At the beginning of this year, countless reports were spreading in newspapers and WhatsApp groups with lists of numbers. All of these numbers had one thing in common; if you get a call from one, do not answer! These numbers are operated by social engineers and are part of a worldwide social engineering effort. Fraudsters, scammers, and lowlifes who prey on the naivety of others.
Social engineers, or scammers, are people who manipulate others to simply hand over confidential information, personal information or to gain access to areas they should not have access to, like your laptop or phone, or your place of work. They can do this in many ways: through e-mails (phishing), text messages (smishing) or phone calls (vishing/voice phishing).
You may think that you are smarter than these social engineers, or that you will not be fooled, but they are taking advantage of thousands of people every year who fall for them. According to CIFAS – the largest fraud protection agency in England that is not part of the government – there were 84,463 cases of identity fraud in the first 6 months of 2018. It is better to be prepared and ready to defend yourself against an attack than to fall for one.
419 Scams
The 419 scam, more commonly known as the Nigerian scam is one of the most famous scams. It gains its name from the section of the Nigerian Criminal Code dealing with this type of fraud. Although it is known as the 419 scam or the Nigerian scam, its real name is the Advance-fee scam. It usually entails promising the victim a large payment in exchange for a small upfront sum. The Nigerian Prince in the Airport scam is the typical 419 scam. They all follow the same premise. There is a prince stuck in an airport. He asks you to send some money to allow him to purchase a flight home. In exchange, he promises to send you a small fortune when he arrives home to thank you. If you send the “Nigerian Prince” some money, you typically never hear from them again.
However, this is only the simplest form of this scam. Due to its overuse, you rarely find a scam using this layout anymore. They usually have a more complex storyline. Although the Nigerian Prince scam is usually sent by email, not all 419 scams are sent this way. Here are the 3 most common forms in which the 419 scams are sent out.
Phishing
Phishing is usually the most used form for dispersing the scam. This involves sending out an email to a large group of people and waiting for someone to fall for the scam. You can be caught by phishing if you receive one of these emails, and either reply or click on a link.
Due to the fact phishing involves sending out a group email, it is the least expensive and least time-consuming form of the 419 scam. Many scammers may have multiple victims at one time. As sending emails is free, it costs the scammer basically nothing to run this scam. To send out the scam, scammers may send out emails to random addresses, hoping that they send out an email to a real address, or they may have a list of emails that have been passed around. Your email can leak anywhere, either from it being mentioned publicly online, websites getting hacked or your data getting sold.
One way to avoid your email being sold; research any company or website before you provide your email address, and be especially cautious when providing credit card details. One recommendation I have heard is to add “+website” to your email. For example, if your email was “example@gmail.com” when providing your email to website A, type “example+A@gmail.com”. When sending the email, the webmail site will ignore anything after the +. That way, when your receive scam emails, you can tell where they got your email from. But remember, prevention is better than cure, so only provide your email to places you can trust. This trick also only works with personal Gmail accounts. You can not use this with a work email provided by Google either.
Vishing
One thing to remember is that most scams are quite similar. Vishing is short for Voice Phishing. The difference between vishing and phishing is that while phishing is done through email, vishing is done through phone calls. In the introduction of this article, we talked about lists of numbers that were used by scammers. These scammers were using phishing to gain an advantage over their victims.
Vishing is more expensive than phishing as network companies will charge you for the number of calls you make. If these scammers are in a different country, the scammer will also have to deal with the international rates. However, to lower the price, scammers will purchase Voice over Internet Protocol (VoIP) deals. VoIPs are used by sales companies as well as scammers. The idea behind VoIP is people can make a phone call on the internet where there are no international rates.
Like phishing, vishing scammers sometimes use cold calling by sending out a call to a randomly generated number and hope that is it a real number. Other scammers will purchase lists of working telephone numbers to call in order to cut out wasted time by calling inactive numbers.
Another way scammers take advantage of you through vishing is by getting you to call them. They do this by purchasing a pop-up advertisement to appear online. They usually try to disguise these popups as coming from legitimate sources like Microsoft. These popups will often state that your computer is infected by a virus and ask you to call a certain number to fix this issue. Legitimate companies don’t use these popups, so don’t call the number. When in doubt, Google the company and use the phone number provided on their site to confirm the legitimacy of these popups.
Smishing
The final method of spreading a scam is smishing. This is a lot like phishing but is done through text, or SMS, instead of email. This allows for website links to be sent like phishing but also costs more like vishing.
Scammers can collect your number just like they collected it for vishing. The extra danger with smishing is that fraudsters can register a name to their messages so you receive a message from a name instead of a number. This can be especially effective as their message can pretend to be from an acquaintance and comes off as more authentic.
Protection against social engineering attempts & best practices
There are many more ways Social Engineers will attempt to take advantage of you and scam you. In some cases, if they get your bank account details, this may lead to the victim losing their entire life savings. However, this is unlikely due to the amount financial institutions invest in anti-fraud divisions and methods, as you will see below. But however unlikely it is, the possibility remains. We have barely scratched the surface of the numbers of scams that are out there. For the 3 types of scams we looked at below, each has multiple sub-types of its own. Stay aware and take precautions.
For a Business
Many businesses have a dedicated department for scam protection, both internal and external. Businesses wish to protect themselves as well as their customers. Most businesses attempt to remove fraudulent content using their name as it tends to damage their brand identity. Their brand name is also sullied if they themselves were to succumb to scams. Therefore, it is in their best interests to have complete protection against scam artists, however, even the most comprehensive business can fail to see a threat before it’s too late.
In cases like this, companies can hire third-party companies to investigate their business. Integrity360 is one such company, founded in Ireland in 2005.
Security partners provide multiple services to businesses. They usually consist of educating employees, testing the business, and improving the businesses security. In the case of Integrity 360, they have 5 services.
- Vulnerability assessment Focusing on the companies network. This is a quick assessment to find major security issues.
- Penetration testing Performing a regular assessment of the companies security. This is more rigorous than the last test.
- Red team assessment This is a full-on assault of the company, consisting of both virtual and physical means. This is the main area where Social Engineering is used, as they attempt to enter the premises without authorisation. These 3 tests are all about attempting to gain access to a section, or more, of a business.
- Build review This is typically done after one of the previous three. This is where they sit down with the business and look at improving the companies defences.
- User awareness testing This is focused on the employees of a business, rather than the business itself. Here they use Social Engineering again but aim at employees from a separate location. They sometimes use phishing or the other social engineering attacks we looked at earlier.
These processes are not exclusive to Integrity360, however, they are an example we looked at.
The final way a business can protect itself is by teaching its staff. This will protect the business against the User Awareness test above. The ways employees are taught to protect the business is the same way an individual can protect themselves.
For an Individual
Every day, people are bombarded with scams and advertisements, however, it is sometimes difficult to tell them apart. The questions that are being asked, again and again, is, how do I protect myself? There are various methods you can use.
Firstly, you should be careful who you give your personal information to. If you receive any form of communication, take some time to research the company contacting you. Make sure they are trustworthy and that the people communicating with you are truly who they say they are. If in doubt, do your own research.
This goes along with advertisements. You cannot believe all of the advertisements you see on TV or on social media sites. Just a few weeks ago, The Journal released an article on scammers operating on Facebook and Instagram advertisements. According to the article, scammers were posing as 2 different legitimate companies, where one victim lost €68, and if it wasn’t for their bank’s anti-fraud measures, they would have lost €136 to a single scam. If you wish to read the full article, it is available here.
You should always be aware and understand that people out there are trying to scam you. Ignorance is the most dangerous trait in my opinion, as it is allowing somebody to take advantage of you. Learn what you can about social engineering and their methods to be better prepared for an attack.
Brian Brushwood, a YouTube content creator and social engineer hosted a TV show alongside National Geographic called Hacking the System. This show illustrated various means of Social Engineering, both as a force for good as well as evil. He focuses on how to use it legally to “get ahead in life”. His show includes the proper way to ask for a raise or promotion down to how criminals choose a house to break into and the methodologies they use. He even got people on the street handing him hundreds of dollars in cash.
I am not informing you of this show for you to go out to perform these fraudulent activities. I am hoping that you will teach yourself and learn so you don’t end up in a sticky situation.
419 Eater
While Brian Brushwood tackles scammers by teaching you their methods, there are some people who purposely “fall” for scams and social engineering attempts. These are professionals in their fields with multiple forms of personal protection and fallbacks, so please do not attempt what these people, dubbed “419 Eaters“, do.
419 Eaters look for scams and start them off. The aim of their game is to waste the scammer’s time so they are not scamming another helpless victim, and some reverse the scam and collect data on the malicious social engineers to pass onto the authorities. While doing this, however, they usually have some fun and share their results on the 419 Eater forums.
There is also the YouTube content creator, Jim Browning. He triggers tech support scams and gives fraudsters remote access to his laptop. He will then commence downloading information from them without them realizing before contacting the police and victims to inform them of their situation.
The final resource I will provide on Social Engineering are videos by James Veitch. He does two TED Talks, however, they will not be in the linked playlist. He answers phishers and wastes their time by annoying them until they finally give up and move somewhere else. His videos are a lot lighter than some of the other resources in this article and will give you a good laugh. However, the scammers he is communicating with are real and are not to be joked about.
Please use these links to learn more. You always have something to learn and scams (especially social engineering attempts) are becoming more complicated and easier to fall to every day.
