You’re seeing a convergence now of home and work, because now it really doesn’t matter to them where they get your attention at. And the attack is beyond any security tools you’ll have. This is why we need to get people to start thinking about this. It’s only going to get worse as we continue as technology advances. There’s an old NSA saying that attacks will always get better, never worse.
The changing face of fraud
I understood cyber crime was bad and I knew it was growing – but I was floored at the scale. I started really going deep into this on techniques and how criminals were finding their victims. The vast majority of financial losses online are either cyber frauds or cyber extortions. I go through both types – so within cyber fraud, there’s impersonation fraud, advance-fee fraud, investment fraud and identity fraud. For cyber extortion it is extortion and sextortion.
Social media and large Internet platforms are one of the key attack vectors for these criminals – and they’ve been found to be complicit over and over again. In my book, I use different cases that show how cybercriminals use these companies to find victims.
The book is about shining the light on how new technology is being used to attack you. We’re used to the fraudster, a high-pitched salesman or criminal we meet in the street. You’re not used to it on Facebook, you’re not used to it on a Zoom call. How often do you get physically attacked, face-to-face? More likely, you’re getting mugged online.
Some of the extortion is being directed at businesses. Obviously, ransomware is the big one, but people don’t realise it’s beyond ransom – there’s a whole other range of extortions that cybercriminals are running on businesses and individuals, very successfully.
Why is it so easy to defraud people online?
It’s proven that, as humans, we cannot tell when someone lies to us. As human beings we default to trusting each other. This is why it’s so easy for criminals to manipulate you – to manipulate their victims.
And there’s a whole range of persuasion techniques I go through in the book, along with ways to recognise these when they’re being used on you to defend yourself against them. What can be backed up with proof? What can be verified?
It’s like the rockstar candidate – on paper, they’re the best you’ve ever seen, but when it comes to verifying their content, nothing matches at all. Look at the evidence, not what is being said to you. What can be backed up? What are you going to believe?
Fraudulent advertising next to genuine companies
Starling Bank, one of the leading banks and digital banks in the US, boycotted Meta/Facebook and Instagram this year, because the ads they were running were being placed next to fraudulent investment ads.
Which.co.uk did a great analysis. They invented a fake water company and made really spurious claims, such as if you drink the water, it will reverse your age, make you lose weight… they invented a bunch of crazy stuff. No problem, they were able to run Facebook ads. They had a Facebook page that had 500 likes after a week of these claims. They placed Google Ads with no problem making the same dubious water claims. People were directed to a fake water company.
The government will protect us, right?
The problem in the UK, as in the US, is that it’s not regulated. Ofcom is regulating advertising on the TV and radio, and not doing enough to regulate online advertising in the same manner. Big platforms are improving efficiency, improving automation – but with that comes a trade-off that they can’t do the checks and balances. They can’t provide the necessary protection for consumers, their customers.
Less than 2% of cyber crimes get reported to the police. Less than 1% are ever investigated and prosecuted. So the criminal lives in a different country where there’s no extradition, and no one is coming after them. There are some cases where Interpol makes progress, but it’s a drop in the ocean. There’s just no deterrent for criminals.
Are romance scams business scams?
The FTC went after the largest online dating platform, Match.com because they said they could prove that 25 to 30% of the subscribers are fraudulent – and they can prove that Match know this. What kind of company does this?
In romance scams, a victim might lose say £10,000. But then the criminal will get in touch to offer them their money back if they help them to find new victims. “Be like a reference for us” or whatever else it might be, so these people go from being victims to being criminals themselves.
With sextortion attacks, people are persuaded to perform sexual acts on camera for someone they have met online. The entire encounter is recorded by the criminal. The criminal then threatens to send the recording to all their contacts – everyone at work. The employee will go to greater lengths to stop that recording getting released to co-workers, and that’s a huge company risk.
Cyber extortion comes in many forms. The FBI put out a warning recently about virtual kidnappings. Let’s say you get a call that says it’s from a trusted number – say your mother’s phone number – but then there’s a man’s voice with a muffled, frightened-sounding woman in the background. He says he has your mother and he’s going to harm her unless you pay. You will most likely be in an instant emotional state. In that emotionally charged state, they can perform magic on you.
If there’s anything they can make money on, they will. They’re getting slicker, they’re getting more targeted, and so when they come at you, it’s not random. It’s planned. Meticulously researched. And if the payoff is larger, then they’ll go the extra mile to scam you.
As IT professionals, we can all spot a phishing attack, can’t we?
People are used to attacks on emails, but they have a much harder time trying to spot an attack on WhatsApp. They’re not expecting it, so they have a harder time. It could be on a Teams call or a Zoom call. There’s an example of a head of HR being contacted by the CEO of a company via WhatsApp and the CEO is saying “look, I’m just heading to a meeting. And I am under a huge amount of stress because of our backers and our investors. A lot is riding on this meeting and I completely forgot my gift certificate voucher I was going to give to our investor. Can you just do me a huge favour, go ahead and get these gift certificates, then send me the codes? I just need three £100.00 gift certificates.”
Sounds plausible and there is some urgency, so the head of HR sends the codes. And then he escalated it and got her to do another nine before she stopped. Everyone gets caught out in the right moment at the right time, and it’s just being in that emotional state.
Start-ups are always looking for money
There was a cybercriminal operation running out of Eastern Europe. They’d contact start-ups posing as an investor and would say “I love your product. I’m going to invest £10 million into it”. So, the start-up is ecstatic and will do anything to get that money. What happens next is there’s always a due diligence between the two partners. The investor will pay for half and the company pays half – but sometimes the company will pay 100%. So the fraudster says, “I have a preferred due diligence company that I would like you to use”, so the start-up pays all the fees. Afterwards, the investor suddenly decides not to invest. It’s estimated the scam has cost start-ups in excess of $30 million.
People don’t want to report it, but businesses do, right?
Unless legally required, businesses overwhelmingly do not report cyber crime attacks, because there’s no upside for them to report it. If they fall victim to an advance-fee fraud or business email compromise, they’re most likely not going to catch the culprit and they don’t want to take the reputational hit, so they just don’t do it.