Scamming the scammers

May 17, 2018



Why are scams so prevalent? How has technology aided their growth? In analyzing the psychology behind scams, can we inoculate ourselves to better prevent their success?

Are your inoculations up-to-date? I’m not talking about your tetanus shot, I’m talking about an inoculation of skepticism! 

This week alone I received a phony invoice for a conference I attended in 2017, two phone calls from my “credit card company” asking about two transactions made at 4 a.m. that day (eBay and Western Union), a text from my “bank” telling me that my credit card was disabled…  Couple that with the fact that we’ve just concluded tax season – it’s time to talk about scams!  

I’d recently finished reading the book “The Confidence Game: The Psychology of the Con and Why We Fall for It Every Time” by Maria Konnikova. It, together with a long-time favorite resource of mine, “Influence: The Psychology of Persuasion” by Dr. Robert Cialdini, is a resource I highly recommend to anyone trying to dissect the means of manipulation in daily life.

Cialdini’s Theory of Influence is based on six principles: reciprocity (the tendency to return a favor), commitment/consistency (a promise made is generally kept, even if the original motivation or incentive is removed), social proof (the tendency to join in when we see others doing it first), authority (the tendency to obey authority figures), liking (the tendency to join in when people we like are doing it first), and scarcity (the economic principle that perceived scarcity generates demand).

Konnikova couples Cialdini’s principles with stressors that make people more susceptible to scams: FOMO (Fear Of Missing Out), other worries (health, financial, and family concerns), and urgency. In particular, she focuses on our innate inclination to trust people. She describes in great detail how confidence games existed long before Ponzi, how technology has broadened the playing field, and how even sophisticated people can be duped.

Scams, when successful, usually play on a subset of these principles.  Some of the most prevalent scam vectors include:

Phone/impersonation scams

Fraudsters typically call the target and misrepresent themselves. In my most recent case, they claimed to be from VISA. In the background, I could hear a busy call center and my caller had a thick accent. They asked for my VISA number (and even told me the first few digits of my credit card). Note: you can go online and find the first several digits of your credit card, depending on the bank you use (it’s called the Issuer Identification Number (IIN), previously called the Bank Identification Number (BIN)).  I told them I had several VISA cards and wanted to know which bank it was.  They misidentified my real bank and then promptly hung up.

This fraud vector plays on the principles of authority, financial stress, and urgency. 

It’s important that you don’t offer these fraudsters ANY information whatsoever. Don’t confirm or deny anything, including which bank you actually use or any account numbers (checking, savings, investment, etc.), because every fragment can be used to build up a profile that is shared with other groups and used against you later.

Sometimes the fraudsters pretend to be from a tax authority (IRS, CRA), threatening arrest, deportation or revoking your license. Tax authorities do not typically use the phone to demand a payment (and certainly not through wire transfers, gift cards, or prepaid debit cards). In a similar vein, tax season provides ample opportunity for would-be identity theft. One of the best ways to defend against this is to file your tax return as soon as you can (electronic filing and direct deposit to receive a refund are generally considered the best method).

By default, don’t blindly trust any inbound phone call, even if the Caller-ID seems legitimate. If they ask you for personal information, ask for their phone number to call them back. Before calling back, check with Google to see if the number is legitimate (or just call the number on the back of your bank card). If someone claiming to be from the IRS calls you, call them back directly (personal: 800-829-1040, business: 800-829-4933). Similarly, the CRA may be reached at: 800-959-8281.

Many of these scams operate overseas, which adds layers of complexity and difficulty for investigators. It has been demonstrated that they’re well-organized businesses.  Don’t bait them. They have your phone number and you have little recourse if they decide to escalate.

Email scams

Phishing. Good old reliable phishing. It’s still the most popular attack vector for scamming people. From fake login pages for retail (e.g. Amazon, eBay, Apple Store), financial pages (e.g. banking, investment accounts, insurance claims), and As-A-Service offerings (e.g. Gmail, DocuSign), to Business Email Compromise (aka “Spoofing the Boss”), it’s an amazingly cost-effective and popular avenue for ripping people off. It may, but need not, use malicious content to achieve its goal; for that reason it can be difficult to prevent through purely technical means. This fraud vector also plays on the principles of authority, financial stress and urgency.

Increasingly, tax professionals, and finance and human resource personnel are being selectively targeted for user information. Within your business, ensure that those who have access to sensitive employee data are on especially high alert for inbound scams. 

It’s also important that you let family members know about this, especially those who might be particularly susceptible to fear tactics.

Some quick tips:

  • Use two-factor authentication wherever you can; where you can’t, use a unique, complex password for each account.
  • Never give out sensitive information over the telephone unless you’ve taken steps to verify the other party first.
  • Recognize the signs of a well-crafted email scam and exercise skepticism.

Twenty minutes after the first fake “VISA” call, I had another person call me and read off the identical script (4 a.m. charges to eBay and Western Union) amid the same noisy call center background. I figured that they hadn’t had a chance to update my contact information in their database from the earlier call. I told them that the charges were legit, and they quickly hung up.  

In this case, an inoculation of skepticism worked! However, there is no sure-fire way to guarantee a perfect result every time. I distrust every single inbound phone call until I have evidence to modify that belief. Not everyone has the ability to be so judgmental.

For example, when performing corporate social engineering tests, one area ripe for exploitation is the IT help desk. Because their job is to deal with dozens (if not hundreds) of inbound requests for assistance, usually with mundane issues such as password resets and access requests, it isn’t unusual for them to be exploited. It is critical that the process be detailed (and followed, consistently) to minimize the attack surface.

The third book I’d like to reference is “The Art of Deception: Controlling the Human Element of Security” by Kevin Mitnick. It details several stories and strategies that I find valuable. When assembling a strategy to defend against scams (and social engineering), I recommend you (or the course planner) read these three volumes for ideas.

It isn’t sufficient to simply hold a “once-a-year” security training session. Tools such as weekly advisories (e.g. examples of scam attempts that were caught internally) can help raise awareness. The judicious use of phishing tests can also help raise the baseline of skepticism. It is important to note that, stylistically, email phishing has improved considerably and now looks professional. Although Nigerian princes still try to give away their fortunes, in general the days of misspellings and low-resolution graphics are far behind us.

One last item of note from Konnikova’s book: we don’t generally recognize our own blind spots (of course – that’s why they’re called blind spots), but we’re usually well attuned to those of others. If you find yourself presented with an “opportunity” or unusual email, ask someone near you if it makes sense. Watch for undue urgency (“I need this wire transfer sent immediately!” or “Your email will be shut down if you don’t update your credentials!”).
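The cues this post lists for “Spoofing the Boss” mail (an executive’s name on an outside address, replies steered somewhere else, manufactured urgency) can be turned into a simple triage check that a mail gateway or help desk could run before anyone acts on a request. The Python below is an added example, not code from the original post or from eSentire; the executive name, the domains and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster (assumption): names that get impersonated in
# "spoof the boss" mail, mapped to the domain their real mail comes from.
EXECUTIVES = {"pat rivera": "example.com"}

# Urgency cues of the kind the post warns about ("sent immediately!",
# "will be shut down if ...").
URGENCY = re.compile(
    r"\b(immediately|right away|within the hour|shut down|disabled|urgent)\b",
    re.IGNORECASE,
)


def domain_of(address):
    """Lower-cased domain part of an address, or '' if it has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def flag_bec(raw_message):
    """Return the list of reasons a message looks like a BEC attempt.

    An empty list means none of the three cues matched."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    from_domain = domain_of(sender)
    reasons = []

    # Cue 1: a known executive's name, but mail from a domain that is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and from_domain != expected:
        reasons.append(f"'{display}' sent from {from_domain}, expected {expected}")

    # Cue 2: replies are steered to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To goes to {reply_to}, not the sender's domain")

    # Cue 3: urgency language in subject or body.
    payload = msg.get_payload(decode=True)
    body = payload.decode(errors="replace") if payload else ""
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + body)})
    if hits:
        reasons.append("urgency cue(s): " + ", ".join(hits))
    return reasons


# Constructed sample messages (not real mail).
SPOOFED = """From: Pat Rivera <pat.rivera@example-mail.net>
Reply-To: ceo.urgent@example-relay.org
Subject: Wire transfer
Content-Type: text/plain

I need this wire transfer sent immediately! Confirm when done.
"""
LEGIT = """From: Pat Rivera <pat.rivera@example.com>
Subject: Lunch next week
Content-Type: text/plain

Are you free on Tuesday?
"""
```

A message that trips even one cue is worth the “ask someone near you” step the post recommends before any money or credentials move.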

There is no absolute way to completely eradicate end users’ susceptibility to scams, but with constant care and diligence (coupled with technical measures), it’s possible to provide guidance to ensure a heightened awareness and skepticism.


Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). Eldon is founder and chief security strategist at cyber security company eSentire.

In founding eSentire, Eldon responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.

The opinions expressed in this blog are those of Eldon Sprickerhoff and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.