01 Mar
Real Stories of Cyberscams: Don’t Let it Happen to You.
TECHPol regularly posts information about how to avoid becoming a victim of cybercrime. We hope you take it to heart and implement some of our suggestions on how to protect your personal information and that of your company. In a couple of our posts, we’ve talked about how humans are often the source of vulnerability in cyberdefenses. (See blog posts: “Employees: The Weak Link in Your Company’s Cybersecurity” and “What’s the Biggest Cybersecurity Threat: Employees”.) You may think it can’t happen to you, but cybercriminals are sneaky and are increasingly skilled at baiting their victims — victims who unwittingly help scammers by giving out personal information by email or on social media that is then used against them. Criminals are coming up with all sorts of new scams. The IRS reports that tax scams involving phishing and malware are up 400% this tax season. Here are three examples of real-life cyberscams that recently have come across our desks at Focus Data Solutions.
#1 A Tale of Distributed Spam Distraction. We received a call from a client whose wife, we’ll call her Margaret, had her personal email hacked by criminals who guessed her password. It so happened that Margaret used her personal email account to conduct business with her bank, and her bank used the same email to verify password updates. Once the hackers had access to her email, they were able to gain enough information about her bank account to request a password change. Margaret was oblivious to all of this, and only noticed trouble with her email when it was suddenly flooded with spam. There was so much distracting spam that it rendered her email account virtually unusable to her, but not to the hackers. They were able to weed out the spam they had sent and respond to the email from her bank confirming the password change. Then they requested a transfer of funds. Meanwhile, Margaret couldn’t sift through all the bogus email to get to legitimate messages, and so she missed the one from her bank that confirmed the password change and also the one confirming the transfer. She only found out about the crime when her bank finally called her.
#2 The Wire Transfer Tragedy. A man, whom we’ll call Charles, works for the CFO of a mid-sized government contractor. Cybercriminals easily determined that Charles has partial responsibility for accounts payable by looking at the public company website, which lists his name, his title and an email address. The scammers also identified a ‘C’-level executive by reading a company news release and guessed when he was out of town by monitoring his social media accounts, which gave clues to his whereabouts. The criminals composed a bogus email to Charles that appeared to be from the ‘C’-level email account. The message expressed a sense of urgency and strongly requested that Charles wire money for a purchase to an account that belonged to the scammers. Normally, Charles would not comply with an emailed request for a wire transfer, but the apparent authenticity of the email, the urgency, and the fact that the ‘C’-level executive was indeed out of the office convinced him to act.
#3 The Story of a Masquerading Microsoft Technician. We received a call from a woman, we’ll call her Mom, who informed her son (an FDS IT professional) that she had taken a phone call from a man claiming to be a Microsoft technician. He called to inform her that her computer had been hacked. He directed Mom to log onto a website so that he could fix her computer, and then tried to sell her bogus products to correct the problem. This is not a new scam, and it is one that takes a few different forms. For example, sometimes the technician isn’t selling anything, but while remotely accessing the computer, he installs malware on the machine that is later used to steal online account information and passwords.
The list of cyberscams is long and growing. These crimes are becoming easier to perpetrate as individuals put more information online that allows scammers to guess passwords and effectively target their victims. We all need to be ever-vigilant and resist the urge to click on links that are presented to us by unknown sources, to provide sensitive information online, and to respond to requests without first verifying the source. For a list of recent scams or to report a scam, you can visit the FBI’s Internet Crime Complaint Center website.