Vanity Scams: How I nearly fell for one and why you shouldn’t

Kevin Fitzgerald
Aug 7, 2019

[Image: Fox. Photo: Jeremy Vessey]

Congratulations! You’ve been selected as the winner in our “Having a Presence on the Internet” Award!

Huh? But everyone I know has a presence on the internet, surely that’s not award worthy? Exactly! Which is why vanity scams are usually a lot cleverer than that.

If you get targeted for a vanity scam, you’ll probably be ‘selected’ for an award in the industry you work in. It’s likely to be tied to some project you’ve been working on recently — one that you’re already feeling pretty good about. Your award is a shiny trophy and some great graphics that you can put on your website. You can also feature in a glossy magazine that the whole world will see, and attend a fancy dinner. The marketing packages are attached (alarm bells ringing yet?). At the end of the day, the real reason you’ve been ‘selected’ for your award is simply because a scammer found you on the internet.

Give me a person’s name, and I can spend 5 minutes on a search engine coming up with a pretty convincing case as to why they should get an award. Allowing for all the healthy skeptics and people too busy to read their email, I probably could get a bite at least 20% of the time. Most people would choose the free package, which is fine: their use of my logo on their website only enhances my credibility. If only 1 person in 100 forks out a few hundred dollars for whatever random reward I have made up, that’s still a pretty good return. If I send out a couple of thousand emails a month, that 1 in 100 definitely makes it worth my while. It still works for banking scam emails; you bet it can work when enough ego stroking is involved.

On the face of it, a vanity scam is pretty harmless, except for maybe making you feel a bit foolish for falling for it, and a bit lighter in the pocket. Displaying a graphic on your website saying that you’ve won an award that isn’t really real is pretty harmless, right? Most people aren’t going to research it, so they’ll look at an award and genuinely believe it adds to your kudos. At the end of the day, isn’t it just an expensive form of advertising? Unfortunately, these scams can have a dangerous edge and pose a potentially serious risk to your business.

It happens to the best of us

I was recently targeted in a vanity scam and for a brief period of time I was convinced. I admit it felt great! The award appeared to relate to a project I had just completed, so I did believe that someone out there had noticed the great work my team and I had done. The person I was in contact with reassured me I had already won the award; I didn’t need to pay for anything unless I wanted to participate in their marketing campaign. It was a soft sell and I didn’t see any harm in it.

Once I thought deeper, however, I realised there was a huge amount of risk. Not just to my bank account, but to the integrity of my business.

Do your research

A preliminary Google search on this award enhanced their credibility. The award had a pretty substantial internet presence, plenty of people were online crowing about their awards, and there were a number of major company logos attached to their slick publications.

Once I started to dig deeper, however, the shiny facade fell off the walls of the caravan very quickly. Searching the award name with some of the company names quickly revealed these companies disassociating themselves from it. The award allegedly had an associated magazine that would have global distribution, yet I could find no evidence of previous publications, despite this award having been around for a while. The awards dinner allegedly attracted royalty, celebrities and a very expensive ticket price, yet no photos of previous events seemed to exist online.

Now I don’t know about you, but my understanding of modern event publicity is that if there are no event photos on social media, it never happened!

Thinking deeper about risk

Let’s for a moment consider that I had fallen for this scam and participated in their process to receive my award.

At a bare minimum I would have handed on some basic information about myself. Giving away information such as contact details and date of birth immediately opens up the risk of identity theft. These ‘award’ organisers probably wouldn’t engage in the theft themselves, but I bet they’d be selling my information to someone who would.

If I had put their award on my website and out to my social media networks I would immediately suffer a credibility loss. For an expert in infosec to fall for a vanity scam would be a bit embarrassing, wouldn’t it! Now I’m sure one of my great trusted colleagues would have quickly alerted me that I’d had the wool pulled over my eyes. But imagine for a moment no one did: how many current and future clients would see this, and what impact would that have on my credibility? The award I apparently won was for a service I don’t actually offer — and indeed have no idea how to do — so it would have looked a bit out of place. Trust me, people are falling for it. I’ve seen other businesses displaying awards for services they don’t offer!

When researching this award I came across a number of people who were proudly displaying their wins. Some of these people came from large companies which meant the company logo was splashed all over their award win. I would suggest that all of the large corporate logos that were on the awards partner pages were there for the same reason.

Some companies I looked at had gone to the extent of insisting their names and logos be removed from all materials published by this award. Needless to say, that hadn’t happened, so these companies still had their brand associated with this award. The credibility loss from such an association is probably pretty negligible. However, another company making profit out of an association with your credibility without your permission is not a great situation for any company to be in.

Of course, if I had been suckered into handing over money for a trophy or advertising space in their ‘magazine’ I would also be severely out of pocket. The top tier package would set me back almost AUD$15,000 and I guarantee if I had told them I was interested in that package they’d be talking me into all sorts of other wonderful and costly opportunities to capitalise on my ‘great achievement’.

If I was gullible enough to hand over vast quantities of money to an award like this, it is pretty likely they could have talked me into handing over all sorts of other private information too. Who knows where it could have gone. If I was silly enough to use bad password security, I could have just handed over enough information for a hacker to access my email and subsequently my organisation’s networks.

Minimising the risk

There are, of course, genuine awards out there to be won, and it’s quite likely that if you won a genuine award you’d be notified by email or a phone call. So how do you know the difference between a vanity scam and a genuine award? Here are my top tips:

6 ways to avoid falling for a vanity scam:

  1. Ask detailed questions as to how you got the award
    Ask specifically how you won the award. Ask for the name of the person who nominated you. Ask who the other nominees were. Any serious award would be upfront with this information from the start.
  2. Do some serious research into the legitimacy of the award. Don’t just take their word for it.
    Don’t just take their website as evidence. Research their partners and their association with the award. Look for previous winners. Research the name of the award AND the words scam, legitimate etc. If there is an event or publication tied to the award, search for evidence that these exist.
  3. Ask a friend
    Ask a trusted colleague, manager or friend to take a look at it for you. Fresh eyes often see what you can’t, especially when pride is part of the equation.
  4. Don’t hand over private information
    This is a general piece of advice that you should always follow, but specifically relevant in this case.
  5. Don’t pay
    No matter what you do, don’t hand over any money. If you win an award that asks you for money FOR ANY REASON, it is not likely to be legitimate. Many people run awards to increase exposure and business for their company. However, if the award is their sole reason for being, all you are doing is giving them money for nothing.
  6. Educate your team about the dangers of email scams.
    It is critical for all of the reasons listed above that your staff and colleagues are aware of the risks.

Vanity scams are not new, but in the internet age, they are becoming increasingly sophisticated. If you receive notification that you have received an award for your work, take pause before popping the champagne and do your research. Remember: a fool and their money are soon parted!

Kevin Fitzgerald has had over 40 years’ experience in Information Security research and consulting and is considered one of the leading pioneers in the infosec world. During this time he has worked with a broad range of organisations including mining, manufacturing, government, banking and finance, insurance, transport, telecommunications, entertainment, sport, and legal organisations, amongst others.
