In a recent article
, I discussed how HDDCryptor
, and eight other families dominated the ransomware
scene in 2016. It was a good year for ransomware authors. But they weren't the only ones who closed out 2016 in the black. Scammers also made a killing off unsuspecting users. They did so partly because 2016 saw such a dramatic spike in scams.
Back in February, the United States Internal Revenue Service (IRS) issued an alert revealing tax-related email scams had grown by 400 percent
from 2015 and 2016. It was only seven months later that the Financial Fraud Action UK (FFA UK) launched a national campaign
to combat scams. The campaign responded to a 53 percent increase of fraud in the UK payments industry.
Users came across lots of different ruses over the past 12 months. Even so, some ploys saw more success than others. Here are the top five types of scams that tricked users in 2016.
Social Media Scams
Scammers commonly target users on Twitter
, and LinkedIn
. But in 2016, security researchers documented some particularly interesting schemes. For example, fraudsters used Promoted Tweets to convince users they could help get their Twitter accounts verified
, but in actuality, they were just after people's account details and payment card information. Meanwhile, scammers targeted French users in Facebook private messages to distribute Eko malware
, and bad actors used a Dropbox page
as a fake account authentication service to obtain LinkedIn members' financial information, login credentials, and photo identification.
Business Email Compromise (BEC) Scams
Business email compromise (BEC) scams are exactly what they sound like. They're when an attacker gains unauthorized access to a staff member's business email account. Most of the time, these actors use spear-phishing (or whaling
) attacks to access their target's email. If they compromise an executive's account, they can abuse that access to impersonate the executive and authorize fraudulent wire transfers. Plenty of organizations, including wire and cable manufacturer Leoni AG
as well as an unnamed American corporation
, have lost tens of millions of dollars to business email compromise scams. It's therefore no surprise the FBI found in April 2016 that BEC scams have cost organizations 2.3 million USD since October 2013
Scammers will do anything to try to steal people's money. Sometimes they'll come up with schemes that trick people into making fake investments. For example, in August 2016, the United States Securities and Exchange Commission launched an investigation
into Providence Financial Investments for peddling "ongoing fraudulent and unregistered" securities. The mini-bonds lured in investors with a promised interest rate of 8.25 percent. But as mini-bonds are outside of the official compensation scheme, people risk losing all their money. It's believed the scheme cheated more than 800 investors out of £8 million.
It's not just mini-bonds, either. Remember Joshua Samuel Aaron
? He's the individual who along with two Israeli citizens commissioned a hacker to infiltrate JPMorgan Chase and several other U.S. financial institutions. They did so to obtain contacts for their "pump-and-dump" scheme by which they bought up penny stock, sent out misleading emails urging others to purchase stocks, and sold their shares to make a profit.
Fraudsters invest lots of time trying to snag victims via email or one social media. But the digital realm isn't their only playground. Scammers also use phone calls to trick users into surrendering their money. Perhaps none of these ruses is better known than the Grandma scam
. The ploy begins when someone posing as a grandchild calls up an older individual. They say they drank too much, got into an accident, broke their nose (hence the unfamiliar voice), and entered police custody for a DUI charge. The fraudster then asks the target for their payment card information so that they can post bail. There's lots of variations of this scam. All of them try to prey on users who don't know better.
Tech Support Scams
Phone scammers don't always pretend they're a grandchild in need. Sometimes they'll call a victim and impersonate a representative of a well-known software company's technical support team. Using social engineering
techniques, they'll tell the person on the other end that their computer is infected with malware and that they need remote control of their machine to investigate further. Once in control, the scammer will use a series of tricks to make the victim believe their computer is infected with malware. They'll then tell the user they need to purchase some piece of software to clean their computers. These solutions don't do anything to protect a user's machine in the best case, and they quietly infect the computer with malware in the worst case. Such is the course of an ordinary tech support scam
Scams come in all shapes and sizes. Even so, there are several steps users can take to defend against a large swath of them. These recommendations are as follows:
- Approach Social Media Carefully: Websites like Facebook or Twitter are in some ways analogous to a real social gathering. There's friends and acquaintances with whom users want to share details of their lives, but there's other people who they don't want to know that information. Users should treat social media the same way. They can do so by configuring their privacy settings to share information with only certain groups of people. They should also be careful approving connections/friend requests and clicking on links sent to them from people they don't know.
- Touch Base Another Way: If users doubt who they're talking to is who they say they are, they should confirm their identity by contacting that individual via another medium. If someone sends them a suspicious email, users can call them to verify they sent it. If a loved one calls them with an unfamiliar voice, they can pop over to their home to see if it was them with whom they spoke. This logic doesn't just apply to consumers, either. Organizations can also use multiple modes of contact to approve money transfers and thereby defend against wire fraud.
- Exercise Common Sense: Users should never give their payment information to ANYONE over the phone or through email, especially if they didn't initiate the conversation. Additionally, when making investment decisions, users should work with respected financial advisers who can steer them away from fraudulent schemes.