The operator at the office supply store call center answers the phone, and the person on the other end claims to be a school purchasing officer with questions about his account. But the caller is actually a criminal, and the information the operator may unwittingly divulge could cost the retailer hundreds of thousands of dollars.
It’s called the school impersonation scheme, and it has been carried out in nine states across the country — mostly by Nigerian criminal groups using the Internet and social engineering techniques.
“Most retailers have been pretty good about catching the scam,” said Agent Alla Lipetsker of the FBI, “but it’s an alarming trend, and the fraudsters have had success.”
Here’s how the scam works:
- A member of the criminal group poses as a school official on the telephone or by e-mail and uses social engineering — actions that deceive individuals into revealing otherwise secure information — to learn about a school’s purchasing account with large office supply stores.
- Using account information obtained from the original call — and sometimes the school’s website — the fraudster makes a second call and bills the school’s line of credit for a large order of laptops, hard drives, printer ink, and other items that can total more than $200,000.
- A U.S. shipping address is provided belonging to a third-party — someone who has been fooled into thinking they are working from home, for example, but is another victim of the group’s social engineering tactics. The purchase will later be re-shipped to Nigeria. In some cases, the order is directed to the actual school, whereupon the scammer — posing as a representative of the retail store — contacts the school and says the shipment was sent in error. The school, believing it is returning the order to the store, reships the items to a domestic address provided by the fraudster.
- Either way, once the fraud is discovered, it’s too late, and the retailer absorbs the loss.
Those who perpetrate school impersonation schemes are members of an African Cyber Criminal Enterprise (ACCE), said Lipetsker, who has been investigating these groups for the past year.
ACCE refers to a network of predominantly Nigerian criminal actors who are engaged in computer-assisted frauds. The schemes are heavy on deception instead of hard-core intrusions, Lipetsker said. “The Africans don’t do a lot of hacking,” she explained. “They deceive their targets through phishing schemes and social engineering. Our goal is to take down the entire criminal enterprise, not just a few actors.”
Although many people equate Nigerian fraud schemes with ham-handed e-mail scams, ACCE members use sophisticated techniques to fool their targets, and they create forged online documents that are extremely convincing.
“They know where the vulnerabilities are,” Lipetsker said, adding that many school systems make the fraudsters’ job easier by posting information on their websites about their schools, personnel, and purchasing accounts.
“The greatest lesson that comes from this scheme is that retailers and schools systems must be vigilant about telephone and online orders,” she said. “If you get large orders, make sure to independently verify the information. Don’t just call the telephone number on the e-mail you received or be convinced by someone using the name of a known purchasing officer. A little diligence could save a lot of money and aggravation later.”