You’re not paranoid, you’re careful. At least that’s what you tell yourself. You run the most robust antivirus software, dropping money each year for the latest version. You use two-factor authentication (2FA) on any website that offers it. You read Krebs on Security. And while most people use passwords, you use passphrases; they’re all more than 20 characters and include capital letters, lowercase letters, numbers, and the odd special character. Not only are your passphrases more secure than complex passwords, but you can also remember “2$hy2$hyhu$hu$heye2eye” much better than “s7Y%2b#&sg.” Not that you need to. You use a password locker and change the master passphrase on your account every month. Your phone has a six-digit passcode that you change each day.
You set the tightest privacy settings on your social media accounts months ago, then, in a moment of clarity, you deleted the accounts altogether. You never communicate personal information via email, picking up the phone anytime you need to share so much as your date of birth. And when you do make calls or send texts, you use an encrypted service. You are, without doubt, much better protected than nearly everyone else on the planet. But you’re still not safe. Scammers are constantly evolving their techniques and exploiting vulnerabilities both technological and psychological. As soon as the security industry puts the clamps on one method of conning people, the scammers find a new one, leaving even the most tech-savvy susceptible to attack. “Anyone who thinks they’re above it is really fooling themselves,” says Steve Weisman, from Scamicide.com. “The person who thinks they can’t be scammed is the best target,” he adds.
Here are the ways scammers are getting through right now, and how to avoid them.
1. The CEO Scam
Despite decades of warnings and millions of victims, people are still falling for email scams because scammers are becoming more and more creative. Last year, a sophisticated Google Docs phishing attack duped millions into turning over access to their Gmail accounts. And while everyone thinks they can spot a Nigerian prince scam, also known as 419 fraud, that old standby has evolved beyond the mistake-laden messages blasted out to the easily duped. In May, cybersecurity firm Crowdstrike reported on the latest scam from Nigeria’s bustling confidence-game sector. The “business email compromise” (BEC) is a hyperfocused “spear phishing” campaign that targets specific companies. Scammers first infiltrate a firm’s email system. Once they have access, they monitor how the company operates. They steal legitimate documents, and then they pounce. “There will be an email from the CEO saying, ‘I want to complete this transaction. And I want you to wire this to a bank in Singapore,’” says Chris Bronk, a cybersecurity expert at the University of Houston, describing the typical path of a BEC. The scammer relies on his ability to spoof a real invoice and on a subordinate’s deference to their boss. When the con works, the employee dutifully follows the orders from their “boss” and sends money to the scammer’s account before realizing they’ve been duped. The broad strokes of this scam aren’t new, but this iteration is working now more than ever, with the FBI reporting in July that $12 billion has been lost globally to it.
How to Avoid It
Password protection: Preventing this con starts with denying scammers access to a company’s email system. If they can’t steal a real invoice, they won’t be able to make a convincing fake one. Strict password policies are a good place to start. Passwords should be complex, varied, and stored in a password locker such as LastPass, Dashlane, or Keeper. These services aren’t without their risks, but you “have to believe in someone.” “And it beats the alternative of having the same loose password across all accounts.”
Physical keys: If passwords are compromised, a physical key could still shut down a scammer. Google has had success with this amped-up version of two-factor authentication, which replaces the single-use text messages most banks used to confirm identity with a plastic key that’s inserted into a USB port. In July, the tech giant claimed that after a year of requiring users to use physical keys, not one of its more than 85,000 employees had their account taken over. “That’s one of the big revolutions in terms of authentication,” Dascalescu says of the keys. “They’re tiny, extremely affordable devices that eliminate all the chance of someone getting into your account via traditional phishing methods.”
Skepticism: Not every company is Google. For those firms, it’s essential that people know the classic signs of a suspicious email. They can be filled with spelling and grammar mistakes, promise something that’s too good to be true, or appear threatening. And some scammers stay well-informed, says Eugene Spafford, a computer science professor at Purdue University. “Many will look to see what’s been in the news. If there’s a disaster, they’ll fake aid relief.” Dangerous links can be identified before clicking by scrutinizing the URL. If it looks suspicious, don’t click. Of course, scammers have found ways around this. Homographic attacks occur when scammers create email addresses or URLs that look legitimate but include indistinguishable lookalike letters in place of the expected ones. A capital “I” may be replaced by a lowercase “l,” or Cyrillic letters could be used in place of English ones. This particular con cost one of Australia’s richest men $1 million last year after his assistant was duped by an email that came from an account one character off from his.
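As an added, defender-side example (not code from the article or from any product it names), the following Python checker applies the advice above to a URL or sender address before anyone clicks: it flags non-Latin letters standing in for Latin ones, mixed scripts inside one domain label, punycode (`xn--`) labels that a browser would render as non-ASCII, and plain ASCII swaps such as “l” for “I”, “0” for “O” or “rn” for “m” when compared against domains the reader trusts. The `TRUSTED_DOMAINS` set and every sample address are constructed placeholders.

```python
"""Flag look-alike (homograph) domains before anyone clicks or replies.

Added example for this article; not code from the article or any vendor.
"""
import unicodedata
from typing import List, Set, Tuple

# Constructed placeholder list of domains the reader actually deals with.
TRUSTED_DOMAINS: Set[str] = {"example.com", "bank.example"}

# Single ASCII characters commonly swapped for one another in look-alike names.
_ASCII_FOLD = str.maketrans({"l": "i", "1": "i", "0": "o"})


def skeleton(name: str) -> str:
    """Collapse visually confusable ASCII characters to one canonical form."""
    # Lower-casing folds "I" into "i" and "O" into "o"; "rn" reads as "m".
    return name.lower().replace("rn", "m").translate(_ASCII_FOLD)


def script_of(ch: str) -> str:
    """Return the Unicode script name of a letter, or COMMON for non-letters."""
    if not ch.isalpha():
        return "COMMON"
    # unicodedata.name() gives e.g. "CYRILLIC SMALL LETTER A"; first word is the script.
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def domain_of(target: str) -> str:
    """Extract the host from a URL, or the domain from an e-mail address."""
    if "://" not in target and "@" in target:
        return target.rsplit("@", 1)[1].lower()
    host = target.split("://", 1)[-1].split("/", 1)[0]
    # Drop any user-info prefix and port so only the host remains.
    return host.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def check_domain(domain: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable warnings; an empty list means nothing looked odd."""
    findings: List[str] = []
    for label in domain.split("."):
        if label.startswith("xn--"):
            findings.append(f"punycode label {label!r}: a browser would render it as non-ASCII")
        if any(ord(c) > 127 for c in label):
            findings.append(f"non-ASCII character(s) in label {label!r}")
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {label!r}")
    if domain not in trusted:
        folded = skeleton(domain)
        for known in sorted(trusted):
            if folded == skeleton(known):
                findings.append(f"{domain!r} is an ASCII look-alike of trusted {known!r}")
    return findings


def check_target(target: str) -> Tuple[str, List[str]]:
    """Convenience wrapper: returns (domain, warnings) for a URL or address."""
    domain = domain_of(target)
    return domain, check_domain(domain)


if __name__ == "__main__":
    # Constructed samples: one legitimate, one ASCII swap, one Cyrillic swap.
    for sample in ("https://example.com/login",
                   "https://user@examp1e.com:443/login",
                   "alerts@p\u0430ypal.com"):  # U+0430 is Cyrillic small a
        domain, warnings = check_target(sample)
        print(sample, "->", domain, warnings or "looks clean")
```

The script check is deliberately per label rather than per domain, because a legitimate internationalized name uses one script throughout; a label that mixes Latin and Cyrillic letters is the signature of the substitution described above, and the skeleton comparison catches the ASCII-only variants that no script check can see.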
2. Sextortion
Anyone with the slightest bit of web savvy would have no trouble ignoring an email from an unknown sender claiming to have a recording of them watching porn. But what if the sender revealed that they knew a password you’ve used before? Would that spook you? That’s what the people behind one of 2018’s biggest scams are hoping when they try to get victims to fork over a ransom to prevent lurid videos from being shared with their contacts. The key to pulling off this increasingly popular scam — the FBI says it received 13,000 complaints in July alone — is convincing victims that the threat of exposure is real. That’s where the old password, also obtained from a data breach, comes in. “There are a lot of people who are very nervous, who don’t have unique passwords on every site, who may give in,” Weisman says. Once they do, they’ll fork over thousands of dollars to retain their privacy.
How to Avoid It
Cover your webcam: In addition to regularly updating your passwords and never reusing them, a simple, rudimentary step can prevent victims from falling for this scam. Place a piece of electrical tape over your webcam, and you’ll know that no matter what weird stuff you’re doing in front of your laptop, no one is watching.
3. SMishing
They phish via email, they phish over the phone, and yes, scammers phish via text. Since the technique is not as well known, people aren’t always as suspicious of scammy texts as they should be. These attacks are particularly successful because we’ve gotten used to receiving legitimate information via text. Banks allow consumers to receive text alerts, which trains us to trust the messages. This is generally a good thing, because it allows banks to quickly make sure it’s you. Scammers know we’re used to this method of communication, however, and they exploit it. “A savvy attacker is one who says, ‘This is something you do all day, and I’m going to inject one of these decisions into this for my purposes.’”
How to Avoid It
Never click: Don’t reply to texts from unknown senders, and never click on suspicious links. If these scams are done well, though, they won’t be obvious. There are apps, such as VeroSMS and SMS Shield, that will block some spam texts from getting through, but financial institutions also have a role to play here. “They have to do a much better job of alerting consumers to these problems. Banks should say, ‘No, we’re not going to be calling. We’re not going to be asking for personal information.’ I just think they don’t do enough.”