for the scheme. Criminals could send thousands of emails at a time with a single keystroke.

When the Nigerian Prince email began arriving in people’s inboxes, no one knew what to make of the email. Initially, it was a plea for help from someone in Nigeria. It usually said that there was a Nigerian Prince in dire straits who needed urgent assistance. The prince knew of the receiver’s reputation for integrity and honesty and would handsomely reward them for their effort (the amount is always in the $ millions) in aiding him. Would they please help?

There were many different variations. Here is one showing how they typically worked:

Dear Sir,

Confidential Business Proposal

Having consulted with my colleagues and based on the information gathered from the Nigerian Chambers Of Commerce And Industry, I have the privilege to request your assistance to transfer the sum of $47,500,000.00 (forty seven million, five hundred thousand United States dollars) into your accounts.

The above sum resulted from an over-invoiced contract, executed, commissioned and paid for about five years (5) ago by a foreign contractor.

This action was, however intentional and since then the fund has been in a suspense account at The Central Bank Of Nigeria Apex Bank.

We are now ready to transfer the fund overseas and that is where you come in. It is important to inform you that as civil servants, we are forbidden to operate a foreign account; that is why we require your assistance.

The total sum will be shared as follows: 70% for us, 25% for you and 5% for local and international expenses incidental to the transfer.

The transfer is risk free on both sides. I am an accountant with the Nigerian National Petroleum Corporation (NNPC). If you find this proposal acceptable, we shall require the following documents:

(a) your banker’s name, telephone, account and fax numbers.

(b) your private telephone and fax numbers – for confidentiality and easy communication.

(c) your letter-headed paper stamped and signed.

Alternatively we will furnish you with the text of what to type into your letter-headed paper, along with a breakdown explaining, comprehensively what we require of you.

The business will take us thirty (30) working days to accomplish.

Please reply urgently.

(Crimes of Persuasion, no date)

Think about this, what are the odds someone in an African country would be contacting you offering you the chance to make millions for doing almost nothing? Not great. Most people didn’t take the email seriously. Yet, a small amount chose to respond.

Many victims believed they were chosen and had been singled out to share in a multi-million dollar windfall. They didn’t register the email had not been personally addressed to them, a sign that it was one of a mass communication campaign sent by cybercriminals. They fell in the same trap as the Letters of Jerusalem victims. They thought, ‘What’s the harm in having a phone call or following up with an email to investigate? The rewards are too good to ignore.’ It’s been over 20 years since the Nigerian Prince emails started, and people continue to fall victim to it today.

Of course, when a victim responds, the cybercriminal insists they keep the proposal secret from everyone. They explain they are taking a risk and are fearful of consequences if the proposal becomes known.

A fraud syndicate around the 1920s run in Boulder, Colorado by gangster Lou Blonger ran an array of different cons. Many required teams of fraudsters to call people across the United States with various schemes. When someone became a victim, they would go on their ‘suckers list’ (Reading, 2012).

During this time, fraud syndicates around America would always look for victim lists. They would buy and sell different lists from each other. It was a vibrant market. Depending on the type of individual, the price changed. For example a teacher would cost one cent, a professor two cents. There was one type of victim that was always the most expensive – that was a previous victim. While most victims would cost from one to four cents, the former victim’s details would cost eight cents. The highest conversion rate for finding fraud victims is previous fraud victims. It is no different today. Victims of cyber fraud are often put on ‘suckers lists’ to be targeted by various cybercriminals with other schemes.

The Nigerian Prince cybercriminals discovered that those who fell victim to their scheme would be vulnerable to receiving a call offering hope.

The same cybercriminals call their victims again, pretending to be a ‘specialised fraud recovery firm’ who have heard about the victim’s story and want to help them. They offer to recover their stolen money and make everything right for the victim. For this, they require an up-front fee along with a small percentage of the recovered funds. The victim, already desperate, usually agrees. They never hear back from the agency and lose their money yet again.

There are many cases where victims borrow from employers, family and friends in the false assumption they will pay everything back once they get their fortune.

Next are two examples of other phishing emails used for advance-fee fraud.

Identity theft settlement email

The victim receives an email from a supposed government agency. It says cybercriminals running identity theft frauds have been arrested and convicted. Government agencies are contacting victims to submit a claim for part of the seized funds. Once requests for funds are approved, the victim will receive a large settlement. First, though, the victim must pay an up-front processing fee.

It will be the first of many costs.

For the mutual benefit of the orphans

The victim receives an email about a wealthy widow diagnosed with a terminal brain tumour. She isn’t going to live long. In her last days, she wants to help the world’s orphans. She wants to give her life meaning. She has set up a multi-million dollar investment fund. The widow has no children or family to entrust with it. Will the victim help?

In return for the victim’s kindness, she will reward them with 50 per cent of the fund. The victim will help poor orphans and get rich in the process. Of course, once the victim agrees, there are surprise fees. One after another, the costs keep appearing like magic. The victim never sees any money. The story is not true.

Message attacks

Cybercriminals use messaging tools like text, WhatsApp or Facebook Messenger to target victims. These messages often appear innocent and look legitimate.

In many cases, small business owners have received what look like legitimate requests for their business services. Next are two examples of messages sent to dog sitters with profiles on the petsit.com website:

Hello, I am John by name I will like to know if yo do dog setting and also if you accept credit card as form of payment? thank you

Hi how are you? we need a Dog walker/Dog sitter for our dog, I am currently in the process of moving to your neighbourhood (according to your profile on PSI) I will be in your area in next few days, I’m willing to pay $25/hr, the days and time are flexible, you can send me an email confirming your interest at (……[email protected]) for more details.

(PetScams, no date)

These appear to be legitimate enquiries about the dog sitter’s service, but in responding, the fraud started to kick in. Victims were offered business but would have to pay a fee to get it. The business opportunity is fake (PetScams, no date).

Fake prizes

Another example of message attacks are those proclaiming you have won a big prize, like a lottery. Sounds great, doesn’t it?

If the victim responds, they will learn they only have to pay a small fee to claim it or cover handling costs. If they do pay, they will soon discover there are more and more fees (ConsumerFraudReporting, 2021).

Vishing attacks

Vishing attacks are similar; cybercriminals call victims with exciting, enticing stories – such as they have just won a lottery or dream vacation. Many vishing attacks start with an automated voice message. The voice message will then transfer the victim to a real person (assuming they haven’t hung up the phone). Once the victim responds, the same process starts, with different reasons stated as to why the victim must pay a small amount to get their anticipated rewards.

Fake websites and online advertisement attacks

Buying online is safe, isn’t it? When you purchase something from Amazon, it usually arrives. If it doesn’t arrive, Amazon will refund you. The same is true for most things you buy online. It feels safe to buy something online.

It is a false sense of security. Online advance-fee victims are increasingly getting caught out by this. Cybercriminals create fake companies and run digital advertisements for them. One example is advertising hard to find items at low prices, which then directs victims to a fake website once clicked. The victim pays, the goods never arrive.

Fake websites appear in search engine results on major platforms like Bing and Google. They look appealing and are professionally built. Pleasing aesthetics are used. This generates a certain level of respectability that helps to gain the victim’s trust.

Lender loan fraud attack

Fake loan lending websites are built by cybercriminals. In many cases, these websites offer attractive deals, saying the victim can get a loan regardless of their credit history. In other words, they offer a 100 per cent approval rate for all applicants.

Want a £10,000 loan with no credit check? No problem. Only an up-front processing fee is required. Cybercriminals will sometimes disguise the payment as a loan guarantee insurance, pitched to people with poor credit. The victim is told they will receive their initial fee back after 12 months of on-time payments. Except, no loan ever arrives.

Bogus job offer attacks

Being unemployed is stressful, and for many, the job search can be long. Applying to job adverts can feel like a full-time job.

One day, the job searcher gets a reply from a recent application. A company wants to interview them. The interview goes well, and a job offer is en route. The candidate is understandably excited. However, there is a slight snag. It is company policy to carry out security and police checks before hiring any candidate, and it’s the candidate’s responsibility to pay for these to be undertaken. If the results come back clean, then the candidate is reimbursed. The candidate pays.

There never was any job. The advert was fake.

Cybercriminals may even go as far as to give a start date for the candidate. The individual then shows up at the company expecting to start a new career. The company has never heard of them.

HOW ARE PEOPLE IMPACTED?

Often businesses that fall victim to advance-fee fraud are the least able to survive the impact. Cybercriminals exploit businesses in short-term financial struggles. Many are struggling to get the loans they need to survive. Companies falling victim to promises of loans or investment that never arrives give money they need and waste valuable time thinking they are about to get funds that never come.

Cybercriminals will string along victims for as long as they can. Individuals can find themselves in dire financial difficulties having given so much of their money to cybercriminals. What’s surprising is that victims can often give cybercriminals far more than their initial payment.

Why do victims keep on giving?

Why can losses snowball for victims? In 1979, economists Kahneman and Tversky published a landmark behavioural economic report on loss aversion (Kahneman and Tversky, 1979). Their revelation? People feel losses more acutely than gains. Here is an example: if you lose £10 today, you will feel the pain of the loss. But if you find some money tomorrow, you will have to find more than £20 to make up for the loss of £10. People feel the emotional impact of losing £10 greater than that of gaining £10. The pain of losing is psychologically twice as powerful as the pleasure of gaining. It is a ratio of 2:1.

Loss aversion plays a role in the ‘sunk cost fallacy’. In economics and business decision-making, a sunk cost is an incurred cost and is not recoverable. Any future financial decisions should not be affected by previous investments. Sunk cost fallacy is defined by the Corporate Finance Institute as follows:

The sunk cost fallacy reasoning states that further investments or commitments are justified because the resources already invested will be lost otherwise. Therefore, the sunk cost fallacy is a mistake in reasoning in which the sunk costs of an activity are considered when deciding whether to continue with the activity. This is also often known as throwing good money after bad.

(Corporate Finance Institute, no date)

The sunk cost fallacy can influence a person’s behaviour. It can push them to do things that will leave them worse off. Once they have invested time or money in an endeavour, they tend to continue with it to justify their initial investment and avoid losing it.

Once a victim has given money to a cybercriminal, they are then emotionally invested in the scheme. Cybercriminals understand this. Even when the losses are compounded, victims can remain in denial. They believe the excuses and accept the apologies. They will avoid losses at all costs. After all, what’s the big deal about another payment when the victim will soon be fabulously wealthy? It’s also the reason why it’s so easy to victimise a victim once again. They cannot stomach losing their money and are willing to take another punt in the hope of receiving it, and more, back.

Truth-Default Theory

Consider this story. During a crisis on 24 February 1996, two Cuban jets shot two US planes out of the sky. What happened afterwards was a media blitz from Cuba. The Cubans claimed they warned the US government the day before that they would shoot the planes. It implied the US knew they would be shot down and sent them regardless, almost to certain death. The US was caught flat-footed. It was quickly becoming embarrassing.

It caused an ‘all hands on deck’ moment for the Central Intelligence Agency (CIA). Everyone was in the office that Sunday evening. The top Cuban experts for the CIA were there. The Cuban star expert was Ana Belen Montes; her nickname was the Queen of Cuba.

For over 20 years, she was instrumental to the CIA in gathering Cuban information. She had proven herself time and again as a great CIA asset. Nonetheless, she would be exposed as a Cuban double agent in the end. There were warning signs over the years that suggested something wasn’t right. But every time, people gave her the benefit of the doubt.

Arguably, one of the essential persons needed at the meeting in 1996 was the Queen of Cuba. Yet, early on during the day, she had received a phone call and became agitated afterwards. Later, during the meeting, she just left. She gave no explanation except that she was tired. Everyone thought it was strange.

Months later, the CIA got intelligence that the Cubans had a highly placed operative in the CIA. The CIA was concerned. There were concerns that the Cubans had set up the plane incident. Suspicions were rising about Ana. Yet, when questioned, she had an innocent answer for everything. They were plausible. Here is one:

‘Yeah, I did leave early that day,’ she said. ‘You know, it was on a Sunday, the cafeterias are closed. I’m a very picky eater, I have allergies, so I don’t eat stuff out of the vending machines. I got there around six o’clock in the morning, they didn’t need me, so I just decided I was going to get out of there. Go home and eat something.’

Everything she said had some basis in truth. The cafeteria was closed and it had been a long day. It was plausible. The CIA didn’t have anything more than that. They defaulted to believing she was honest and telling the truth. They gave her the benefit of the doubt. Yet, she was lying. It wasn’t until 2001 that the CIA caught her. No one picked up any of the cues she was lying repeatedly for years (Gladwell, 2020). If any organisation in the world should be able to detect a liar, it’s the CIA. It’s their job.

Timothy R. Levine is a deception researcher professor at Birmingham University. He has been researching deception for over 30 years. He is the creator of the Truth-Default Theory (TDT). It goes like this:

When we communicate with other people, we not only tend to believe them but the thought that maybe we shouldn’t does not even come to mind. It is a good thing for two reasons. First, and most importantly, the truth-default is needed for communication to function. Second, most people are mostly honest most of the time. But, the truth-default makes us vulnerable to deception.

(Levine, no date)

He has done numerous deception experiments over the years. Here is one case: a student takes a trivia test. If answered correctly, a cash prize is given to the student. In the test room, the student has a partner who is a stranger. An instructor provides the test to both. Part way through the test, the instructor leaves the room. It’s then the partner says to the student, ‘I don’t know about you, but I could really use the money. I think the answers are right there.’ He points to an envelope. The students cheated 30 per cent of the time.

Afterwards, the students are interviewed. None of them admitted they lied. Then a wide range of people watched the interviews. Levine divided the videos in half. There were 22 liars and 22 telling the truth. People correctly identified the liars 56 per cent of the time on average, slightly above the average result. Usually, in Levine’s studies, the average is 54 per cent. It doesn’t matter if the judges are college students, police, friends, romantic partners or intelligence agents. The results are consistent.

The news worsens. The students knew they were participating in a psychological experiment. They would have been on their toes. In this experiment, both the instructor and the students’ partner were in on the deception. Some of the students suspected the instructor might not be truthful, yet none suspected their partner was in on it. Almost all of the students failed to detect their partner was lying to them. Everyone defaulted to trusting their partner. People can notice when someone is telling the truth with greater accuracy than when someone is lying. They are poor lie detectors.

When talking to a stranger, the challenge is that most people trust by default. They take what the stranger says at face value. This is even more true when the person isn’t a stranger but someone they know.

Cybercriminals understand this and use it to their advantage. They know persuasion techniques like reciprocity develop a relationship with a victim, fostering a false sense of trust. The more a victim trusts the cybercriminal, the greater the chance the victim will default to the truth and believe the lies a cybercriminal tells.

How can lie detection improve? One way Levine discovered was what he termed ‘content in context’. In other words, listen to what is said, not how it is said. For example, say you are hiring someone for a new role. The interview for a particular candidate goes well. The candidate has charisma and is charming, they know all the correct answers in the interview. You decide the candidate would be a great fit for the company and decide to hire the person. Before hiring, however, you do a security screening, and the results contradict what the candidate said when interviewing and what they had put on their CV. You are now looking at the evidence and will not hire them because of that. You based your decision not on what the person said but on what can be proven (Levine, 2014).

Levine ran six experiments to prove his ‘content in context’ theory. They ranged from interviews with real criminal suspects in a bank embezzlement case to mock crimes and cheating cases. In controlled groups, the accuracy was 51 per cent compared to 76 per cent with context. That’s a whopping 25 per cent increase (Levine, 2019).

WHAT THE FUTURE HOLDS

John is a rare car dealer. He gets an email from a seller who has a vintage car John hasn’t been able to find. John has been looking everywhere online for this car. It’s as if the sender has read his mind.

He has never heard of the dealer, though. He checked their website, and it looks professional with a list of glowing customer recommendations. The car is in another country, but the price includes shipping.

There is a snag. The seller has another interested buyer. If he doesn’t buy it today, John will lose it. He calls the phone number. A five per cent deposit reserves the car. The seller cannot accept credit cards but sending the money by a payment app like Revolut or Zelle is fine. John already has a buyer for the car for a much higher price; he will make significant money. The deal is too good to pass up. John pays the deposit and receives official-looking paperwork confirming the agreement.

John gets a call two days later. In transporting the car across the border, the customs officials have slapped it with an unknown exit duty required for vintage vehicles. It’s a small amount of only two per cent of the value. The seller has never shipped a car overseas and didn’t know about it, and apologises. John believes him and pays.

In another two days, he gets another call. Another surprise fee has come up.

There never was a car to sell.

In the future, expect advance-fee attacks to become automated. Computation and communications will speed up. ‘Big’ datasets will train AI. Targets will no longer receive anonymous messages or calls. They will be personalised, like John’s message was.

Cybercriminals will trawl Facebook, Google or any other online platform to learn a victim’s interests. They will find the victim’s friends or family and learn more about them than they possibly know about themselves. They do not need to research targets one at a time; automation will do this on a large scale.

It will get harder to recognise advance-fee fraud.

DEFENDING AGAINST ONLINE ADVANCE-FEE FRAUD

Knowing the techniques cybercriminals use is half the battle in defending against cyber advance-fee fraud. Following the advice here will help you to protect yourself and your organisation from becoming a victim.

Preventative measures

There are some preventative steps you can follow to stop yourself becoming a victim. Following these steps will help you to recognise advance-fee attacks:

• Only transfer money by a method that has payment protection, like a credit card. If unsure, check with the payment company.
• Use a reputable escrow service like escrow.com. These services safeguard the buyer and seller by keeping the funds secure until the seller delivers their goods or services and the buyer approves of the goods or services. It will offer complete protection for your purchase. If the seller disagrees, then walk away.
• Does the website have trusted third party reviews? Customer reviews on a website should be treated with scepticism unless independently verified by companies like www.trustpilot.com (even then, Trustpilot has been known to contain fake reviews).
• Do thorough research on any entity you are thinking about sending money to.

Warning signs

Here are some warnings signs that should alert you to an advance-fee fraud attack. If you recognise these, be extra vigilant:

• Does the offer sound too good to be true? For example, you have been denied a loan at multiple places, yet this loan company you have never heard of before is willing to give you the loan, no problem. Ask yourself why?
• Is it legal? Are words like ‘secret’ or ‘confidential’ used?
• Sweat the details. Push for lots of information and check the answers; do they seem vague? Are they sparse in detail? Does the wording seem off to you? Cybercriminals do not like details.
• Be wary if there are surprise fees after you have already paid. Advance-fee frauds are rarely singular. Independently verify everything.
• Have you been asked to send payment by Western Union, cryptocurrency or to wire money to a location outside your country? Cybercriminals know there is no payment protection for these types of payments. Once payment has been made using these methods, it is very difficult for victims to ever recover their money.

What to do if you are a victim

If you do find yourself a victim of advance-fee fraud, here are some things to be aware of and to do:

• Be aware you may be targeted again. You will likely be on the ‘suckers list’. Cybercriminals resell these lists to other cybercriminals. You may be contacted by different individuals bringing you new opportunities or offering to get your money back.
• Consider changing your phone number, locking down your social media accounts or changing your email address.
• Be wary of any other similar messages you receive and messages from people you don’t know and aren’t expecting. Don’t engage with any of them.
• Report the crime to your local police agency. For the UK, use https://www.actionfraud.police.uk/. For the USA, https://www.ic3.gov and https://www.usa.gov/stop-scams-frauds. There you will find support and further information to help you.

SUMMARY

The reason why advance-fee fraud has been around for so long is simple. It works. Time and time again, victims fall prey to it and are willing to give criminals their money. Some do not even know they have been a victim of fraud for years afterwards.

It should be apparent by now that people are poor at detecting when someone is lying, while a cybercriminal is good at it. Recognising you are not so great at detecting liars is the first step in defending against them.

Here are some rules that help against psychological advance-fee attacks:

1. Separate what is being told from the person telling it. Look at the evidence. This way, you will give yourself a better chance of detecting a lie.
2. Understand the triggers that can get you in an emotional state. Learn to spot when a cybercriminal is trying to keep you focused on them instead of the actual deal on the table.

Attack methods are changing rapidly. Current technologies have enabled cybercriminals to launch an endless array of different types of advance-fee frauds, and this is constantly evolving.

Now that you understand the cybercriminal methods for this type of cybercrime, you will be more prepared to recognise a new type of advance-fee attack when you encounter one.

REFERENCES

Carnegie, Dale (1936) How to Win Friends and Influence People. New York: Simon & Schuster.

ConsumerFraudReporting (2021) Top 10 list of scams for 2021. Available from https://www.consumerfraudreporting.org/current_
top_10_scam_list.php

Corporate Finance Institute (no date) Sunk cost. Available from https://corporatefinanceinstitute.com/resources/
knowledge/economics/sunk-cost/

Crimes of Persuasion (no date) West African/Nigerian scams using advance fee fraud techniques by email. Available from https://www.crimes-of-persuasion.com/Crimes/business/
nigerian.html

Downes, Hannah (2021) How to spot a fake review. Which.co.uk. Available from https://www.which.co.uk/reviews/online-
shopping/article/online-shopping/how-to-
spot-a-fake-review-aiDaS3e1ivfr

FBI (2021) Internet Crime Complaint Center 2020 internet crime report, including COVID-19 scam statistics. Available from https://www.fbi.gov/news/pressrel/press-releases/
fbi-releases-the-internet-crime-complaint-
center-2020-internet-crime-report-
including-covid-19-scam-statistics

Gladwell, Malcolm (2020) Talking to Strangers. London: Penguin.

Hafenbrack, Andrew C., Kinias, Zoe and Barsade, Sigal G. (2013) ‘Debiasing the mind through meditation: Mindfulness and the sunk-cost bias’. Psychological Science, 25 (6 December). 369–376. Available from https://doi.org/10.1177/0956797613503853

Interpol (2020) Unmasked: International COVID-19 fraud exposed. Available from https://www.interpol.int/en/News-and-Events/News/2020/
Unmasked-International-COVID-19-fraud-exposed

Kahneman, Daniel and Tversky, Amos (1979) ‘Prospect theory: An analysis of decision under risk’. Econometrica, 47. 263–292.

Krebs, Brian (2020) Promising infusions of cash, fake investor John Bernard walked away with $30m. KrebsOnSecurity. Available from https://krebsonsecurity.com/2020/10/promising-
infusions-of-cash-fake-investor-john-bernard-
walked-away-with-30m/

Kulish, Nicholas (2021) MacKenzie Scott gave away billions. The scam artists followed. New York Times. Available from https://www.nytimes.com/2021/04/24/business/
mackenzie-scott-giving-scams.html

Levine, Timothy R. (2014) ‘Active deception detection’. Policy Insights from Social and Personality Psychology, 1 (1). 122–128.

Levine, Timothy R. (2019) Duped: Truth-Default Theory and the Social Science of Lying and Deception. Tuscaloosa, AL: The University of Alabama Press.

Levine, Timothy (no date) Truth default theory. Available from http://timothy-levine.squarespace.com/truth-default-theory/

Nairaland Forum (no date) The section 419 of Nigeria criminal code law. Available from https://www.nairaland.com/3509890/section-419-
nigeria-criminal-code

Pak, Jaron (2020) The best cold opens on The Office ranked. Looper. Available from https://www.looper.com/273480/the-best-cold-
opens-on-the-office-ranked/

PetScams (no date) Pet sitters beware: Email scams. Available from https://www.petsit.com/scams

Reading, Amy (2012) The Mark Inside. New York: Vintage Books.

Shadel, Doug (2012) Outsmarting the Scam Artist. Hoboken, NJ: Wiley.

Sharma, Mayank (2021) LinkedIn jobs adverts targeted in new scam campaign. Techradar.com. Available from https://www.techradar.com/news/that-dream-job-
advert-on-linkedin-could-be-a-scam

Silverman, Stephen M. (2008) Anne Hathaway laughs at her boyfriend woes. People. Available from https://people.com/celebrity/anne-hathaway-
laughs-at-her-boyfriend-woes/

Staff Writer (2018) What you don’t know about ‘Yahoo-Yahoo’ internet scam in Nigeria. Dnbstories.com. Available from https://dnbstories.com/2018/04/all-about-yahoo-boys-
internet-scam-business-in-nigeria.html

Ultrascan AGI (no date) Case study of a high loss victim of a Nigerian 419 fraud. Available from https://ultrascan-agi.com/419%20Advance%20Fee%20
Fraud%20Statistics.html

Vidocq, Eugene Francois (1828) Memoirs of Vidocq. London: Hunt and Clarke.

Welter, Ben (2015) Feb. 13, 1910: Spanish fraud letters flood state. StarTribune. Available from https://www.startribune.com/feb-13-1910-spanish-
fraud-letters-flood-state/84354257/

Zajonc, R. B. (1980) ‘Feeling and thinking: Preferences need no inferences’. American Psychologists, 35 (2). 151–171.