Understanding School Impersonation Fraud

The operator at the office supply store call center answers the phone, and the person on the other end claims to be a school purchasing officer with questions about his account. But the caller is actually a criminal, and the information the operator may unwittingly divulge could cost the retailer hundreds of thousands of dollars.

It’s called the school impersonation scheme, and it has been carried out in nine states across the country—mostly by Nigerian criminal groups using the Internet and social engineering techniques.

“Most retailers have been pretty good about catching the scam,” said Special Agent Alla Lipetsker, “but it’s an alarming trend, and the fraudsters have had success.”

Here’s how the scam works:

A member of the criminal group poses as a school official on the telephone or by e-mail and uses social engineering—actions that deceive individuals into revealing otherwise secure information—to learn about a school’s purchasing account with large office supply stores.

Using account information obtained from the original call—and sometimes the school’s website—the fraudster makes a second call and bills the school’s line of credit for a large order of laptops, hard drives, printer ink, and other items that can total more than $200,000.

The fraudster provides a U.S. shipping address belonging to a third party—someone who has been fooled into thinking they are working from home, for example, but is another victim of the group’s social engineering tactics (see sidebar). The purchase will later be re-shipped to Nigeria. In some cases, the order is directed to the actual school, whereupon the scammer—posing as a representative of the retail store—contacts the school and says the shipment was sent in error. The school, believing it is returning the order to the store, reships the items to a domestic address provided by the fraudster.

Either way, once the fraud is discovered, it’s too late, and the retailer absorbs the loss.

Those who perpetrate school impersonation schemes are members of an African Cyber Criminal Enterprise (ACCE), said Lipetsker, who has been investigating these groups for the past year as part of a new initiative in our Criminal Investigative Division.

ACCE refers to a network of predominantly Nigerian criminal actors who are engaged in computer-assisted frauds. The schemes are heavy on deception instead of hard-core intrusions, Lipetsker said. “The Africans don’t do a lot of hacking,” she explained. “They deceive their targets through phishing schemes and social engineering.”
