Nigerian cyber criminals have launched a targeted advance fee fraud (AFF) scam since at least January 2024, aimed at universities, colleges, healthcare professionals, and food and beverage industries across North America. The scheme, which employs piano-themed emails as bait, highlights a troubling escalation in online fraud, posing significant risks to organisations and individuals.
Advance fee fraud (AFF), also known as ‘419’ or ‘Nigerian Prince’ email fraud, involves soliciting a small upfront payment from victims in exchange for a promised larger payout or benefit, which never materialises.
These scams often employ elaborate narratives to lure victims, including promises of inheritance, job opportunities, government payouts, and international business ventures.
Cybersecurity researchers discovered more than 125,000 messages in 2024 in which threat actors attempted to sell a piano, often under false pretences such as a family tragedy.
Upon engagement, the threat actors prompt the victims to contact a fictitious shipping company to arrange delivery, with the contact address being yet another deceptive email managed by the same malicious actor. The scam escalates as the ‘shipping company’ requests upfront payment for shipping costs before delivering the promised piano.
The threat actors employ a range of payment options, including Zelle, Cash App, PayPal, Apple Pay, and cryptocurrency, to facilitate payment.

Moreover, they attempt to harvest personally identifiable information (PII) such as their targets’ names, addresses, and phone numbers, further exacerbating the potential for identity theft and financial loss.
Upon further investigation, cybersecurity experts discovered at least one Bitcoin wallet address linked to these fraudulent activists, currently holding over $900,000 in transactions. This substantial sum indicates the likelihood of multiple threat actors orchestrating various scams under the same umbrella, utilising the same wallet address for financial transactions.
“It is likely that multiple threat actors are conducting numerous different types of scams concurrently using the same wallet address given the volume of transactions, the variations in transaction prices, and the overall amount of money associated with the account,” noted researchers from Proofpoint.
While the email content remains consistent across campaigns, the sender addresses vary. They typically use freemail accounts with random combinations of names and numbers. This tactic aims to evade detection and increase the chances of successful phishing attempts.
To uncover more about the perpetrators behind these scams, cybersecurity researchers engaged in dialogue with the threat actors, eventually tracing back to at least one IP address and device information, leading to a high-confidence assessment that part of the operation is based in Nigeria.
In May, reports came out of a Chinese scam targeting 800,000 people in Europe, USA and Australia since 2015. In April, we reported that Korean portals were being exploited by scammers for phishing campaigns.
In the News: USIBC lobby group urges India to rethink proposed antitrust law