Cheaters do, however, very much ‘beat’ their marks in the modern digital version of the scam. The Federal Trade Commission (FTC) in the USA dealt with over 1.4 million fraud reports in 2018. Over 25% of those reports involved a financial loss, totaling around $1.48 billion, an increase of 38% over 2017.
A similar picture is found in the UK, where in 2017 the national anti-fraud organization CIFAS dealt with 305,564 cases, a record number of fraud reports.
Consumers and businesses alike are being inundated by scams. They come in many forms. Often, they have both a psychological aspect to them as well as a technical one. In this short report, I’ll look at some of the prevalent scams in 2019 that you may come across.
Types of Scams in 2019 You Need to be Aware of
One thing that you can be sure of is that fraudsters will use every trick and scam type in the book and beyond.
If there is a way that a cybercriminal can extort something out of someone, they will find it and use it.
Some methods, however, remain the most reliable way to carry out a scam, and so become the ‘go-to’ tools of the cybercrime fraternity. Phishing, for example, is still extremely successful. But in almost every case a phishing email relies on a human being clicking a link or opening an attachment. This means the fraudster has to take extra steps to make sure you click.
This is where social engineering comes in. Tricks to get you to click include:
- Making the email look like it is from a trusted brand, like Apple or PayPal. If you think it’s real you are more likely to click;
- Using a sense of urgency. Having a time limit on an offer, “click now or miss out”;
- Fear, Uncertainty, and Doubt (FUD). Playing on people’s worries and fear, for example, stating that an account has been hacked and you must click the link to fix the issue.
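The three tricks listed above, together with the Reply-To mismatch that business email compromise (scam 10) relies on, can be checked mechanically on an incoming message. The following is an added example, not code from the original article: it flags a display name that claims a brand whose sending domains do not include the sender's, urgency and fear wording, a Reply-To domain that differs from the From domain, and links whose visible text names one host while the `href` points at another. `BRAND_DOMAINS` and the two sample messages are constructed for the example; a real filter would load a maintained brand list and proper public-suffix data.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: brands and the domains that legitimately send for them.
BRAND_DOMAINS = {
    "apple": {"apple.com"},
    "paypal": {"paypal.com"},
    "fedex": {"fedex.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

# Urgency / FUD phrasing of the kind the list above describes.
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ (?:hours|days)|act now|click now|"
    r"miss out|account (?:has been|was) (?:hacked|suspended|locked)|"
    r"unauthori[sz]ed)\b",
    re.I,
)
# Visible link text that actually names a host (so it can be compared to the href).
HOST_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels, or three for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov", "ac"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def header_domain(header) -> str:
    """Registered domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(str(header or ""))
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_message(raw: str) -> dict:
    """Return every cue found in the message; the score is simply their count."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, _ = parseaddr(str(msg["From"] or ""))
    from_dom = header_domain(msg["From"])
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom not in domains:
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")

    reply_dom = header_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for m in URGENCY.finditer(str(msg["Subject"] or "") + "\n" + text):
        findings.append(f"urgency/FUD wording: {m.group(0)!r}")

    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(text)
        for href, shown in parser.links:
            if not HOST_LIKE.fullmatch(shown):
                continue  # "click here" style text carries no host to compare against
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            href_host = urlparse(href).hostname or ""
            if registered_domain(shown_host) != registered_domain(href_host):
                findings.append(f"link text {shown!r} but href host {href_host!r}")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "PayPal Service" <alerts@paypa1-secure.com>
Reply-To: collect@mail-handler.example
To: victim@example.org
Subject: Unauthorized login detected
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been hacked. You must verify within 24 hours or it will be closed.</p>
<p><a href="http://paypa1-secure.com/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is available. <a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw)
        print(name, result["score"], *result["findings"], sep="\n  ")
```

The score is a count of independent cues rather than a verdict; in a real filter each cue would carry a weight, and the brand and link checks would sit alongside SPF, DKIM and DMARC results rather than replace them.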
In our list of 15 scams, the first nine are consumer-focused and the final six are mainly enterprise scams.
However, even consumer scams can end up sitting in a business email inbox or mobile device, so it is worth knowing about all scam types – forewarned is forearmed.
Scam 1: Sextortion
Fraudsters love to extort cash out of us, and sextortion is the lowest form of this. Research shows that one in ten phishing emails are sextortion scams.
The sextortion scam typically goes along these lines. An email is received which says that you have been caught in a ‘compromising position’ (I’ll leave that to your imagination) watching porn. The fraudster goes on to say that they have previously infected your machine with malware and now have an embarrassing video of you.
The sting in the email is this: if you do not pay a specified amount in bitcoin to a given wallet address within a set time, the video will be released to everyone on your contact list. In a recent twist, the sextortion emails quote a genuine password that you will have used at some point.
These passwords come from data breaches and have been bought for the purpose of adding an element of FUD to the sextortion attempt. The password is the only real thing in the email; there is no video, and the right response is to change that password wherever it is still in use, not to pay.
Use this password checking tool to see if any of your passwords have been exposed in a data breach: Password Checking Tool. If they have, change them.
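How such a checker can test a password without being handed the password is worth seeing. The following is an added example, not the article's tool: it assumes the checker follows the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords API, in which the client sends only the first five hex characters of the SHA-1 of the password and compares the returned `SUFFIX:COUNT` lines locally, so neither the password nor its full hash leaves the machine. `CORPUS`, `build_fake_fetch` and the sample passwords are constructed stand-ins for the remote service.

```python
import hashlib
from collections import defaultdict


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines for one prefix; suffixes not listed are simply absent."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus behind fetch_range (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    assert len(prefix) == 5  # this is all that is ever transmitted
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the breach corpus: password -> occurrence count.
CORPUS = {"password123": 128_000, "qwerty2019": 4_200, "Summer2019!": 310}


def build_fake_fetch(corpus):
    """Return a fetch_range(prefix) that serves the constructed corpus in the
    real response format and records every prefix it was asked for."""
    by_prefix = defaultdict(list)
    for pw, n in corpus.items():
        p, s = sha1_prefix_suffix(pw)
        by_prefix[p].append(f"{s}:{n}")
    requested = []

    def fetch_range(prefix):
        requested.append(prefix)
        return "\r\n".join(by_prefix.get(prefix, []))

    fetch_range.requested = requested
    return fetch_range


def check_passwords(passwords, fetch_range) -> dict[str, int]:
    return {pw: breach_count(pw, fetch_range) for pw in passwords}


if __name__ == "__main__":
    fetch = build_fake_fetch(CORPUS)
    for pw, n in check_passwords(["password123", "correct-horse-9Q!x"], fetch).items():
        print("EXPOSED" if n else "not found", repr(pw), n)
```

Against the live service, `fetch_range` would perform `GET https://api.pwnedpasswords.com/range/<prefix>` and return the response body; the parsing and comparison stay exactly as above, and the server still only ever learns the five-character prefix.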
Scam 2: SCA scam
Another trick that fraudsters use is to piggyback off legitimate email campaigns. When the General Data Protection Regulation (GDPR) came into force in 2018, there was a rush of emails asking people to confirm consent. Back then, cybercriminals took full advantage of this situation and sent out similar campaigns which exploited brands to attempt to get recipients to click a malicious link.
In September 2019, the financial services regulation PSD2 caused another flood of emails from banks and other payment providers informing customers about “Strong Customer Authentication” (SCA). Again, cybercriminals have used this as cover to send out phishing emails.
Scam 3: Shopping coupon scam
This scam is based on supermarket chain brands and coupons for use at the shop. The scam email uses the ruse of free stuff: “click on this link to activate a coupon for free goods”. Sometimes there is also a sense of urgency built in, such as a time-limited offer.
Clicking the link takes the recipient to a spoof site where they are asked to enter personal details and/or login credentials, which are then stolen.
Scam 4: Holiday and airline scams
Holiday time always brings out the scammers. Known airline brands are used to create spoof emails. The email is based on a supposed booking. As these emails tend to be seen at certain times a year, the fraudsters are hoping to catch unsuspecting individuals who have booked a flight with the airline.
Typically, the emails will say something like, “Thank you for booking with name of airline. We have received your booking, ref: 7912-278”. The email may contain an attachment or a phishing link. The attachment carries malware and, if opened, may infect the computer. The link, as in scam 3, will go to a spoof website.
Scam 5: WhatsApp Scam
This is another scam that uses a well-known brand, like a supermarket. This time the fraudulent message is received in WhatsApp.
The message will contain an offer for vouchers. A link will take the recipient to a spoof site where any personal details or financial data entered, are sent directly to fraudsters.
Scam 6: Amazon Prime scam
Everyone loves a bargain, but this scam only results in the loss of your hard-earned cash. Fraudsters often focus a scam on a holiday period, tax season, event or activity.
Amazon Prime Day is one such event that fraudsters love. Amazon legitimately sends out Prime Day emails showing bargains available on a certain day. The email is branded just like Amazon. Fraudsters use a ‘phishing kit’ to create the email which is available for rent from the darknet.
These ‘DIY’ phishing kits are easy to use and cybercriminals all over the world use them around the time of Amazon Prime Day. The malicious links that apparently take you to an amazing bargain, go to a spoof site which is used to steal log-in credentials to your Amazon account or to obtain your financial information directly.
Scam 7: AppleID scam
Kaspersky is predicting 16 million AppleID attacks by the end of 2019. The AppleID scam is a regular visitor to email accounts the world over.
Recipients receive a phishing email that looks exactly like a genuine Apple email. The email uses wording such as “your account has had an unauthorized change” and “If you did not make these changes, or if you believe an unauthorized person has accessed your account, you should change your password as soon as possible from your Apple ID account page.”
The link goes to a webpage where you are asked to enter personal details, which are then subsequently sent to the fraudster behind the scam.
Scam 8: FedEx or UPS parcel scam
Similar to the AppleID scam, the FedEx scam is a traditional phishing email, sent out en masse in the hope that someone will be tricked into clicking the malicious link.
FedEx is a well-known brand and so is a favorite of fraudsters. Vade Secure publishes a quarterly report showing the brands most used by fraudsters; Microsoft, Amazon, and Netflix are also loved by scammers.
The FedEx scam, like the other phishing emails in our list, either uses malicious links or an infected attachment. The spoof FedEx email will invariably use a sense of urgency or concern to trick the recipient.
Scam 9: Bank smishing
Smishing (SMS phishing) is the mobile phone version of email phishing. A fraudulent SMS is received that attempts to get the recipient to click a link. Text messages are very successful vectors for phishing, with an open rate of around 98%; the rate for an email open is around 20%.
Bank smishing is used in an attempt to install malware, such as a banking trojan, onto the mobile device, or to lure the recipient to a spoof banking login page. A bank will not ask you to log in through a link in a text message; if in doubt, call the number printed on your card.
Now onto some business-specific scams
Scam 10: Business Email Compromise (BEC)
BEC costs U.S. companies around $300 million per month, according to a report by the U.S. Treasury Department. Business Email Compromise (BEC) uses a mix of social engineering, phishing emails, and surveillance of a company and its employees. The classic pattern is a message, apparently from an executive or a supplier, requesting an urgent payment or a change of bank account details.
The ultimate outcome is often the loss of hundreds of thousands, if not millions, of dollars. Any such request should be verified out of band, by phone to a number already on file, before funds move.
Scam 11: Deepfake scams
Recently, a CEO of a British company transferred $243,000 to a cybercriminal thinking it was going to a legitimate supplier. The CEO had been tricked by a cleverly disguised call which utilized Artificial Intelligence to make the caller sound like the head of the parent company – the CEO’s boss.
Audio and video deepfakes are expected to be increasingly used to scam both consumers and businesses.
Scam 12: Office 365 scam
Microsoft Office 365 is widely used across organizations of all sizes. But a report by Vade Secure showed that Office 365 was the number one brand spoofed and used to steal login credentials.
The Office 365 scam is a traditional phishing email that uses malicious links that go to a spoof Microsoft Office 365 login page. If the recipient enters their login credentials they will be stolen and used to login to the real Office 365 account.
Scam 13: Spear phishing scams
Spear phishing is like mass-mail phishing using the same types of tricks. However, spear phishing targets specific people in a company.
According to Symantec, 71% of targeted attacks start with a spear-phishing email. The typical targets of these campaigns are those who have access to sensitive files, documents, and databases. The emails attempt to steal the login credentials to these valuable resources in the same way a normal phishing email does, using malicious links or infected attachments.
However, they are much more convincing, because the attacker chooses the target and writes the email specifically to fool that person.
Scam 14: Google calendar scam
Many businesses use a Google Calendar to set up and record events. A Google calendar phishing scam was discovered by Kaspersky recently.
The scam abuses Google Calendar’s default of automatically adding invitations to a user’s calendar, so the event appears without the recipient ever accepting it. When the event notification fires at the scheduled time, it shows an offer to take a survey and claim a cash reward, containing a link.
This link takes the user to a website where they are encouraged to enter financial and personal details. Changing the calendar setting so that invitations are only shown once you have responded to them removes the entry point.
Scam 15: Slack scams
Slack is a highly popular collaboration portal for businesses. The Slack messaging app was used as a conduit for crypto-based phishing scams in 2018, and their success means that this conduit will be used again.
However, as crypto-prices have plunged, the next misuse of the Slack app will likely be for more traditional data harvesting such as financial or personal data.
I’d love to write that scams are easy to spot and can be eradicated. But you have to be very vigilant to keep on top of the tsunami of fraudulent emails, messages, texts, and Deepfakes.
Taking these steps can help:
- Using two-factor authentication;
- Ensuring computers have up to date security patches installed.
But the best way to stay secure is to know what you are up against, be cybersecurity aware, and to be vigilant.
Encountered a specific scam and would like us to look at it for you? Drop us a line in the comments below!