Most of us like to think we're too clever to be caught out by internet fraudsters. In fact any of us can be caught out by these scroungers. Their tricks have gone far beyond the infamous fax from a "Nigerian prince", "the 419" or variants of these - asking you for money.
Now frauds are increasingly sophisticated and you are much more likely to be contacted (by email, SMS or telephone) by someone you seemingly trust. Fraudsters dupe their victims using a type of psychological manipulation known as "social engineering". It is essentially a confidence trick that influences a person to take action that may not be in their best interest. With many technical security defences in place to prevent large and medium-sized enterprises from being hacked directly, it is us humans that present the best medium and, to a certain extent, the sweet spot for criminals to target. To explain how "social engineering" works, here is an analogy: children are little people we all love, and they get us to do things which under normal circumstances we would never think of doing. The scammers apply the same psychological principles. They build rapport, get us to like them, trust them, and often inject a sense of urgency into the scenario. This all releases certain chemicals in our brain that allow us to take actions we perhaps shouldn't take.
Why is it growing? Social engineering fraud has been identified by the international police agency Interpol as one of the world's emerging fraud trends. In the last two years there has been a spike in this type of fraud, with reported losses in 2015 doubling to nearly $1bn (£675m).
It's a lucrative crime. You don't need a skilled programmer to do social engineering - just someone who's willing to talk to people or write emails. On top of this, the growth of the internet has played right into the criminals' hands. A key part of social engineering is having information on your target. Criminals can get this from buying hacked company data and studying their victims' social media profiles online.
In June last year Emma Watson, a British businesswoman who was setting up a children's nursery, got a phone call from her bank's fraud team. They told her that they had stopped some unusual transactions on her account, but because it had been compromised she had to transfer her money into some other accounts they had set up in her name. "They were completely professional, it was a clear line, they knew my name, they called me on my landline, they used all the language," she says. "They were very reassuring, saying 'I know this is a distressing time for you and I'm going to help you'." In fact it wasn't her bank calling at all, but criminals fraudulently posing as her bank's fraud team. Emma ended up transferring £100,000 into the fraudsters' accounts online. Only a fraction of it has so far been traced and returned. This type of fraud is called "vishing", where criminals persuade victims to hand over personal details or transfer money over the telephone. They have a number of techniques at their disposal.
- Information: the criminals already have your name, address, phone number, bank details - essentially the kind of information you would expect a genuine caller to have
- Urgency: You are made to believe your money is in danger and have to act quickly - fear often leads people into acting without thinking
- Phone spoofing: The phone number appears as if it's coming from somewhere else, so when you pick up the phone you already believe the caller because the number is convincing
- Holding the line: In some cases, the criminals can hold your telephone line, so if you hang up to call back the bank, you can get put straight back to the fraudsters.
- Atmosphere: You hear a lot of background noise so it sounds like a call centre rather than a guy in a basement - they either do have a call centre, or are playing a sound effects CD.
Here is the advice: never give personal information such as banking or credit card details over the phone to someone who has called you. If you get a call, hang up, and ring the number on the back of your credit card using a different phone from the one they called you on.
Phishing emails have risen in number and have got a lot more sophisticated. How do they work? They play on your trust and they use a front, whether it's a bank, a friend's name, or someone you expect communications from, and they put urgency on you to respond immediately. Most phishing emails will look very convincing - for example like one from Amazon if you recently made a purchase from them, or from your bank. In the case of the former, clicking a link would open up what looks like a real Amazon log-in page. A closer look at the address bar in your browser might indicate a site in Russia, Ukraine, Romania etc. - it certainly isn't Amazon.com. If the scammers hit the right emotional triggers at the right time, anyone can be a victim of phishing. Phishing emails can look very convincing - copying branding and 'spoofing' email addresses to make them look genuine. Here is a simple piece of advice once you have opened the mail - "hover the mouse over the link and the URL details will come up and will show if it's valid, or is taking you somewhere unrecognizable". If in doubt, never click on the link. If an email looks genuine then contact the sender through their official website. Never use telephone numbers or links provided in the email if you never requested or anticipated them.
Smishing is SMS phishing where text messages are sent trying to encourage people to pay money out or click on suspicious links. Sometimes attackers try to get victims on the phone by sending a text message asking them to call a number, in order to persuade them further. Unsolicited text messages from unknown numbers should raise alarm bells, but often banks do text their customers for a variety of reasons. In that case, you should call the bank using a number from a bank statement or a verified source, not a text message.
The Internet 2016 - don't be a victim, surf wisely