When Adam tweeted last week about a new app to help stop scam phone calls, RoboKiller, I decided I wanted to explore the world of scamming (plus, one of my all-time favorite TED Talks is about scamming!).
I think it’s safe to assume everyone has been the target of a scam, even if you’ve never actually fallen for it and become a real victim. My question is — how are scammers getting so good? It’s basically standard nowadays for robocalls to spoof your local area code — it’s called “neighbor spoofing.” I know two people who have fallen for the iTunes gift card scam; a Portico professor I work with in the CSOM office recently received a series of text messages claiming to be from Dean Boynton, asking him to go buy iTunes gift cards and send pictures of them because Dean Boynton had forgotten he was supposed to bring them as a contribution to a charity auction basket. A family friend received the same request from “his priest,” claiming that he had forgotten to pick them up on his way to the local hospital, where he was supposed to hand them out to young patients. Both victims said the scammers texted exactly like the real people would have, even using legitimate sayings and nicknames. I wanted to know how scammers create such convincing scams…
Obviously, the point of all scams is to gain access to money or personal information (personal information is normally then sold or used to gain access to your money). Some scams try to get you to give up money or personal information willingly by tricking you into thinking a call, email, or text is something that it’s not. Others try to get into your devices by planting malware via a fake link or attachment in an email or pop-up, or by just hacking into the device or internet network you are connected to. The Money Advice Service and the Australian Competition and Consumer Commission provide detailed lists of some of the most common types of digital scams. If you click through, you’ll see there are A LOT of ways scammers go about this.
Nigerian email scammers are some of the best in the biz, and we can learn about how scammers obtain and use our information by learning about them, since many other scammers have adopted their techniques (although most don’t commit to the scams as much as these guys). Nigerian gang-type groups engage in email fraud on a mass scale, and have turned what used to be a pretty obvious identity theft scam (usually the Nigerian Prince/419 fraud – an African noble or government official asks you for personal information that they can use to illegally get millions of dollars out of Nigeria, in exchange for a portion of the money, or something along those lines) into a portfolio of highly convincing and profitable scamming tactics. Although they use fairly simple technology and malware, their detail-orientation and patience helps trick even the most careful tech-users. They have recently increased the amount they make off of each attack by targeting small businesses, in addition to individuals, since small businesses usually don’t have the resources to be vigilant about potential scams. Their process of attack goes like this:
- Scammers send tailored phishing emails in the hope that someone in a company will click a link that infects their computer with malware.
- After the scammers have access to a computer inside the company, they spend days or weeks gathering information that will help them sound as legitimate as possible. They use keyloggers and other surveillance tools to steal login credentials, figure out how the company works, who handles which transactions, and how different people sound over email.
- They use the information they’ve collected to choose the tactic that would seem most normal within the company; they might impersonate someone in the company and attempt to initiate a payment, or pretend to be someone else that the company interacts with and send a normal-looking invoice for the company to pay.
- Wired says that, “If they’ve gained enough control of a system, attackers will even set up email redirects, receive a legitimate invoice, doctor it to change the banking information to their own, and then allow the email to reach its intended recipient.” They’ll sometimes go so far as to make fake Skype calls to legitimize transaction requests, “and use a still from a video they find of the employee they are impersonating to make it seem like the person is genuinely calling and the video is just lagging behind the audio.”
- They also make very little effort to cover their tracks (in fact, they have a whole fraternity thing going on, that you can read more about in Wired, and they really like to brag about their successful schemes). Many international law enforcement agencies have made arrests related to Nigerian email scamming, but the jurisdictional issues make it hard for them to arrest enough people to make a dent in the network.
- And the scammers go through a similar process for scamming individuals.
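The two tactics above that hit a company’s accounts-payable inbox (an insider’s name on mail from outside the company, and a real invoice with the bank details swapped) are exactly the ones a simple pre-payment check can catch. This is an added example, not code from the post or from any product it mentions; the domain, staff names and vendor records are constructed placeholders.

```python
"""Pre-payment checks for the invoice-fraud pattern described above.

All data here is constructed for the example: the domain, the staff list and
the vendor master are placeholders, not real organisations or accounts.
"""
from __future__ import annotations
from dataclasses import dataclass

OUR_DOMAIN = "example.com"                      # assumed: the company's own mail domain
INTERNAL_STAFF = {"Dean Boynton", "Jane Doe"}   # assumed: insiders scammers might impersonate

# Vendor master: bank details confirmed with the vendor by phone when it was onboarded.
VENDOR_MASTER = {
    "Acme Supplies": {"account": "12345678", "routing": "021000021"},
}


@dataclass
class Invoice:
    vendor: str
    account: str
    routing: str
    sender_name: str      # display name on the email that carried the invoice
    sender_address: str   # actual From: address


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def check_invoice(inv: Invoice) -> list[str]:
    """Return a list of reasons to hold the payment; empty means no red flags."""
    findings: list[str] = []
    domain = sender_domain(inv.sender_address)
    # Check 1: an insider's display name arriving from a domain that is not ours.
    if inv.sender_name in INTERNAL_STAFF and domain != OUR_DOMAIN:
        findings.append(f"display name '{inv.sender_name}' used from external domain {domain}")
    # Check 2: bank details that differ from the vendor master -> verify out of band.
    known = VENDOR_MASTER.get(inv.vendor)
    if known is None:
        findings.append(f"unknown vendor '{inv.vendor}': onboard and verify before paying")
    elif (inv.account, inv.routing) != (known["account"], known["routing"]):
        findings.append(f"bank details for '{inv.vendor}' changed: confirm by phone before paying")
    return findings


if __name__ == "__main__":
    doctored = Invoice("Acme Supplies", "99999999", "021000021", "Acme Billing", "billing@acme.example")
    print(check_invoice(doctored))
```

The point of the second check is that the “confirm by phone” step uses the number already on file, never one printed on the suspicious invoice or email.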
So, as crazy as it sounds, there are actually real people, combing through emails for days at a time in order to perfectly impersonate Dean Boynton or my friend’s priest, behind a good number of common scam emails. Even if a scam doesn’t start with a human, it always gets into the hands of a human eventually. A spam phone call that has nothing on the other end (not even a bot) when you pick up may seem fruitless, but that’s just step one in the scam. You saying “hello,” or even coughing, signals to the silent bot on the other end that it has reached an active phone number. Your number, and any other personal information available, is then sold off to criminal rings who go through a similar process as the Nigerian email scammers, but with a series of phone calls that slowly collect your personal information, until they have enough to contact your bank and take control of your bank account.
It’s pretty scary that some people have devoted their lives to becoming experts on this, but even the most sophisticated scammers often still rely on at least one oversight on our part. There are a lot of fraud prevention tips that are intuitive for our generation (don’t open emails from sketchy email addresses, use different passwords for different accounts, don’t pay upfront online, don’t click on weird pop-ups, etc.), but here are a few I came across throughout my research that you may not have thought about before:
- Don’t access secure logins (especially your bank account) from public WiFi networks
- Don’t even pick up that scam phone call (any noise on your end can tip the bot off)
- Don’t believe your caller ID (it’s way too easy to trick)
- Do your research on charities that ask for online donations
- Most importantly, stay updated on the latest scams, so you can spot them and warn younger and older people in your life (scammers target children and the elderly especially).
Additionally, AI can help! Using AI for fraud prevention is nothing new, but it’s getting better and better as scammers do too. New algorithms have recently been designed to learn what fake online dating profiles look like, and identify them with a false-positive rate of only 1%. Google Chrome, Gmail, and Android smartphones all use AI to warn you if a website, email, or phone call looks like a scam. And there are independent apps, like RoboKiller, that try to help across all the different platforms.
I hope this research answered some of your curiosities about the scams we’re hit with on a daily basis! Now, you tell me: what’s the craziest scam you’ve ever experienced?