Part 3! Creative Scams and How They Compromise CyberSecurity

In Part 1 and Part 2 of our series on scams we explored many of the common scams that cybercriminals use to steal our data. The result may be an immediate financial loss, or a loss later down the road when you least expect it. Some scammers simply sell your information. Being scammed once may not affect you greatly, especially if you have secured your accounts.

However, the more information that is gathered about you, the more likely it is to end in identity theft. At the very least, more scams will come your way. So, in this final article in the series (Part 3) we look at additional scams that affect individuals and businesses alike.

Creative Scams Compromising Security

CEO Fraud

CEO fraud is a form of Business Email Compromise (BEC) in which an attacker impersonates a senior executive. It has evolved from email to text messages, tricking employees into divulging sensitive information, transferring funds, or interacting with malware.

Employees are advised not to respond to suspicious text messages that appear to be a CEO fraud attempt. Instead, report the message to IT and to the impersonated executive, using a phone number or channel you already have on file rather than anything given in the message, and then delete it.

Cybercriminals can easily obtain personal and company information for these scams through social media. Networks focused on business and employment are especially useful to them, because they reveal who works where, in what role and with whom.

Making social media profiles private and being cautious about connection requests helps protect against CEO fraud, because it reduces the amount of personal information that is publicly available to be woven into a convincing pretext.

BEC scams are no longer limited to messages from someone impersonating a CEO; emails may also come from fake suppliers and business associates, typically requesting an urgent payment or a change of bank account details for an invoice.

Job Scams

A job scam rests on a very basic promise: a scammer poses as a company that wants to hire you. They prey on your excitement at getting the job. The pay is good and you can start right away. It may be a full-time, part-time or temporary position.

Cybercriminals use the lure of work to trick job seekers into providing personal information.

A résumé plus a photo ID is more or less a complete picture of a person's identity, which is what makes these scams so dangerous.

To make this scam work, cybercriminals count on our comfort in handing personal information to potential employers, as well as our motivation to earn extra cash.

These two components allow the scam to operate, so it is important to stay aware.

The Fee-Based Scam:   A cybercriminal posing as a legitimate employer insists that the job seeker pay a small fee for "start-up" materials, or twenty or thirty dollars for things like training or a background check, and then vanishes into thin air once the money is paid.

For a remote sales job, applicants may be asked to pay for access to a list of sales leads that turns out to be worthless or never arrives at all.

Even if a job is only temporary or seasonal, take the time to confirm that the company is legitimate, for example by contacting it through the details on its own website rather than those in the job offer, before forwarding personal information to the potential employer.

The Use of Images in Phishing Email

When most of us think about phishing email, we think of the subject line and a message that has been cleverly written to fool us. But what if there isn't much text at all in the email, and instead there is an image?

The standard phishing email doesn't usually come with an image, which is why a gift card phishing email that includes images looks so legitimate. Putting the lure in an image also leaves text-based spam filters with little to inspect.

Visual marketing is just as effective in the cybercrime industry as it is in the professional world. Visual marketing is a strategy that uses images to convey concepts that would otherwise be hard to explain through text.

To add to the confusion, a reported 67% of scammers leave the subject line empty in malicious emails. Empty subject lines are quick for cybercriminals to send out in bulk and carry an engaging air of mystery for the recipient.

Phishing emails that have both a blank body and a blank subject line are known as "blankets" or "probes." They are sent as a quick way for cybercriminals to identify active email accounts: a bounce tells the sender the address is dead, while a reply, a read receipt or simply no bounce tells them it is live and worth targeting.
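As an added illustration (not code from the original article), the following Python script shows how a mail filter might flag the two patterns described above: an image-only message with an empty subject, and a blank "probe." The three messages are constructed samples, the example.invalid addresses and URL are placeholders, and the character threshold is an assumption chosen for the demo.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample messages (not real mail). The first is an image-only gift card
# lure with an empty subject, the second a blank probe, the third ordinary mail.
IMAGE_ONLY_LURE = b"""From: rewards@example.invalid
To: staff@example.invalid
Subject:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://giftcard.example.invalid/claim"><img src="cid:card"></a></body></html>
--b1
Content-Type: image/png
Content-ID: <card>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

BLANK_PROBE = b"""From: noreply@example.invalid
To: staff@example.invalid
Subject:

"""

NORMAL_MAIL = b"""From: colleague@example.invalid
To: staff@example.invalid
Subject: Q3 planning notes
Content-Type: text/plain; charset="utf-8"

Hi all, attached are the notes from this morning's planning session. Please add comments by Friday.
"""

# Fewer visible characters than this alongside an image counts as "image-only" (assumed threshold).
MIN_VISIBLE_TEXT = 20


def visible_text(part: EmailMessage) -> str:
    """Return the human-visible text of a text/* part, with HTML tags removed."""
    body = part.get_content()
    if part.get_content_subtype() == "html":
        body = re.sub(r"<[^>]+>", " ", body)
    return re.sub(r"\s+", " ", body).strip()


def analyze(raw: bytes) -> dict:
    """Parse one RFC 822 message and report the image/blank-subject heuristics."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    text_chars = 0
    image_parts = 0
    for part in msg.walk():
        maintype = part.get_content_maintype()
        if maintype == "text":
            text_chars += len(visible_text(part))
        elif maintype == "image":
            image_parts += 1
    flags = []
    if not subject:
        flags.append("empty-subject")
    if image_parts and text_chars < MIN_VISIBLE_TEXT:
        flags.append("image-only-body")
    if not image_parts and text_chars == 0:
        flags.append("blank-probe")
    return {"subject": subject, "text_chars": text_chars,
            "image_parts": image_parts, "flags": flags}


if __name__ == "__main__":
    for name, raw in [("lure", IMAGE_ONLY_LURE), ("probe", BLANK_PROBE), ("normal", NORMAL_MAIL)]:
        print(name, analyze(raw)["flags"])
```

Neither signal is proof of phishing on its own (newsletters are image-heavy, and people forget subject lines), so a real filter would use these flags as score contributions alongside sender reputation and link analysis rather than as a block decision.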

Scams Related to Selling Items Online

The Fake Payment, or Bogus Fund Request:  A scammer poses as a buyer and asks to pay via a mobile payment app, but then sends a fake payment notification, hoping you will ship the item before you notice the payment never arrived. Alternatively the scammer insists they accidentally paid you twice and asks for a refund of one of the fake payments. Check your balance in the payment app itself, never from a screenshot or email the buyer sends you.

Fake Check Overpayment Scams:  A scammer sends you a check for more than the sale price of your item and asks you to refund the difference. The bank may make the funds available within days, but the check can still bounce long after you have sent the scammer your hard-earned money, and they will also have the item if you have already shipped it. Never refund money from a deposited check until the bank confirms it has actually cleared.

Verification Code Scams

If you have been wise and set up multi-factor authentication for your accounts, there is still a way scammers can trick you into handing over the code: the verification code scam. They call you pretending to be someone official associated with your account and say there is an issue which, to be resolved, requires you first to verify yourself by reading back an authentication code.

You agree.

From there, the scammer tries to log in to your account. That triggers the code to be sent to you. You think the person on the phone sent you the code, but it is actually your legitimate account provider responding to the scammer's login attempt.

This scam is also carried out against people selling items online. The scammer claims to be nervous about online scams and sends you a verification code, then asks you to read it back. If you do, it lets them open a new account, such as a virtual phone number, linked to your phone number, which they can then use in further scams under your name.

One-Time Password Scams

A one-time password (OTP) is a form of multi-factor authentication that provides a unique code each time a user tries to log in to an account. These codes are sent to the user's mobile device or email after a login attempt, providing an extra layer of security.

Scammers now try to dupe people into giving up this code. Having learned your phone number and email from various sources, the scammer tries to log in to your account, which causes a code to be sent to you. The scammer then calls pretending to be the company behind your account and says they need the code to verify you as the account holder. This is a scam: you should never share a one-time password with an unsolicited caller.

One-time passwords are sent to you automatically as a convenience. No legitimate organization will call unsolicited asking for your OTP.

A sign of a potential scam is an inbox or phone flooded with one-time passwords you did not request: it usually means someone is repeatedly attempting to log in as you and may already hold your password. Reset your main password as a precaution.

Caller ID Spoofing

We have covered phone scams in other parts of this scam series, but caller ID spoofing takes things to a new level: scammers use it to get people to let their guard down when answering calls.

With online communication services like Google Voice, cybercriminals can change the area code, or even the full phone number, that shows up on the victim's caller ID, matching it to the victim's own number or to a trusted organization. Caller ID is not authenticated, so the number displayed proves nothing about who is calling. If you identify a call as spoofed, do not answer it. Answering a scam call often leads to more calls in the future, because it confirms the number is live.

If you do answer an unknown call that appears to be from the government, remember: government employees do not call unsolicited, especially to ask for money or account information. If someone calls claiming to be a friend or family member in urgent need of money, proceed with caution. Confirm with the person through another method of contact, such as calling them back on the number you already have, before taking action.

Public Wi-Fi Scams

The main security issue with public Wi-Fi is that it is public. That makes it a tempting environment for cybercriminals: a password handed out by a barista or written on a chalkboard is the same as no password at all, because everyone on the network, attackers included, has it.

Always verify the network you are using. Cybercriminals can set up a fake or spoofed network (an "evil twin") disguised as the public hotspot. The spoofed network may have a name similar to the real one and let you browse normally, while redirecting you to a fake website that asks for login or payment details, or simply spying on your traffic.

Verify the network name with a staff member, and look for encryption on the sites you visit. HTTPS (TLS, the successor to SSL) encrypts traffic between your browser and the website, so the address should begin with https and the browser should show a padlock. Note that the padlock tells you the connection to that website is encrypted and its certificate was accepted; it says nothing about the Wi-Fi network itself, and a spoofed network can still steer you to a look-alike site with its own valid certificate, so check the domain name carefully.

It is good practice to turn off Wi-Fi on your mobile device when you are not actively using it. This prevents it from automatically reconnecting to public networks in places you have visited before, including a spoofed network that reuses a remembered network name.

How Scams Increase Cyber Attacks

While cybercriminals look for a quick, easy profit by scamming money directly from you, your personal information alone is of great value to them for many other reasons.

An email address and a password can be worth as much as $1000 on the dark web. The information gathered in scams increases the effectiveness of cyber attacks against both people and companies.

Here are a few ways just one piece of information can compromise your data many times over.

Credential Stuffing Attacks

In this type of cyberattack a cybercriminal takes account credentials exposed in one breach and tries them, usually with automated tools, against many unrelated services to gain access to multiple accounts.

Credential stuffing can be highly effective, since many of us who don't use a password manager rely on the same, or similar, passwords everywhere.

Preventing credential stuffing focuses primarily on not reusing passwords. Truly unique passwords for every account are the way to go, which is where a password manager is so effective. On the service side, rate limiting, alerting on logins from unusual sources and multi-factor authentication blunt the attack even when a password has leaked.

Credential stuffing is similar to a brute force attack, but with credential stuffing the cybercriminal is using username and password pairs they already know, so each account usually gets only one or two attempts instead of thousands.

This makes for a far more targeted and successful attack when the target reuses the same, or similar, password.

Brute Force Attacks

The tools for a brute force attack are relatively easy for a cybercriminal to get hold of, which makes these attacks common. A brute force attack is a trial-and-error method of guessing a password or encryption key to access a device or account, which can then lead to an account hijacking.

Using automated tools, cybercriminals can systematically test thousands to millions of password combinations every second, especially when guessing offline against a stolen password hash rather than through a rate-limited login form. Every extra character multiplies the number of combinations, so adding a few characters extends the cracking time dramatically and may be enough to deter an ongoing attempt.

Cybercriminals have also been using artificial intelligence to train their tools to target passwords more efficiently, feeding them previously exposed passwords as a reference point. By combining these exposed passwords with our tendency to choose common ones, cybercriminals improve the success rate of their attacks.
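Added example, not part of the original article: the two attack patterns described in the Credential Stuffing and Brute Force sections above leave different fingerprints in authentication logs, and the Python below tells them apart. The log line format, the IP addresses, the user names and the thresholds are all constructed for this demonstration and do not come from any real product.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (assumed): one line per login attempt, e.g.
# "2024-05-01T10:00:00Z login src=203.0.113.5 user=alice result=FAIL"
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")


@dataclass
class SourceStats:
    """Per-source-address counters built up from the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def aggregate(lines):
    """Group login attempts by source address."""
    stats = defaultdict(SourceStats)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
    return dict(stats)


def classify(s: SourceStats, min_attempts: int = 10) -> str:
    """Label one source. Thresholds are illustrative, not tuned for any real environment."""
    if s.attempts < min_attempts:
        return "normal"
    distinct_ratio = len(s.users) / s.attempts
    if distinct_ratio >= 0.8:
        # many different accounts, roughly one try each: known credential pairs being replayed
        return "credential-stuffing"
    if len(s.users) <= 2:
        # one or two accounts hit over and over: password guessing
        return "brute-force"
    return "suspicious"


def detect(lines, min_attempts: int = 10) -> dict:
    """Map each source address in the log to its verdict."""
    return {src: classify(s, min_attempts) for src, s in aggregate(lines).items()}


def sample_log():
    """Constructed sample: one stuffing source, one brute-force source, one ordinary user."""
    lines = []
    # Credential stuffing: 12 different accounts from one address; two succeed because of password reuse.
    for i in range(12):
        result = "OK" if i in (3, 9) else "FAIL"
        lines.append(f"2024-05-01T10:00:{i:02d}Z login src=203.0.113.5 user=user{i:02d} result={result}")
    # Brute force: a single account hammered with guesses.
    for i in range(15):
        lines.append(f"2024-05-01T10:01:{i:02d}Z login src=198.51.100.9 user=admin result=FAIL")
    # Normal: someone mistypes twice, then gets in.
    lines += [
        "2024-05-01T10:02:00Z login src=192.0.2.20 user=alice result=FAIL",
        "2024-05-01T10:02:07Z login src=192.0.2.20 user=alice result=FAIL",
        "2024-05-01T10:02:15Z login src=192.0.2.20 user=alice result=OK",
    ]
    return lines


if __name__ == "__main__":
    for src, verdict in detect(sample_log()).items():
        print(src, verdict)
```

Credential stuffing shows up as one source trying many distinct accounts about once each, often with a higher success rate than random guessing could achieve, whereas brute force shows one account hit repeatedly. A production detector would also window by time and take distributed sources (the same account list sprayed from many addresses) into account.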

Read Part 1 and Part 2 of our scam series to learn specifics about how to:

  • Be alert about common scams.
  • Create unique passwords for each of your accounts.
  • Use a password manager so you don’t have to remember your complicated passwords.
  • Set up multi-factor authentication.
  • Ensure your Wi-Fi connection is secure.
  • Enable automatic updates for all devices and software installed on those devices.
  • Learn the SLAM method to prevent clicking malicious links.
  • Don’t respond to unknown texts.
  • Don’t call back anonymous phone numbers.

Part 1:  Common scams to be aware of and prepare for.
Part 2: Common scams and common sense prevention.
