You’re not paranoid, you’re careful. At least that’s what you tell yourself. You run the most robust antivirus software, dropping $40 each year for the latest version. You use two-factor authentication (2FA) on any website that offers it. You read Krebs on Security. And while most people use passwords, you use passphrases; they’re all more than 20 characters and include capital letters, lowercase letters, numbers, and the odd special character. Not only are your passphrases more secure than complex passwords, but you can also remember “2$hy2$hyhu$hu$heye2eye” much better than “s7Y%2b#&sg.”
Not that you need to. You use a password locker and change the master passphrase on your account every month. Your phone has a six-digit passcode that you change each day. You set the tightest privacy settings on your social media accounts months ago, then, in a moment of clarity, you deleted the accounts altogether. You never communicate personal information via email, picking up the phone anytime you need to share so much as your date of birth. And when you do make calls or send texts, you use an encrypted service.
You are, without doubt, much better protected than nearly everyone else on the planet. But you’re still not safe. Scammers are constantly evolving their techniques and exploiting vulnerabilities both technological and psychological. As soon as the security industry puts the clamps on one method of conning people, the scammers find a new one, leaving even the most tech-savvy susceptible to attack.
“Anyone who thinks they’re above it is really fooling themselves,” says Steve Weisman, who covers the latest in tech frauds on Scamicide.com. “The person who thinks they can’t be scammed is the best target,” he adds. Here are five ways they could be taken.
1. The CEO Scam
Despite decades of warnings and millions of victims, people are still falling for email scams “because scammers are becoming more and more creative,” says Ana Dascalescu of Heimdal Security, a global security firm based in Denmark.
Last year, a sophisticated Google Docs phishing attack duped millions into turning over access to their Gmail accounts. And while everyone thinks they can spot a Nigerian prince scam, also known as 419 fraud, that old standby has evolved beyond the mistake-laden messages blasted out to the easily duped.
In May, cybersecurity firm Crowdstrike reported on the latest scam from Nigeria’s bustling confidence-game sector. The “business email compromise” (BEC) is a hyperfocused “spear phishing” campaign that targets specific companies. Scammers first infiltrate a firm’s email system. Once they have access, they monitor how a company operates. They steal legitimate documents, and then they pounce.
“There will be an email from the CEO saying, ‘I want to complete this transaction. And I want you to wire this to a bank in Singapore,’” says Chris Bronk, a cybersecurity expert at the University of Houston, describing the typical path of a BEC. The scammer relies on his ability to spoof a real invoice and a subordinate’s deference to their boss. When the con works, the employee will dutifully follow the orders from their “boss” and send money to a scammer’s account before realizing they’ve been duped.
The broad strokes of this scam aren’t new, but this iteration is working now more than ever, with the FBI reporting in July that $12 billion has been lost globally due to the scam.
How to Avoid It
Password protection: Preventing this con starts with denying scammers access to a company’s email system. If they can’t steal a real invoice, they won’t be able to make a convincing fake one.
Strict password policies are a good place to start. They should be complex, varied, and stored in a password locker such as LastPass, Dashlane, or Keeper. These services aren’t without their risks, but you “have to believe in someone,” Dascalescu says. “And it beats the alternative of having the same loose password across all accounts.”
Physical keys: If passwords are compromised, a physical key could still shut down a scammer. Google has had success with this amped-up version of two-factor authentication, which replaces the single-use text-message codes most banks use to confirm identity with a plastic key that’s inserted into a USB port. In July, the tech giant claimed that after a year of requiring users to use physical keys, not one of its more than 85,000 employees had their account taken over. “That’s one of the big revolutions in terms of authentication,” Dascalescu says of the keys. “They’re tiny, extremely affordable devices that eliminate all the chance of someone getting into your account via traditional phishing methods.”
Skepticism: Not every company is Google. For those firms, it’s essential that people know the classic signs of a suspicious email. They can be filled with spelling and grammar mistakes, promise something that’s too good to be true, or appear threatening. And some scammers stay well-informed, says Eugene Spafford, a computer science professor at Purdue University. “Many will look to see what’s been in the news. If there’s a disaster, they’ll fake aid relief.”
Dangerous links can be identified before clicking by scrutinizing the URL. If it looks suspicious, don’t click. Of course, scammers have found ways around this. Homographic attacks occur when scammers create email addresses or URLs that look legitimate but include indistinguishable lookalike letters in place of the expected ones. A capital “I” may be replaced by a lowercase “l,” or Cyrillic letters could be used in place of English ones. This particular con cost one of Australia’s richest men $1 million last year after his assistant was duped by an email that came from an account one character off from his.
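Lookalike and one-character-off addresses of the kind described above can be screened mechanically before a person ever has to eyeball them. The check below is an added example, not code from the article or from any product it mentions; the trusted domain example.com and the small confusable table are constructed for illustration and are far from the full Unicode confusables list.

```python
import unicodedata

# Constructed confusable table (not the full Unicode list): lookalike -> ASCII.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u0458": "j", "\u0455": "s", "1": "l", "I": "l", "0": "o",  # ј ѕ, digits/Latin
})

def hostname_of(address):
    """Host part of an email address ('user@host') or a URL."""
    if "://" in address:
        address = address.split("://", 1)[1]
    address = address.split("/", 1)[0]
    return address.rsplit("@", 1)[-1]

def skeleton(host):
    """Fold lookalike characters so visually similar hosts compare equal."""
    folded = unicodedata.normalize("NFKC", host).translate(CONFUSABLES)
    return folded.lower().replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance; catches hosts that are a single character off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address, trusted_hosts):
    """Return 'trusted', 'lookalike' (identical after folding), 'near-miss'
    (one edit away), 'mixed-script' (Latin plus another alphabet) or 'unrelated'."""
    host = hostname_of(address)
    if host.lower() in trusted_hosts:
        return "trusted"
    sk = skeleton(host)
    if any(sk == skeleton(t) for t in trusted_hosts):
        return "lookalike"
    if any(edit_distance(sk, skeleton(t)) == 1 for t in trusted_hosts):
        return "near-miss"
    # Unicode character names start with the script, e.g. "CYRILLIC SMALL LETTER IE".
    scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
    if len(scripts) > 1:
        return "mixed-script"
    return "unrelated"
```

A mail gateway or link checker would hold or flag anything that classifies as lookalike, near-miss or mixed-script against the organization’s own domains and those of its banks and vendors.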
Anyone with the slightest bit of web savvy would have no trouble ignoring an email from an unknown sender claiming to have a recording of them watching porn. But what if the sender revealed that they knew a password you’ve used before? Would that spook you?
That’s what the people behind one of 2018’s biggest scams are hoping when they try to get victims to fork over a ransom to prevent lurid videos from being shared with their contacts. The key to pulling off this increasingly popular scam — the FBI says it received 13,000 complaints in July alone — is convincing victims that the threat of exposure is real.
That’s where the old password, also obtained from a data breach, comes in. “There are a lot of people who are very nervous, who don’t have unique passwords on every site, who may give in,” Weisman says. Once they do, they’ll fork over thousands of dollars to retain their privacy.
How to Avoid It
Cover your webcam: In addition to regularly updating your passwords and never reusing them, a simple, rudimentary step can prevent victims from falling for this scam. Place a piece of electrical tape over your webcam, and you’ll know that no matter what weird stuff you’re doing in front of your laptop, no one is watching.
There was a time when the most dangerous thing that could be lurking on the other end of a phone call was a 12-year-old asking for Jacques Strap. Not anymore. Phone calls remain the most popular method of contact for financial scams, and by 2019, half of all calls to mobile phones will be scams, according to communications firm First Orion.
They’re only getting more sophisticated. Modern voice phishing calls will come from a number you recognize. Your bank, perhaps, calling to say there’s a problem with your debit card. The security appears to have been breached, the polite voice will say.
They’ll ask for account information, such as your PIN, or the three-digit security number on the back of your card. If you hesitate—and you should—they may try to ease your worries by confirming their identity. They’ll read off the last four digits of your Social Security number, something you’d assume only your bank would have, and hope you let down your guard.
You shouldn’t, says Weisman. “They’re providing you with information to make them appear legit,” he says. And most likely, the information will be correct. Scammers are scooping up personal data from companies such as Equifax, which exposed the sensitive information of 143 million people last year. By itself, that data isn’t terribly lucrative. But scammers know how to put it to use, opening up what Weisman calls a “brave new world” of possibilities.
How to Avoid It
Hang up: If a bank or credit card company calls and starts probing for personal account information, that should set off red flags, Weisman notes. “There’s never a reason for the bank to ask for your PIN or CVV. They have that information.”
Spafford says if someone calls from a bank or other financial institution, you should never give away any personal information on that particular call. “You should ask for their name or the case number. Hang up, look up the phone number, call them back, and ask for that person to verify that it’s really them.”
These days, the process of verifying a bank’s phone number isn’t as easy as it might seem. One common mistake, says Dascalescu, is plugging a number into Google in hopes of verifying it. “Scammers are hijacking Google results,” she notes. “No one should believe Google results.”
Call back, but confirm the number first: Pull out a bill and call the number printed on it. Or flip over your credit card and call the number on the back. But be careful when dialing. “Some scammers have purchased phone numbers that are one digit off from the legitimate number,” Weisman says.
Download an app: It’s a good idea to add your name to the National Do Not Call Registry, but don’t expect that to protect you from every bad actor. Downloading a third-party app such as Hiya, Truecaller, or Robokiller will help close the gap. These apps check incoming calls against a database of millions of numbers used by spammers, scammers, and robocallers. If they find a match, they reject the calls before your phone rings.
They phish via email, they phish over the phone, and yes, scammers phish via text. Since the technique is not as well known, people aren’t always as suspicious of scammy texts as they should be, Weisman says.
These attacks are particularly successful because we’ve gotten used to receiving legitimate information via text. Banks allow consumers to receive text alerts, which trains us to trust the messages. This is generally a good thing, Bronk says, because it allows banks to quickly make sure it’s actually you buying those Guess jeans at an outlet mall. Or not, in Bronk’s case. “I can’t wear Guess jeans,” he says.
Scammers know we’re used to this method of communication, however, and they exploit it. “A savvy attacker is one who says, ‘This is something you do all day, and I’m going to inject one of these decisions into this for my purposes,’” Bronk explains.
How to Avoid It
Never click: Don’t reply to texts from unknown senders, and never click on suspicious links. If these scams are done well, though, they won’t be obvious. There are apps, such as VeroSMS and SMS Shield, that will block some spam texts from getting through, but financial institutions also have a role to play here, Weisman points out.
“They have to do a much better job of alerting consumers of these problems,” he says. “Banks should say, ‘No, we’re not going to be calling. We’re not going to be asking for personal information.’ I just think they don’t do enough.”
5. RFID Wallets
The stories have been around for years. High-tech hackers are walking around crowded places stealing credit information with radio frequency identification skimmers. They’re called electronic pickpockets, and a whole market of RFID-blocking wallets, purses, and even jackets has cropped up to thwart them. These solutions appeal to the tech-savvy consumer. Turns out, however, that there’s very little evidence that this is a problem. In this case, it’s not the shadowy scammer conning victims out of their money, it’s the people purporting to protect them.
How to Avoid It
Don’t bother: Since it’s not happening, there’s no need to avoid it. But if you’re ultra cautious, Dascalescu says there is a product that’s less expensive and more effective than the RFID-blocking wallets in SkyMall. “Any piece of aluminum foil would work,” she says.