This blog is another in our series of Pocket Guides.
As we approach Christmas and New Year, we are all out for a bargain. This is the time when criminals tempt you with offers that look too good to be true, and in your haste to get the cheapest price on something you become vulnerable to fake shopping websites, counterfeit goods and outright theft or fraud.
What is a Scam?
This is a term used to describe any fraudulent business or scheme that takes money or other goods from an unsuspecting person. With the world becoming more connected thanks to the Internet, online scams have increased. Scams often fall into the following categories:
- Phishing, and Social Engineering in general
- Auction Fraud
- Donation Scam
- Catfish Scams
- Cold Call Scams
- Chain mail
- Online Survey Scams
- Nigeria Scam
- Cyber-Enabled Financial Fraud, or Business Email Compromise.
Scams can manifest themselves in many forms, ranging from a leaflet pushed through your door to a purely online scam. With the increasing use of technology to initiate and manage scams, I consider most scams of this type to be cyber attacks, and they should be treated as such.
In the next few sections I will explain the various types of scam that you can fall victim to as well as some defences/mitigating actions.
Phishing and Social Engineering
We have blogged recently about Social Engineering and how it is used to extract information and drive other cyber attacks. Social engineering is increasingly being used by scammers to profile their victims so that they can be more convincing when they approach their target. I urge you to read our blog on combating social engineering.
Auction Fraud
This is where someone is selling something through an online auction site, such as eBay, that is not what it appears to be. For example, someone may claim to be selling tickets for an upcoming concert that are not official tickets, or they may be selling counterfeit goods, such as fake Rolex watches, as the genuine article.
The defence here is to engage your brain and think about what is being sold. For example, genuine Rolex watches (even the least expensive ones) cost £3,000 or more. Do your market research. If it looks too good to be true, it probably is.
You can also look at the other items this person is selling on the auction site. If they specialise in a few items they might be genuine, but specialising is also a trick scammers use to appear legitimate. If they are selling Rolexes, TVs, flash cards, cameras, etc. from the same auction account, it is possible these items are not genuine. However, many sellers on eBay do not specialise and are selling genuine goods, so this is a difficult one to detect.
Also, protect your online shopping and auction accounts with strong passwords, as criminals often use stolen credentials to hijack someone's account for their own use. You can also look at our guidance on Authentication Best Practice to help secure your accounts.
Donation Scams
An example of a Donation Scam is a person claiming that they, their child or someone they know has an illness and needs financial assistance. Although many of these claims are real, an alarming number of people create fake accounts on donation sites in the hope of scamming people out of money.
We often see an increase in these types of scam around religious holidays (e.g. Christmas, Easter), as people feel they should give back at these times. You should always be wary of these types of communication, especially if they come from an organisation you don't know.
Catfish Scams
This is where a person creates a fake online profile with the intention of deceiving someone.
Examples of this are where someone:
- Creates a fake profile on an online dating website, builds a relationship with one or more people and then invents a scenario in which they ask for money
- Creates a fake Facebook account that resembles a friend so that they can view a certain person’s private information
- Someone abroad sends you an email saying they found your profile on a ‘Russian’ dating site and want to have a relationship with you.
These types of scam often prey on lonely people, the recently bereaved and anyone who just wants affection in their lives. Some of these emails are very believable and often attach a photograph of a very attractive woman. One such scam I was sent was very convincing: the attached photo had been taken from VK, the Eastern European equivalent of Facebook, and the information in the email was lifted directly from a genuine person's public profile.
In these cases the perpetrator is not the woman pictured, but a gang of scam artists. After a few email exchanges they will present their requests, which are normally:
- Help with getting immigration documents
- Help with buying travel tickets
- Asking for money to help pay off a debt
To combat these types of scam it is best not to respond at all.
If you do reply, you will often find that the responses are not specific to your questions, and requests to meet on Skype or to talk on the phone are met with excuses as to why they can't do that.
You can also use reverse image search sites (e.g. Google Image Search, TinEye and Yandex, the last particularly if the message originates from Russia). This lets you find public instances of the picture that was sent with the email, and you can then judge whether it is genuine or not. In most cases it is not, but this is a process I use to detect scams and report them back to the source and to the authorities.
Cold Call Scams
An example of this type of scam is where someone calls you claiming to be from technical support, typically from a company like Dell, Microsoft, Hewlett Packard, saying they have received information that your computer is infected with a virus, or hacked. They offer to remotely connect to your computer and fix the problem. This typically involves some form of urgency and can be applied to different scenarios.
Cold calling is also used to trick people into applying for services they wouldn't normally consider, for example time shares, holidays, work on your home, or offers to settle insurance/personal injury claims.
Cold calling is also used in banking scams, where a criminal claims to be from your bank, states that there has been suspicious activity on your account and recommends moving your money to a "safe account" they provide. If you hang up to call your bank and confirm, use a different phone line or a mobile, as there are techniques for keeping a landline open so that the criminals remain in control of the call. Never give out account information unless you can authenticate the person on the other end.
These types of calls are often driven by information you have willingly provided as part of a service sign-up, where the data has either been sold or has been subject to a data breach. The fact that you once expressed interest in a Time Share means that your information is out there and you will start to get cold calls about holidays and Time Shares.
My best practice is not to engage with these types of call at all. I politely state that I am not interested and, if they are persistent, I state that I am hanging up and then hang up. You can also politely request to be taken off their list. However, bearing in mind that this list is just one they have bought and that it is widely distributed, removing yourself from their list doesn't achieve much.
To stop this type of scam, I recommend you read through our guidance on stopping spam and in particular on stopping direct marketing. If you are in the UK there are some very good laws about direct marketing. However, many of these scammers are not in the UK and are largely beyond the reach of the UK courts.
Take a look at the UK Government's advice on limiting Direct Marketing. There are also a number of services on the UK Government's page that allow you to register your email address, phone number and postal address to be removed from direct marketing lists in the UK. These are:
- Telephone Preference Service
- Fax Preference Service (yes people still use Faxes)
- Mailing Preference Service
- Email Preference Service.
These links are current as of posting, but may age. If they don’t work then just search for the various services.
If you are outside of the UK, your country may operate a similar set of services and laws. It would be worth looking on trading standards websites and government webpages in your country to see what is on offer.
Chain Mail Scams
Sometimes called a Chain Letter or Chain Email, this is an unsolicited email (or letter) containing false information for the purpose of scaring, intimidating or deceiving the recipient. Its purpose is to coerce the recipient into forwarding the email/letter to other unwilling recipients, thereby propagating the malicious or spurious message. They often prey on sympathy for a sick or dying relative, or spread a common myth or scare which, because it seems significant or frightening, the recipient feels inclined to pass on to all their friends. This is also a method of spreading fake news.
I will always recommend not responding to chain letters and destroying them on receipt. While technically you are not being defrauded of money, they spread fear and may also be a softening-up tactic to seed a fear that can be exploited in another type of scam or social engineering attack.
Online Survey Scams
This is a website that claims to offer money or gift vouchers to participants for answering questions. Usually these sites ask the user to spend an unreasonable amount of time for an insufficient payout, and often the promised money or vouchers are never paid out. The main goal of an online survey scam is to obtain demographic information that the site can sell to spammers or other direct marketers.
Some of these sites are genuine and provide real benefits, but if you are spending an excessive amount of time answering their questions and they are asking for very personal information (e.g. income levels, savings account details, relationship status, address, phone numbers, email addresses), then alarm bells should ring that you are being milked for your information.
You never get something for nothing. If you are not buying a product, you are often the product in these types of scams and more specifically your qualified and authenticated information. This can be used for other scams, social engineering attacks and to feed direct marketing.
Nigeria Scam
Sometimes called the 419 or African Scam, this is a scam where the scammer gives the impression that you can gain a large amount of money and only needs your bank details to deposit the money into your account. In reality, the bank details are used against the victim, or any deposits are kept with no reward. This is typically done over email but can also be done over instant messaging platforms. The 419 scam is named after the section of the Nigerian penal code under which it is prosecuted.
Some years ago we would receive an email from an "African Prince" who said that he needed to extract money from his country to which he was entitled, but for some reason couldn't access.
What you are being asked to become is what is called a 'Money Mule'. You willingly provide a bank account to process funds, for which you receive a payment, but the bulk of the funds are sent on to another party. If genuine, you are effectively money laundering: taking money sourced from crime and processing it through legitimate transactions to obscure the original source of the funds. If the money is transferred electronically it is already in the banking system, and you are participating in what is called layering.
The best defence here is not to respond. If this is a money laundering attempt you can be prosecuted, with very high fines and jail time in the UK. If you work in financial services your certifications can be revoked by your regulator and you will never work in finance again. If you are convicted of a money laundering offence, you will never be put in a position of responsibility for processing financial transactions or controlling bank accounts at work.
In law, fraud is intentional deception to secure unfair or unlawful gain, or to deprive a victim of a legal right. Fraud can violate civil law (i.e., a fraud victim may sue the fraud perpetrator to avoid the fraud or recover monetary compensation), a criminal law (i.e., a fraud perpetrator may be prosecuted and imprisoned by governmental authorities), or it may cause no loss of money, property or legal right but still be an element of another civil or criminal wrong. The purpose of fraud may be monetary gain or other benefits, for example by obtaining a passport, travel document, or driver’s license, or mortgage fraud, where the perpetrator may attempt to qualify for a mortgage by way of false statements.
Cyber-Enabled Financial Fraud
Fraud can also be enabled through technology, and this is often called Cyber-Enabled Financial Fraud. It is often referred to as Business Email Compromise (BEC) and is defined as a sophisticated scam targeting businesses that work with foreign suppliers and/or regularly perform payments, including cross-border payments. These scams have evolved to also target Personally Identifiable Information (PII) of employees and clients. They can also target individuals (e.g. real-estate purchasers, the elderly) by convincing them to make payments to bank accounts controlled by criminals.
The best defence against this kind of fraud is to have robust authentication procedures in place (if you are a business), where you check the details of the person sending you the request via signature cards and/or call them back to confirm the transaction using phone numbers and contacts recorded within your organisation, never the contact details supplied in the email itself. If you are a consumer, be very careful about sending money (or goods) to someone on the strength of an email. The same procedure applies: always authenticate the instruction.
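As an added illustration of the call-back rule above (this is example code written for this guide, not a tool the blog describes), the following Python checks an incoming payment or bank-change request against the supplier details held on file. Any mismatch in sender domain, bank details or contact number routes the request to a manual call-back, and the number to call always comes from the record on file, never from the email. The vendor directory, email addresses and phone numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VendorRecord:
    """Details a business holds on file for a supplier (the 'signature card')."""
    name: str
    email_domain: str    # domain the supplier normally writes from
    sort_code: str
    account: str
    callback_phone: str  # recorded at onboarding; never taken from an incoming email


@dataclass(frozen=True)
class PaymentRequest:
    """Details extracted from an incoming payment or bank-change email."""
    vendor: str
    sender_email: str
    sort_code: str
    account: str
    amount_gbp: float
    phone_in_email: Optional[str] = None  # any 'call me on ...' number the email supplies


def _digits(phone: str) -> str:
    """Normalise a phone number to its digits so formatting differences don't matter."""
    return "".join(ch for ch in phone if ch.isdigit())


# Constructed supplier directory for the example; all values are invented.
DIRECTORY = {
    "acme ltd": VendorRecord(
        name="Acme Ltd",
        email_domain="acme.example",
        sort_code="12-34-56",
        account="11112222",
        callback_phone="+44 20 0000 0001",
    ),
}


def verify_payment_request(req: PaymentRequest, directory=DIRECTORY) -> dict:
    """Decide whether a request can be approved or must be confirmed by call-back.

    Returns a dict with 'decision' in {'approve', 'callback', 'hold'}, the list of
    reasons, and 'callback_to', which is always the number on file (or None).
    """
    rec = directory.get(req.vendor.strip().lower())
    if rec is None:
        # Unknown supplier: nobody on file to call back, so the payment is held.
        return {"decision": "hold", "reasons": ["vendor not on file"], "callback_to": None}

    reasons = []
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec.email_domain:
        reasons.append(f"sender domain {sender_domain!r} differs from record {rec.email_domain!r}")
    if (req.sort_code, req.account) != (rec.sort_code, rec.account):
        reasons.append("bank details differ from those on file")
    if req.phone_in_email and _digits(req.phone_in_email) != _digits(rec.callback_phone):
        reasons.append("email supplies a contact number that is not the one on file")

    if not reasons:
        return {"decision": "approve", "reasons": [], "callback_to": None}
    # Every discrepancy is confirmed by phoning the recorded number, not the email's.
    return {"decision": "callback", "reasons": reasons, "callback_to": rec.callback_phone}


# Constructed sample requests: one routine invoice and one bank-change email
# sent from a look-alike domain with its own "call me" number.
ROUTINE = PaymentRequest("Acme Ltd", "accounts@acme.example", "12-34-56", "11112222", 950.00)
CHANGE = PaymentRequest("Acme Ltd", "accounts@acme-example.com", "65-43-21", "99998888",
                        12500.00, phone_in_email="+44 20 0000 9999")
UNKNOWN = PaymentRequest("Globex", "pay@globex.example", "00-00-00", "00000000", 10.00)

if __name__ == "__main__":
    for req in (ROUTINE, CHANGE, UNKNOWN):
        print(req.vendor, "->", verify_payment_request(req))
```

The important design choice is that `callback_to` is populated only from the on-file record: the number inside a suspicious email is used to raise a flag, never to make the confirmation call.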
Scams will often prey on the lonely, and on people's greed to get something for nothing, or for significantly less than it is worth. They can also be part of a wider crime of distributing stolen goods, defrauding you of money or money laundering, and can form part of a wider cyber attack campaign.
This is an ever-evolving practice by criminals and is increasingly enabled by technology of some form. My view is that these are cyber attacks in their own right, and are often part of a wider cyber attack campaign.
Above I have provided some in-context mitigations, but the best way of protecting yourself is to engage your brain before you respond. Also, where you know of a vulnerable person, keep an eye on what they are doing and help protect them from these attacks.
If you are a victim of a scam or fraud, and resident in the UK, you can report it to Action Fraud, which is a service sponsored by the UK Police Force. This site also has a lot of resources to help victims of scams so worth bookmarking this site.
People who are victims of scams often are embarrassed as to how stupid they feel and often don’t report the crime. There should be no stigma to reporting a scam, even if you haven’t personally been a victim.
You can also look at the UK National Trading Standards website, and in particular their Scam Teams section, for more information. The Friends Against Scams website, also run by UK National Trading Standards, offers training on detecting scams and on becoming one of their scam champions.
Another resource on this website is our guidance on Combating Malware and Cyber Attacks, which will better prepare you for the online world where these scams are becoming more prevalent.
I hope this blog has been of some use to people, especially as we get closer to Christmas. However, scammers don’t just come out at this time of year, they are active all year round and you just have to be vigilant.