This week is a busy week for our Forensic team. Not only is it Privacy Week this week, it is also Fraud Week, not to mention the cyber attacks.
To kick this off properly, the ACCC has released its Targeting Scams report, which provides a wealth of information on the latest scams Australians have reported through channels like the ACORN website. This reporting seems to be going well as there was a record 47 percent increase in reports from 2015, which is a great result. ‘WannaCry’ will no doubt assist in boosting the numbers even further.
From the ACCC’s report, it clearly stands out that the trend in the past year was to scam people via social media. The report states that $9.5 million was lost through social media scams in 2016 compared to $3.8 million in 2015. There appear to be three frequent modus operandi.
- Dating and romance scam victims are in pole position, with nearly one third of the attacks coming through social media channels.
- Threat based scams are in second place, with criminals impersonating government agencies as the leading way to extort victims into paying money.
- Fake trading scams are in third place, which is where “too good to be true” deals are offered. After payment the goods are never received but the money is gone.
As scammers are becoming more sophisticated, they are progressing from the impersonal email inbox into the more casual social media zone; an inevitable development.
It does appear that the people who report scams are in the ‘middle age and over’ bracket, with 45 percent of the reports coming from age group 55+. Questions can be raised about whether these trending scams are connected specifically to that age group, and we can speculate about the reasons; however, it is important for everyone, no matter what age you are, to stay vigilant regarding social media contacts. Further, you should remain mindful of the information you share publicly that could assist a scammer in attacking you or your friends.
People appear to have an inherent drive to publish and show accomplishments, without giving much thought to the associated risks. Compared to the business world we service as a provider of forensic services, the pattern is not too dissimilar. Businesses sit in a different place in the value chain for criminals. Instead of the romantic scam, an attacker is likely to push your emotional buttons in a way that leads to you sharing your credentials with them. With these credentials you could be the fake trading company they impersonate through your social channels.
Here are some of the things we see in our business:
Generally it is your corporate accounts or those of your execs that are spammed, taken over or imitated.
The objectives of criminals vary, and include:
- inflicting reputational damage by causing adverse publicity
- imitating social media accounts
- stealing funds through financial transfers by executive order – the so-called ‘CEO email scam’ (we have seen this happen through social media as well)
- trying to disrupt your business processes by spamming your website or customer service hotline with traffic.
So what can you do?
We cannot over-emphasise this, but the best defence you have available is your people. Take-overs happen mostly because people are lured into sharing their account details online through fake websites, or even over the telephone if the attacker is well trained in social engineering techniques.
Don’t underestimate this threat just because you have heard it before.
Don’t assume that because a contact has mutual friends, or similar, that they are a legitimate person. This is a self-fulfilling prophecy and neglects the important fact that scammers deliberately target whole business communities.
If someone you are already connected with on social media reaches out to you with a new account, seek them out offline to clarify if and why they have a new account.
Aware employees will be able to recognise most criminals’ attempts, and smart employees in your social media teams will be able to pick up imitation or spamming attacks before they get too much coverage, so that appropriate countermeasures can be taken.
So be alert so you are not alarmed.