Common Fraud Schemes
Malware and Ransomware
As its name suggests, malware is software with malicious intent. Malware can be made to spy on users, steal sensitive information like credit card numbers, track your location, or download harmful software without your knowledge. Ransomware encrypts the information on your device, rendering it inaccessible or threatening to block it until you pay the ransom.
Tips for keeping yourself safe:
- Don’t click on email links or download email attachments unless you’re sure the emails are from a trusted source. Malicious code can be hidden in email attachments.
- If you do click on a malicious link, seek IT support as soon as possible.
Sources: Techopedia “Malicious Software (Malware)” and Cybersecurity & Infrastructure Security Agency “Ransomware Guidance and Resources.”
An Overview of Phishing, SMSishing and Vishing
All three of these techniques are designed to trick you into handing over sensitive information such as passwords and bank account numbers to criminals. Criminals accomplish this by masquerading as trusted sources such as payment services, online merchants, and even government agencies. To further entice you to respond, criminals often add a sense of urgency to their messages. For instance: a problem with your payment information, suspicious activity on your account, or a prize you’ve won and need to claim. Now, let’s examine the differences between phishing, SMSishing, and vishing.
Phishing
Phishing attacks are delivered via email. At first glance, phishing emails might appear to come from legitimate companies and organizations. Email addresses, logos, and designs can all appear official, but they’re all part of schemes to encourage you to click on malicious links that send you to legitimate-looking webpages designed by criminals to capture your username, password and other details.
Tips for keeping yourself safe:
- Closely inspect email addresses. On a desktop, you can usually mouse over or click on an email address to see if it’s really what you think it is. This is because scammers can program an email to look like it’s coming from Support@PayPal.com when it’s actually coming from PayPal123@PP.net, for instance.
- Look for salutations such as “Hello dear” which respected companies wouldn’t use, and keep an eye out for bad spelling and grammar, both giveaways the email was written by a foreign scammer.
- Never click a link unless you’re sure it’s from a legitimate email.
- If you do click on a link, make sure it takes you to a legitimate website. For instance, check that the address really reads Microsoft.com and not a near-match of it; scammers often buy domains that are off by a letter or two hoping people won’t notice.
SMSishing
SMSishing attacks are delivered via text message or SMS. Like phishing emails, they’re worded as if they’re from a trusted organization and they work by enticing you to click a link - often containing malicious software that can harvest your contacts, passwords, credit card details, and other valuable data on your phone.
Tips for keeping yourself safe:
- Don’t click on a link in a text unless you know it’s from a trusted source, or you’ve specifically requested it from a service or merchant in real time (e.g., to receive package tracking info via text).
- Beware of “out of the blue” messages with a sense of urgency.
- Look out for messages that say “You won” or that you have to claim a prize.
Vishing
Vishing attacks are delivered via digital phone (VoIP). Commonly, these scams use automated voice messages to impersonate the IRS, banks, computer tech support, or even telemarketers selling extended auto warranties. Messages urge victims to call a toll-free number. When they do, automated menus ask customers to say or key in sensitive information in order to respond to an issue or take advantage of an offer.
Tips for keeping yourself safe:
- Be suspicious of calls claiming to be from government agencies such as the IRS. Typically, the IRS sends formal letters via US Mail, rather than calling out of the blue.
- Don’t answer calls from numbers you don’t know. And even if a caller leaves a message from a company you do business with, check their website to make sure it’s a legitimate phone number.
Sources: Federal Trade Commission “How to Recognize and Avoid Phishing Scams,” Techopedia “Phishing,” Techopedia “SMS Phishing,” Techopedia “Vishing”
Social Engineering
With social engineering, criminals often combine psychological manipulation with techniques such as spear phishing (a hyper-targeted phishing email). Typically, criminals have more pieces of information about potential victims, which leads to schemes such as fraudulent work emails programmed to look as if they’ve come from your company’s leadership. Often, they’ll ask employees to log into a site, send sensitive information or complete a wire transfer to a phony supplier.
Tips for keeping yourself safe:
- If an email purports to come from a superior on vacation, consult your coworkers to make sure that’s actually true and that their email hasn’t been hacked or spoofed.
- If you do mistakenly click a malicious link or log in to a fraudulent site, alert your IT dept. ASAP.
Sources: Cybersecurity & Infrastructure Security Agency “Avoiding Social Engineering and Phishing Attacks,” Techopedia “Spear Phishing”
Travel Scams
Everyone loves going on vacation, which is what makes travel such an attractive target for thieves. From online ads for “free cruises” (after you pay taxes, port charges or other fees) to fraudulent vacation rental listings, criminals often use the excitement of travel to get you to pay now for benefits that never materialize. A different type of travel scam occurs when a person’s email or social media account is hacked, allowing criminals to send desperate-sounding messages soliciting wire transfers designed to make you think your friend or contact needs the money to get home from a foreign country.
Tips for keeping yourself safe:
- Beware of deals that seem too good to be true.
- Only book vacation rentals through reputable sites.
- If someone sends you a suspicious message from abroad, call or contact them directly.
Sources: Federal Trade Commission “Travel Scams,” Florida Department of Agriculture and Consumer Services “Travel Scams,” Washington State Office of Attorney General “Wire Transfer Scams”