The Nigerian Prince is Alive and Well: Cybercriminals Use Generative AI and New Themes to Run Their Scams

The term “Nigerian Prince” has become nearly synonymous with the first email scams of the nineties. Mostly targeting individuals, these emails often came from allegedly wronged and robbed Nigerian nobility, who asked for financial assistance and promised millions in repayment as soon as they regained access to their wealth. Despite their absurdity and the huge sums of promised money, people fell for these scams by the thousands.

But as they became more popular and more people lost their life savings, awareness grew until they are now the subject of many popular memes. So surely no one is continuing to fall for these scams decades later, right?

Unfortunately, that doesn’t appear to be the case. Abnormal recently uncovered more than a thousand attacks targeting organizations using at least 70 unique email addresses. While it feels that these are old news, we can surmise that these attacks are still being sent because they work—people continue to fall for them at a rapid enough pace that they are still worth the effort put into them.

And making matters worse? Now they’re using generative AI to create them.

These attacks rely on common social engineering tactics like urgency and human decency, preying on the empathy of the recipient and their willingness to help in an emergency. And they’re not simply sent to personal email addresses anymore. These attacks were all sent to business email addresses at organizations and appear to be entirely industry agnostic, targeting higher education, retail, healthcare, law firms, and more.

The emails identified by Abnormal all have the same subject line that simply says “GREETINGS” but are sent from multiple email addresses with multiple hooks. In this attack, the sender states that his mother was the former Minister of Petroleum from 2010-2015 under the Administration of President Goodluck Ebele Johnathan. He goes on to say that he has $250M he wants to invest in the firm. Obviously, the recipient will be “greatly rewarded” for their efforts.

Unfortunately, it is no longer only Nigerian royalty that are being impersonated. There are a variety of other emails using the same “GREETINGS” subject line, impersonating individuals from the United Nations, Ukraine, the Ivory Coast, Switzerland, the Central African Republic, and even the United States.

Some of them remain closely related to the traditional scam, speaking of dead relatives with large inheritances. Though they do often mention countries other than Nigeria, like this one from the Central African Republic, much of the rest of the email is what we would expect.

That said, there has also been a shift in tactics. Whereas the traditional Nigerian Prince schemes spoke only of personal gain, some of these newer versions are related to business transactions, including this one from The Ministry of Defence of Ukraine. This attack asks the recipient to deposit $50M in exchange for 10% of the money, in a “100% risk free” business transaction. This is an evolution of the traditional 419 scam, now referencing business transactions rather than personal ones.

In approximately half of the emails detected by Abnormal, the theme focused on a business transaction rather than a personal one—a clear shift since these first appeared on the scene nearly three decades ago.

Unfortunately, as the average person becomes more aware of these schemes, cybercriminals continue to find ways to outsmart them. Spelling mistakes and grammatical errors have long been characteristics of an attack, making them easy to spot even if they did land in the inbox. But with the rise of generative AI, this is no longer the case.

It’s clear that at least one threat actor is testing their luck with it, evidenced by these two attacks we’ve found. While they are using different sending addresses, they both have the “John Albert” display name and the same reply-to address. Additionally, they both mention the United Nations and the sum of $3.5M.

However, this first email is clearly human-generated with a number of syntax errors.

In contrast, this second email is likely entirely AI-generated, with zero errors or inconsistencies. As a result, employees may be less able to tell that this is an attack, making it more likely that they will respond should it land in the inbox.

One interesting point to note is that the human-generated email was sent four days after the AI-generated email. Perhaps this is an indication that cybercriminals are still testing out the technology to determine how useful it may be for their work.

Most everyone now knows not to respond to an email from Nigerian royalty and threat actors clearly know this. As a result, they are refining their scams, using similar tactics but different themes to target personal and business accounts alike. And with the rise of generative AI, we’re likely to see even more convincing emails sent from these threat actors. In fact, in our recent survey of 300 cybersecurity stakeholders, 80% said they suspect their organization has been targeted by AI-generated email attacks.

As these examples show, the Nigerian Prince scam is far from over and is instead rapidly evolving. As a result, organizations must be prepared to stop them before they reach the inbox. Because they are entirely text-based and often use free webmail domains, traditional security solutions may not stop these attacks. In contrast, modern solutions like Abnormal use AI to understand the signals of known good behavior, creating a baseline for each user and each organization and using natural language processing to understand when an email contains high-dollar figures.

Unfortunately, we can’t rely on humans not to fall for these schemes, as the millions lost to them each year can attest. As attackers shift from personal emails to business ones, you need a solution that can block them before they reach inboxes. Abnormal can detect email attacks that bypass other solutions—whether they’re written by a real Nigerian Prince, your typical attacker, or generative AI.

To discover more about how Abnormal detects these attacks, request a demo today.