Advance-Fee Fraud and Its Origins Believe it or not, those emails have their roots in the 18th and 19th centuries, where scammers wrote letters to their targets begging for some small financial assistance in exchange for a significant reward. Rather than a Nigerian prince seeking escape from political turmoil, one such attempt featured a wealthy Spanish prisoner that needed to be smuggled out of Spain and required some investment to bribe the guards. These scams continued over the years, appearing in French investigator Vidocq’s memoirs and reports of other transnational scams exist from 1922. Today, these advance-fee scams are most recognizable in the form of the Nigerian Prince scam, as referenced above… and thanks to the Internet, they are far more prevalent, as there aren’t even postal costs to prevent scammers from using them on a widespread basis. Why These Scams are Notoriously Obvious One would think that, as a scam that has become the go-to example of a scam, cybercriminals would have abandoned it long ago—or at least worked to make them more convincing. So, why are these scams still around, and still so transparent? In 2012, a researcher for Microsoft named Cormac Herley asked the same question and conducted a project to find the answer. His conclusion was brilliantly simple: these scams allowed hackers to weed through potential victims to find the ones most susceptible to their efforts. Cyberattacks aren’t free for cybercriminals to carry out. So, just as anyone who invests in something would want, they want to see the greatest return for that investment. In a cybercriminal’s terms, this translates to the highest number of successfully scammed people who comply with their demands. Just like in any business, a cybercriminal will want to minimize the number of false positives (in this case, targets that never send over any money). Looking at it from an economic perspective, the higher the number of false positives the cybercriminal invests in, the lower the net payout for them. After compiling statistics and going through the numbers, it became apparent to Herley that cybercriminals use the now-infamous word “Nigeria” in their scams to eliminate these false positives more effectively. Essentially, by using that word early on in their interaction with a potential victim, cybercriminals were able to shrink their target pool to only the most gullible or naïve people they had found. By cutting out the false positives early in the game, scammers could minimize their investment without sacrificing any payoff. All the grammatical errors, misspelled words, and far-fetched tales just serve to eliminate the people who ultimately wouldn’t be fooled anyway. For more detail, you can find documentation of Herley’s process here. How to Keep Your Business Safe Of course, not all scams operate this way, so it is still important for you and your team to know what to keep an eye out for. The Federal Bureau of Investigation provides the following list of rules to follow to avoid scams: If something sounds too good to be true, it is safe to assume it is. If you receive correspondence from someone asking for money or information, go through the proper steps to confirm the message’s legitimacy through other means, like a phone call. Have a professional go over any agreement you’re about to enter so that you can fully […]
How are Cybercriminals Using Coronavirus? “You can sit in a room and create anything you want on a laptop. That’s why the real con men are gone.”– Frank Abagnale Reformed con man and FBI consultant Frank Abagnale is right, as the cybercrimes shaped around the coronavirus have proven. Due to the deep anxiety and trepidation that the media coverage of COVID-19 has encouraged, cybercriminals have been handed an opportunity to take advantage of the panicked populace through phishing attempts… an opportunity they have embraced since the end of January. These themed attacks have been directed toward a variety of targets. For example: Healthcare providers have been targeted by phishing attacks that deliver keylogging malware, meant to look like emails from local hospitals or the World Health Organization. “Informational” emails referencing coronavirus have enabled hackers to introduce ransomware to the populace. Members of the supply chain have seen coronavirus emails that install information-extracting malware through malicious Microsoft Word documents. Of course, this kind of activity has been going on for far longer than the Internet has been around… it’s just that the Internet makes these attacks much more efficient and effective. How this Complicates Things Unfortunately, the latest application of these attacks have proven effective. Much of this is likely due to the fact that they are leveraging a very visible and nerve-wracking event, which helps to boost the interest of a target. This same tactic is the reason that so many phishing attacks are launched right around tax time, and why fraudulent messages were shared via SMS claiming that the recipients needed to register for the draft… for a fee. Whatever the approach, the tactics have remained the same: scare the recipient enough that they don’t consider that the message may be fraudulent, and give them a perceived “out” if they turn over their information. Adding to the complexity, the situation with COVID-19 is just different enough from other events that cybercriminals typically take advantage of, for it to be uniquely dangerous. For instance, many of the other disasters that a cybercriminal will use to their advantage are over in a relatively short time frame. In comparison, COVID-19 has already spent weeks dominating the headlines, with no way to tell how many more weeks (or months) are yet to come. In addition to this, coronavirus is largely unprecedented, unlike the foundation of many other phishing attacks (such as major sporting events and the like). This means that there is no real resource that is known to be trusted for people to turn to. For weather events, the National Weather Service and FEMA fill that role… no such resource is as commonly trusted for coronavirus. What Can Be Done In most cases, resisting these efforts will require a combination of basic cybersecurity measures and–perhaps more critically–user awareness and education. While your protections will ideally block the majority of phishing attacks and malicious messages, you need to be sure that your employees are aware of how such attacks should be handled: Train effectively – Rather than taking up half of one day on a dull and repetitive training seminar, split your training efforts into shorter pieces, focusing on assorted aspects of the threat at hand. Give your team the knowledge they need to recognize phishing attacks and understand the importance of mitigating […]
Over the last three or four years, we’ve seen some of the world’s biggest data breaches. Yahoo, Marriott-Starwood, and Equifax were the highest profile attacks, with a combined 3.5 billion accounts hijacked for those events on their own. To put that in perspective, you could take any two human beings on the planet, and there would be a pretty good chance that one of them was a victim of a data breach over the last three years. Security breaches like this have increased by over 67% since 2014, and the trend is still climbing. What’s at Stake? We’re Basically All Hacked Now? It’s actually almost a good thing that these massively high-profile data breaches are happening. Hear me out: It brings this type of crime to the public eye – Most Americans know about the Equifax breach. Awareness is a huge step in the right direction. There is so much data in these breaches that it is practically impossible for cybercriminals to use it all – If 500 million credit card numbers are stolen, the chances of one in particular being used goes down substantially. We’re not looking at data breaches in a positive light, but I firmly believe that the last few years has been the lesson the world needed, and it is a lesson a lot of organizations are taking very seriously. Policies and laws are hitting the books, and compliance regulations are being mandated within certain industries. Organizations of all sizes are taking data security seriously. What Does This Mean for Smaller Businesses? Of course, when we talk about data breaches, we always reference the big ones like Yahoo, Target, Sony, eBay, etc. Or we talk about the municipal attacks, where large cities like Albany, NY and Baltimore, MD were targeted, along with smaller towns like Wilmer, TX and Lake City, FL being held at ransom. We don’t hear about the 40-person company that goes under because of a cyberattack, because it affects fewer people. The problem is that small businesses are a major target. In fact, according to a survey by Verizon, 43% of breach victims were small businesses. Smaller businesses are easier targets because they usually don’t pay as close attention to their security. It’s Time to Take Cybersecurity Seriously There are things you can do. If you want to start getting serious about your organization’s cybersecurity, there is no time like the present. Call our knowledgeable IT professionals at SRS Networks today at (831) 758-3636 to get started taking the steps you need to keep your company’s data and infrastructure secure.
You are the only thing that can truly protect you from a phishing attack. Without participation, it simply is a phishing attempt. Hackers are always looking for clever ways to fool their potential victims, so can you trust your employees to recognize the telltale signs of a phishing attempt? Habitual Efforts to Foil Phishers Learning to do things the correct way is a lot easier than breaking a habit. Here are a few habits you can train your staff to do to recognize and avoid phishing attempts: Check Links BEFORE Opening Them Getting in the habit of clicking links without checking the URL is an all-too-common mistake amongst staff. If you receive a link and want to know where it will take you, all you have to do is hover over it. If you aren’t able to see the link, or the entire link, you can also right click it and copy the address it will take you to. From there you can paste it into a notepad and further examine it. While a trained eye can detect a phishing attempt, some phishers cleverly disguise their links. Learn How to Spot Fraudulent Links If your eye is untrained, and you aren’t able to identify the legitimacy of these two links, SRS Networks is here to help. amazon.com/deals/offers amazon.com.deal/offers Which of those two links would you confidently click on? Hopefully you said the first one. The tell-tale sign that a URL is coming from a fraudulent website is there will be a “dot” after the domain. The domain (example.com, example.net) is typically read as example dot com. So, if you see a link that says example dot com dot something, the link is more than likely a phishing attempt. If you aren’t entirely sure, your best bet is to avoid the link entirely. Another method phishers will often use is slight alterations in domain names. Our minds are trained to read words even when the “in between” characters are incorrect, or characters are in the wrong order. As long as the first letter and last letter are correct, typically we can make out the words without issue. Don’t believe me? Quickly skim through this list: amazon.com google.com ebay.com payal.com reddit.com visa.com Did you notice the incorrect link right away? If not, take a closer look. This simple practice is used by phishers with great results. Emotions Lead to Phishing Vulnerability Becoming a victim of a phishing attempt is easier than you might think. Once emotions are involved, instincts often kick in and result in an easy hookset. Let’s take a look at a few scenarios. “Congratulations! You have won a free iPad!” If you are lucky enough to win an item for absolutely no reason, chances are you are unlucky enough to fall victim to a phishing attempt too. Avoid these links at all costs. “You have been issued with a driver’s violation:Type: SpeedingAmount due: $143 This fee will be forwarded by mail to your address. However, you can screen it now by pressing here: DMV Notification” This one is more difficult to recognize, and frustration can easily get in the way of habitual email awareness. It is important to train your staff to recognize all different types of attempts. Examples are the easiest way for your staff to understand just […]
Here, we’ll review the various scams that frequently appear on social media to help you better identify problematic content on your feeds. Many of these may not seem to apply to your business’ social media presence at first glance, but it is important to remember that your personal social media and your professional representation on social media are closely linked. As a result, a breach of your personal account could easily put your business’ representation at risk as well. Gossip Scams “See PHOTOS of the celebrity that secretly lives in your area!” “You’d never believe who DWAYNE JOHNSON spends his free time with!” “You’ll be SHOCKED to learn which beloved ‘90s sitcom cast formed a blood cult!” You’ve likely seen ads pop up on your Facebook (or have had some of your connections share stories on their Newsfeeds) making claims similar to these. People like to live vicariously through the celebrities they admire, but these scams more often than not fool them into downloading malware after visiting a page. Fortunately, avoiding these scams is fairly simple – all you have to do is take in gossipy headlines with a grain of salt and avoid downloading programs from anywhere but the actual source. Nigerian Scam/Stuck Abroad Scam “Hello Dearest Friend, I am Prince Akinola. During the recent uprising in my country, my father was murdered in his sleep. To protect his riches, I seek a trustworthy Person to help me transfer 3 million US dollars into an account for a time. Helping me, you will be able to keep 35% of it to use as you see Fit. Please reply to me immediately with your name and phone number so I can leave this country and transfer the money to you.” These scams are perhaps some of the most famous, originally appearing in Nigeria but quickly spreading the world over. Basically, instead of netting a large percentage of a fortune, the victim usually is scammed out of their banking credentials or are asked to pay “processing fees” before their “payment can be delivered.” “I’m so glad I got the chance to send this message. I’m overseas in Europe and my wallet was stolen! I need $1,300 to get home. Could you wire over the money for me?” In the more personal version of the Nigerian scam, a cybercriminal will hack into someone’s account and start spreading a facetious sob story among their friends and relatives, hoping that someone will wire money in an attempt to help. While we would all want to do anything, we could for a friend, it is important to verify their story with them via some other means of communication. Lottery Scams/Who Viewed Your Profile Scam/IQ Scam “Congratulations! A gift card worth $1500 is reserved for you!” Wouldn’t it be nice, right? Quite a few of the scams that appear on social media come up in the form of pop-up messages, offering a generic prize in exchange for some personal information. Some will ask for a mobile number so they can charge data fees from you, while others will ask for your banking credentials to steal from you that way. While winning anything like what these scams offer would be undeniably awesome, you can’t win a contest that you didn’t enter. “Want to know who’s been looking […]
- 1
- 2