Posted by: David Schneier
This is something akin to my annual public service announcement (PSA) for anyone who has cash-on-hand, a bank account, an investment account or perhaps even a piggy bank: As long as you have money there’s someone out there right now scheming to try and take it away from you.
I’m having that kind of month right now where I’ve learned of one scheme after another to separate people I know personally from their hard-earned money. And much to my chagrin, the schemers are enjoying some measure of success.
Last week I was regaled by a tale of how a senior citizen was stopped on her way to the bank to have a cashier’s check drawn for $500. She needed it because someone had contacted her with an offer that was impossible to ignore or turn down. If she paid the modest bank fees for a large international wire transfer she could keep a small percentage as a “thank you” gift, a mere $2M (yeah, that’s two million). The people who contacted her did so because she had been recommended as a trusting resource who would be flexible and work with them. And so the combination of the compliment and the chance to net a nifty seven-figure profit for a simple enough favor was just good enough to make her want to do it. Fortunately she ran into a friend who happened to ask her where she was off to, and when she answered honestly she was more or less forcibly snapped back to reality.
Now to be honest with you, I was stunned to learn that this scam ever works. I’ve long advocated to friends and family that they should respond to electronic offers exactly the same way as if they had received them in the mail. But while we throw out junk mail automatically, we’ll read sometimes very cleverly worded emails because they look authentic. If you filter all electronic email through the same logic that has taught us to toss mass marketing materials, you can cut out much of the clutter. But what if that email finds someone who is perhaps a little lonely or a little desperate? What if that email finds someone who is willing to roll the dice that just once what appears to be a scam might be the real thing? I wouldn’t have thought it possible until last week, but sometimes it works. And when you think about it just a little bit more, it’s the perfect scam. Once a senior citizen falls prey to the trap and comes to realize they’ve been had, many will keep it to themselves, both because they’re embarrassed and, as I’ve come to learn more recently, out of fear that they’ll be labeled as losing their faculties. And while not all seniors are wealthy, a sizable enough percentage have access to $500 easily enough.
Then this week a story was shared with me about how someone’s identity was stolen, but with a twist. They didn’t try to completely take over the identity but rather to borrow it. The man-in-the-middle attack worked as follows: Person A routinely communicates with Person B via email and instant messenger because they’re on opposite sides of the world with a language barrier and about twelve hours separating them. The electronic communications reduce the impact of the language barrier and allow them to keep in touch outside the boundaries of a shared work day. This has proven successful for both Person A and Person B for several years. Recently Person B asked for special handling of a payment that, while unusual within the design of their business relationship, was not otherwise out of the ordinary when dealing with others in the same country – Person A agreed to the request. After several back-and-forth communications to arrange for the payment, which spanned several days, Person A sent an email asking Person B to confirm that they had finally received the payment. Person B responded by asking “what payment?”
Someone had hacked into Person B’s account and was intercepting emails and instant messages and assuming that identity. They still allowed most communications to pass through but successfully filtered out anything having to do with the payment from Person A. So Person B had no idea there was something amiss, and Person A saw very little outside of normal communications. But apparently that one time the hacker must have been off their game and not paying attention, and so the two legitimate parties were made aware of the situation. A long, painful phone call ensued and some amateur detective work confirmed their suspicions. And so a new version of phishing comes into play, one in which the scam is not so apparent or easy to detect.
That’s the thing: while there may be rules to how the scams are being run today, those rules are ever changing. You can’t simply look for one telltale sign that something is amiss, because once a trend emerges the hackers change things up. And while financial institutions and a multitude of agencies are always trying to educate the masses about the perils lurking about, it seldom penetrates into people’s way of thinking. The popular adage about suckers has never been truer, only now there are two to the power of X ready to take them. There are increasing measures available to counteract some of these scams (e.g. Red Flags – Identity Theft), but by and large they go undetected or unreported.
So here’s the sum total of my PSA: If it seems too good to be true, it is. And if any financial dealing is presented where something is out of the ordinary, apply the old audit mantra – trust but verify.