I love scams. I love the improbable email, and the cunning SMS tricks, and the eternal optimism of the inexperienced con artist. There are few things in the world of technology, and the world of information security, that reveal so much humanity as scams.
There’s one simple technique to inoculate yourself against most scams:
If it sounds too good to be true, it probably is.
The thing about scams is that they appeal directly to our emotions. We want to win the prize, to meet the partner of our dreams, to become unexpectedly wealthy, to jump when the boss tells us to jump.
I’m sorry, but there really is no such thing as a free lunch. That diplomat in Kinshasa that wants to share a million dollars with you? That attractive stranger who wants to be your friend online? That win in a lottery you never entered? That random draw from Sony that got you a brand new PlayStation 5… enticing as it sounds, there ain’t no free lunch.
Some scams capture our imagination, and pass into folklore. Serial con man George C. Parker, in the late 19th and early 20th century, hit on the trick of selling various pieces of New York architecture — most famously the Brooklyn Bridge — that weren’t his to sell, sometimes over and over again. His first endeavours were selling General Grant’s tomb to entrepreneurs who thought they would get rich selling tickets. Sometimes he did not sell the bridges outright, but instead leased the right to erect tollbooths and collect tolls, much to the exasperation of the police who would have to explain to the enthusiastic gate builders that they had been conned. The next time you hear the phrase “and if you believe that, I’ve got a bridge to sell you”, raise your glass to George Parker.
The most prevalent form of scam is often referred to as the Nigerian Prince Scam, or 419 Scam, and is probably responsible for the overwhelming bulk of junk email you get. More properly it’s called an Advance-fee Scam, and has little to do with Nigeria — 77% of the scam attempts originate from the USA and UK combined. The form of the scam varies, but it usually takes the shape of “I have a large amount of money that I need to deal with, and you can have a share of it if you help me by sending your bank details and some small fee to release it”.
The FBI describes it in this way:
An advance fee scheme occurs when the victim pays money to someone in anticipation of receiving something of greater value — such as a loan, contract, investment or gift — and then receives nothing in return.
For me the fascinating thing about this particular form of scam is that it pre-dates modern communication. Initially it was performed using letters, at least as far back as the 18th century, then exploded in popularity when the first trans-continental telegraph system was set up across the USA. It successfully migrated to fax machines for a brief time, and reached unimaginable heights with email — as a medium, it’s the perfect home for this scam. The difficulty is that the cost of generating and sending tens of thousands, or millions, of email messages is next to nothing for the scammer, and the payoff from even one victim is almost pure profit.
And the Advance-fee scam pays very handsomely. It is estimated that for the US alone in 2019, criminals raked in over $US700,000, with victims on average losing over $US2,000. The Australian Competition and Consumer Commission provides a Scam Watch site that provides interesting figures — their estimate is that Australians lost over $AU1,000,000 to these scams in 2019.
Never, ever, ever send money, bank account details, or any other personal information to a stranger who has contacted you.
Be aware that these scams may also arrive by paper mail, social media contacts, or SMS, although the most likely route is by email.
Remember: if it sounds too good to be true, it’s almost definitely a scam. There’s no such thing as a free lunch.
Profitable as the advance-fee scams are, they pale in comparison to a much more sophisticated scam that primarily targets businesses — invoice fraud and “Business Email Compromise”. Individuals can be the targets of these kinds of fraud, and the solution is simple: if you ever receive a bill or invoice that you are not expecting, contact the company to verify it. Oh, and don’t use the contact details on the bill, because even though it says “Tesco” on the top, it’s almost definitely not going to be Tesco that picks up the phone — always go to the company’s website and find the contact details there.
In the simplest form of this scam, the criminals will send fake invoices, or invoices for goods your business never actually purchased. For a large company, a fake invoice for 400 staplers and 5,000 lever arch folders can easily be lost in the stream of other expenses and paid out. The total loss for companies can be quite extreme though — it’s estimated that the loss in the UK for 2018 was around £30,000,000, with the average loss per business around £28,000.
“Business Email Compromise” is more complex, but can be even more damaging to businesses. Through 2020 this type of attack has increased by more than 75%, as all of us have started working from home. This scam relies on the criminals impersonating someone in the company like a CEO, CFO or payroll employee to ask the victim to authorise or perform a payment. It’s rarer, because it’s a more targeted attack that has to be carefully crafted, but the losses to businesses can be very large indeed — in 2018 criminals stole €19,000,000 from the Pathé film company through this route.
So, if you get email or SMS at an unexpected time from your boss asking you to do something unusual with company money… ring them up to double check.
For both invoice fraud and BEC, the main protection for businesses is to have processes in place for dealing with payments, and to always follow the process. In the case of invoice fraud, simply requiring every payment to be matched to a purchase order can be sufficient protection.
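As an added illustration of that purchase-order control (example code written for this post, not something from the original), here is a minimal matching check in Python: an invoice is only cleared for payment when it cites a known purchase order from the same vendor for no more than the authorised amount; everything else is held for manual verification. The vendor names, PO numbers and amounts are constructed sample data.

```python
# Added example: a minimal purchase-order matching control. Invoices that do
# not cite an open PO, come from a different vendor, or exceed the authorised
# amount are held for manual verification instead of being paid.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class PurchaseOrder:
    po_number: str
    vendor: str
    authorised_amount: float

@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    po_number: Optional[str] = None  # fake invoices very often cite no PO at all

def check_invoice(inv: Invoice, orders: Dict[str, PurchaseOrder]) -> Tuple[str, str]:
    """Return ('pay' | 'hold', reason). Only a full PO match is paid."""
    if inv.po_number is None:
        return "hold", "no purchase order referenced"
    po = orders.get(inv.po_number)
    if po is None:
        return "hold", f"unknown purchase order {inv.po_number}"
    # Exact vendor match: a lookalike name on a genuine PO number is still a hold.
    if po.vendor.casefold() != inv.vendor.casefold():
        return "hold", f"vendor {inv.vendor!r} does not match PO vendor {po.vendor!r}"
    if inv.amount > po.authorised_amount:
        return "hold", f"amount {inv.amount:.2f} exceeds authorised {po.authorised_amount:.2f}"
    return "pay", "matched purchase order"

def triage(invoices: List[Invoice], orders: Dict[str, PurchaseOrder]) -> Dict[str, Tuple[str, str]]:
    """Run the check over an invoice batch, keyed by invoice id."""
    return {inv.invoice_id: check_invoice(inv, orders) for inv in invoices}

# Constructed sample data: one genuine PO, one genuine invoice and two suspicious ones.
ORDERS = {"PO-1001": PurchaseOrder("PO-1001", "Acme Office Supplies", 1200.00)}
INVOICES = [
    Invoice("INV-1", "Acme Office Supplies", 1180.50, "PO-1001"),      # genuine
    Invoice("INV-2", "Acme Office Supplies", 4750.00),                 # staplers nobody ordered, no PO
    Invoke := None if False else Invoice("INV-3", "Acme Office Suplies Ltd", 1180.50, "PO-1001"),  # lookalike vendor
]

if __name__ == "__main__":
    for inv_id, (decision, reason) in triage(INVOICES, ORDERS).items():
        print(f"{inv_id}: {decision} ({reason})")
```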
Scams are not always about trying to get money from you directly.
Quite a lot of scam email that winds up in your junk folder is trying to either steal your identity and/or passwords, or to install something on your computer, tablet or phone to steal your identity and/or passwords. Very commonly these sorts of scams appeal not to greed but to lust, which is probably why they work so well.
To be delicate about it, those email messages coming in from attractive (usually) ladies who would like to be your friend and share some pictures with you… the aim is to harvest personal details, and if they are lucky, credit card details. These will either be used by the criminals directly, or more commonly sold in bulk on the black market.
Often the first pass at this kind of harvesting scam is to get you to click on a link — when you do, the scammers know they have a real email address with a real human attached to it.
I know you’ve heard it before, but seriously don’t click links in random mail coming in!
And more to the point: never open random attached files that show up in your email. I will write at more depth at some later time why that’s important, but for now… just assume if some random file shows up, it’s not likely to be friendly.
Increasingly these types of “harvesting” scams are not just through email — they are now showing up via random “friend” requests on services like Instagram, Facebook or even things like Fitbit. These don’t seem to be hugely effective and are mainly either trying to set up accounts with lots of followers that can then be sold, or else are avenues to push advertising or other scams to you.
I cannot emphasise it enough: cultivate a BS detector, aim for healthy scepticism, and never forget:
- if it sounds too good to be true, it probably is;
- there’s no such thing as a free lunch.