They’re Getting Good: How Scammers Do It

When Adam tweeted last week about a new app to help stop scam phone calls, RoboKiller, I decided I wanted to explore the world of scamming (plus, one of my all time favorite TedTalks is about scamming!).

I think it’s safe to assume everyone has been the target of a scam, even if you’ve never actually fallen for it and become a real victim. My question is — how are scammers getting so good? It’s basically standard nowadays for robocalls to spoof your local area code — it’s called “neighbor spoofing.” I know two people who have fallen for the iTunes gift card scam: a Portico professor I work with in the CSOM office recently received a series of text messages claiming to be from Dean Boynton, asking him to go buy iTunes gift cards and send pictures of them because Dean Boynton had forgotten he was supposed to bring them as a contribution to a charity auction basket. A family friend received the same request from “his priest,” claiming that he had forgotten to pick them up on his way to the local hospital, where he was supposed to hand them out to young patients. Both victims said the scammers texted exactly like the real people would have, even using legitimate sayings and nicknames. I wanted to know how scammers create such convincing scams…

The iTunes gift card scam looked a little like this…

Obviously, the point of all scams is to gain access to money or personal information (personal information is normally then sold or used to gain access to your money). Some scams try to get you to give up money or personal information willingly by tricking you into thinking a call, email, or text is something that it’s not. Others try to get into your devices by planting malware via a fake link or attachment in an email or pop-up, or by hacking directly into the device or the network you are connected to. The Money Advice Service and the Australian Competition and Consumer Commission provide detailed lists of some of the most common types of digital scams. If you click through, you’ll see there are A LOT of ways scammers go about this.

Nigerian email scammers are some of the best in the biz, and we can learn how scammers obtain and use our information by learning about them, since many other scammers have adopted their techniques (although most don’t commit to the scams as much as these guys). Nigerian gang-type groups engage in email fraud on a mass scale, and have turned what used to be a pretty obvious identity theft scam (usually the Nigerian Prince/419 fraud – an African noble or government official asks you for personal information that they can use to illegally get millions of dollars out of Nigeria, in exchange for a portion of the money, or something along those lines) into a portfolio of highly convincing and profitable scamming tactics. Although they use fairly simple technology and malware, their attention to detail and patience help them trick even the most careful tech users. They have recently increased the amount they make from each attack by targeting small businesses, in addition to individuals, since small businesses usually don’t have the resources to be vigilant about potential scams. Their process of attack goes like this:

  • Scammers send tailored phishing emails in the hope that someone in a company will click a link that infects their computer with malware.
  • After the scammers have access to a computer inside the company, they spend days or weeks gathering information that will help them sound as legitimate as possible. They use key loggers and other surveillance tools to steal login credentials, figure out how the company works, who handles which transactions, and how different people sound over email.
  • They use the information they’ve collected to choose the tactic that would seem most normal within the company; they might impersonate someone in the company and attempt to initiate a payment, or pretend to be someone else the company interacts with and send a normal-looking invoice for the company to pay.
  • Wired says that, “If they’ve gained enough control of a system, attackers will even set up email redirects, receive a legitimate invoice, doctor it to change the banking information to their own, and then allow the email to reach its intended recipient.” They’ll sometimes go so far as to make fake Skype calls to legitimize transaction requests, “and use a still from a video they find of the employee they are impersonating to make it seem like the person is genuinely calling and the video is just lagging behind the audio.”
  • They also make very little effort to cover their tracks (in fact, they have a whole fraternity thing going on, that you can read more about in Wired, and they really like to brag about their successful schemes). Many international law enforcement agencies have made arrests related to Nigerian email scamming, but the jurisdictional issues make it hard for them to arrest enough people to make a dent in the network.
  • And the scammers go through a similar process for scamming individuals.
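As an added illustration (not code from the original post), here is a small Python triage routine that checks an incoming message for the warning signs this process leaves behind: an insider’s display name sent from an outside domain, a Reply-To that diverts answers elsewhere, an invoice whose bank account does not match the vendor record on file, and the gift-card/urgency wording from the Dean Boynton story. The mail domain, staff directory, vendor records and sample messages are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed for this example: our own mail domain, a staff directory and the
# bank account held on file for each vendor. None of these are real.
INTERNAL_DOMAIN = "example.edu"
STAFF = {"Dean Boynton": "boynton@example.edu"}
VENDOR_ACCOUNTS = {"Acme Supplies": "GB00EXAMPLE1111"}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{8,30}\b")
LURES = ("gift card", "urgent", "wire", "new bank details", "updated account")

def triage(msg):
    """Return BEC warning signs found in one message dict (keys: from, reply_to, vendor, subject, body)."""
    findings = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    # 1. A real insider's display name, but the address is off our domain:
    #    the executive-impersonation step described above.
    if name in STAFF and domain != INTERNAL_DOMAIN:
        findings.append(f"display name '{name}' sent from external domain {domain}")
    # 2. Reply-To quietly routes any answer away from the apparent sender.
    if msg.get("reply_to"):
        _, reply_addr = parseaddr(msg["reply_to"])
        if reply_addr.lower() != addr.lower():
            findings.append(f"reply-to {reply_addr} differs from sender {addr}")
    # 3. An invoice whose account number differs from the vendor record we hold:
    #    the doctored-invoice step. Always compare against the record, never the email.
    text = msg["subject"] + "\n" + msg["body"]
    vendor = msg.get("vendor")
    for iban in IBAN_RE.findall(text):
        if vendor in VENDOR_ACCOUNTS and iban != VENDOR_ACCOUNTS[vendor]:
            findings.append(f"account {iban} differs from record for {vendor}")
    # 4. The lure wording itself (gift cards, urgency, changed payment details).
    hits = [w for w in LURES if w in text.lower()]
    if hits:
        findings.append("lure wording: " + ", ".join(hits))
    return findings

# Constructed sample messages modelled on the stories in the post.
GIFT_CARD_LURE = {"from": "Dean Boynton <dean.boynton.office@webmail.example>",
                  "reply_to": None, "vendor": None, "subject": "Quick favor",
                  "body": "Can you pick up iTunes gift cards for the charity auction? Urgent."}
DOCTORED_INVOICE = {"from": "Accounts <billing@acme-supplies.example>",
                    "reply_to": "billing@acme-supplies-pay.example",
                    "vendor": "Acme Supplies", "subject": "Invoice 1042 - new bank details",
                    "body": "Please remit to IBAN GB00EXAMPLE9999."}
LEGIT_NOTE = {"from": "Dean Boynton <boynton@example.edu>", "reply_to": None,
              "vendor": None, "subject": "Meeting", "body": "See you at 3."}
```

Calling `triage()` on the two lure messages returns the matching findings, while the genuine note from the dean’s real address returns an empty list; a real deployment would feed the findings into the mail gateway’s quarantine or the reporting add-on rather than printing them.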

So, as crazy as it sounds, there are actually real people, combing through emails for days at a time in order to perfectly impersonate Dean Boynton or my friend’s priest, behind a good number of common scam emails. Even if a scam doesn’t start with a human, it always gets into the hands of a human eventually. A spam phone call that has nothing on the other end (not even a bot) when you pick up may seem fruitless, but that’s just step one in the scam. You saying “hello,” or even coughing, signals to the silent bot on the other end that it has reached an active phone number. Your number, and any other personal information available, is then sold off to criminal rings who go through a similar process to the Nigerian email scammers, but with a series of phone calls that slowly collect your personal information, until they have enough to contact your bank and take control of your bank account.

It’s pretty scary that some people have devoted their lives to becoming experts on this, but even the most sophisticated scammers often still rely on at least one oversight on our part. There are a lot of fraud prevention tips that are intuitive for our generation (don’t open emails from sketchy email addresses, use different passwords for different accounts, don’t pay upfront online, don’t click on weird pop-ups, etc.), but here are a few I came across throughout my research that you may not have thought about before:

  • Don’t access secure logins (especially your bank account) from public WiFi networks
  • Don’t even pick up that scam phone call (any noise on your end can tip the bot off)
  • Don’t believe your caller ID (it’s way too easy to trick)
  • Do your research on charities that ask for online donations
  • Most importantly, stay updated on the latest scams, so you can spot them and warn younger and older people in your life (scammers target children and the elderly especially).

Additionally, AI can help! AI being used for fraud prevention is nothing new, but it’s getting better and better as scammers do too. New algorithms have recently been designed to learn what fake online dating profiles look like, and identify them with a false-positive rate of only 1%. Google Chrome, Gmail, and Android smartphones all use AI to warn you if a website, email, or phone call looks like a scam. And there are independent apps, like RoboKiller, that try to help across all the different platforms.

I hope this research answered some of your curiosities about the scams we’re hit with on a daily basis! Now, you tell me: what’s the craziest scam you’ve ever experienced?

9 comments

  1. Very applicable post! This rarely happens to me personally, but it happens at work all the time. We’ve gotten many bot calls that look like they are coming from a major client. Just last week I received a message on my work email which looked like it was coming from my boss, telling me something serious happened during his meeting that he needed to discuss. I figured out it wasn’t him pretty easily because it said: “Sent from my iPad” at the bottom, and I know he doesn’t own an iPad. Crazy how much it sounded like him though.

    Our back office has made it a lot easier to report these types of phishing emails by creating an add-on in our Outlook where we can mark certain messages as suspicious. They then get deleted and sent to the IS team for review. I think more companies should implement something similar!

  2. It is such a bummer to hear that I shouldn’t even pick up the calls. I actually enjoy picking up these scammy phone calls and seeing how far I can press them into admitting that they’re a scam. Before they got really good at spoofing local numbers, I actually called one back at the same number so many times that *they* blocked *me.*

    I really worry about my parents, though. Some of this seems so innocuous to us and probably even more so to them. But it also makes me wonder if the major demographic for these scams is aging out faster than the scammers can innovate.

  3. This was so interesting. I have never personally gotten an email or text that sounded like someone I knew, but I do get a lot of spam phone calls (usually telling me I won an iPad or a week-long all-expenses paid vacation!!) that are generally pretty easy to spot, and I usually don’t answer the phone if it’s an unfamiliar number. Definitely scary that there are a whole group of people who dedicate their lives to this, and that there are so many ways for them to do it. Nice tip about accessing secure logins from public WiFi, I have definitely logged into my bank account while on public WiFi and I honestly didn’t even think about the risks, but I will be thinking about them now!

  4. This is top of mind right now, I have received so many robocalls and obvious scammer calls over the past few months. As technology is becoming so much more sophisticated, so are scammers and hackers. These are all really interesting tips and even knowing the background of what they are after is helpful to protect yourself. You hit the nail right on the head, public WiFi is a slippery slope that I have always had a hard time trusting, it is one thing to get that one text out while trying to conserve data while traveling, but it is another thing to do some mobile banking. I have recently downloaded a call safety app that has partnered with AT&T called Call Protect, the service has actually helped to reduce the number of calls I get, it auto blocks the calls that have been widely reported, and otherwise my caller ID will flash “Potential Spam” just like Robokiller. Awesome post!

  5. Great post. I confess that I completely ignore calls now from people who have the same prefix as my cell phone (and pretty much ignore anytime the land line rings).

  6. Wow this is scary to think that I can’t even trust my own caller ID anymore. My Grandma actually told me the other day that she keeps getting calls from a number impersonating her home phone claiming to be Microsoft and that there is something wrong with her computer. After checking with the real Microsoft to make sure that her computer was actually OK, she called her phone company to figure out how on Earth someone else could be using her home phone number. The phone company told her basically that there was nothing they could do to stop it and that these hackers are getting better and better at getting around the phone companies’ security. Although phones don’t really qualify as “emerging” tech, I definitely see an urgent need for innovation in phone lines because as we all know, there can be serious consequences (money loss, identity theft, etc.) when these hackers are successful. These apps sound very helpful and I will definitely be downloading at least one and then probably forwarding the rest to my Grandma.

  7. This was a fantastic writeup! It’s been really interesting to see how hackers have shifted their approach to theft as technology has improved. Once companies created some basic gateways to block out the majority of scam attempts, social engineering became significantly more attractive to scammers. I had no idea social engineering went as far as some of the examples you provided! I took a cybersecurity class at BC a semester or two ago and it seems like these types of scams and phishing attempts have gotten significantly more complex even in that short time. Hopefully, we can continue to improve AI to detect these types of scams before they even reach the end-users.

  8. This was such an interesting post to read! I had no idea how much work went on behind the scenes after an initial phishing email is sent by a scammer, and it is crazy (and scary) to hear about how much time is spent perfecting their craft. I avoid answering any calls on my cell phone that start with the first few digits of my own phone number, and at work I have gotten to know which numbers to screen because I know it’s someone claiming I won a free vacation, but it’s crazy how often they call. My parents had a voicemail left on their land line about a year ago, claiming that my mom’s Apple account had been compromised and asking for a call back. She thought it was odd that they would call (let alone have on file) our home phone number, but told my sister and me about it anyway, and we all agreed this was not legitimate. It is worrisome to think about older folks or other vulnerable groups who may not be able to tell the difference between what’s a real threat and what’s a scam attempt. Hopefully technology can continue improving efforts to stop these attempts.

  9. Great post, this really scared the heck out of me! I get robocalls all the time from all sorts of New York and Boston numbers, sometimes I can’t even understand the folks on the other end. I also get really concerned when I receive billing emails as I am never sure what’s real and what’s fake. I will certainly be putting these apps to use to help identify sketchy calls and will continue to remain vigilant when receiving suspicious emails as it seems they can be quite crafty!
