The Modern Con
By Paul Forni, Information Security Officer
Have you ever heard of the games of chance called “The Old Shell Game” or “Three Card Monte”? These games are simple to understand. In “The Old Shell Game” there are three walnut shell halves and a pea. The pea is placed under one of the walnut shell halves, the shells are shuffled, and the object is to guess which shell the pea is under. “Three Card Monte” uses three cards from a standard deck of playing cards, usually two queens and an ace. The cards are placed face down, their positions are shuffled, and the object is to guess which card is the ace. Both of these games require that you wager some money before selecting your shell or card. Sounds simple enough; after all, you have a one in three chance of selecting the right shell or card. Or do you? Those of you familiar with these games know they were usually run by conmen (confidence men). If you did happen to win by betting on the right shell or card, it was because the conman wanted you to win, to build your confidence in the hope that you would place a larger wager on the next round. These games are actually decided by the conman’s ability to manipulate the outcome; chance has nothing to do with it. Conmen are still out there, but they’ve upped their game. They no longer use antiquated games of chance to steal; they use modern technology to help them steal from unsuspecting people. Instead of calling them conmen, we now refer to them as cyber-criminals. The techniques the cyber-criminal uses are called Social Engineering. In his book ‘Hacking the Human: Social Engineering Techniques and Security Countermeasures’, Ian Mann describes Social Engineering as “manipulating people, by deception, into giving out information or performing an action[1]”. By the year 2017 it is estimated that total global losses to cyber-crime will top $120 billion[2]. There are numerous Social Engineering techniques, or scams if you prefer, and you can see why it is very important that you learn how to spot them.
In the rest of this article we’ll take a look at some of the more popular Social Engineering scams cyber-criminals use and what you can do to protect yourself.

Social Media (Facebook, LinkedIn, Myspace, Twitter, Instagram, Friendster, etc.) can be a great way to stay in touch with friends and family, but it’s also a great place for cyber-criminals to work. Criminals can pick up information about you or get you to unknowingly install malicious software on your computer! Be careful what you share and who you share it with. Also, don’t “friend” somebody on these sites unless you know the person, and make sure your friends and family do the same. Popular Social Media Scams:
- I’ve been robbed, arrested, or in an accident scam. This scam could come in the form of a phone call or an instant message through a Social Media site. The cyber-criminal poses as a relative or a friend. Since the criminal has been watching your activity on Social Media, chances are they have some knowledge about you. They use this knowledge to gain your confidence.
Normally the criminal claims to be in a foreign country and that this is an emergency. They’ve been robbed, arrested, or in an accident. They don’t have their passport and are in need of money. What comes next is the biggest warning sign that this is a scam: they ask you to WIRE them money, and please don’t tell anyone because it is very embarrassing for them.
- Fake Advertising and Rogue Links are another real threat on Social Media. Not all advertisements are real or genuine offers and clicking on them may expose your computer to malicious software, which in turn could allow a cyber-criminal direct access to your computer. Think before you click.
Vishing is when criminals use the telephone in an attempt to scam someone out of money or to gain access to their computer. If you have caller ID on your phone, you can’t trust it. It is very easy for a criminal to “spoof” a phone number, and they can make whatever telephone number they want appear on your caller ID. Some popular Vishing scams include:
- “Hi, I’m calling from the IRS and you owe back taxes.” The IRS does not make phone calls; they send letters.
- “Hi, I’m calling from Microsoft and we’ve noticed a problem with your computer. If you allow us remote access, we’ll be able to fix that for you.” Microsoft does not monitor customers’ computers.
- “Hi, I’m calling from your Credit Card Company and I’d like to help you lower your current interest rate. Would you just please confirm your card number by reading it to me?” Your bank or Credit Card Company should never call you and ask you for your account number. If they are truly your bank or Credit Card Company, they should already know your account number.
As a rule of thumb, NEVER give out sensitive information like account numbers, social security numbers, etc. unless YOU have initiated the phone call and are 100% certain you know who you are talking to. The best defense for staying safe and avoiding becoming a victim is to stay educated. There are a number of free resources you may access, like www.OnGuardOnline.gov, that have a lot of great tips and advice.

[1] Mann, Ian (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Gower Publishing Company. ISBN: 0566087731
[2] Symantec (2015). Internet Security Threat Report. Symantec Corporation World Headquarters.