Cisco UK & Ireland Blog

The most popular online scams, and how to avoid falling for them


September 30, 2019


One of the oldest internet scams is the infamous “Nigerian Prince”. The internet version dates back to the mid-1990s and has even been immortalised in pop culture (see “The Office”, season 2). Its origins as an advance fee scam actually go back to the French Revolution, but that’s another story…

The principle of an advance fee scam is relatively simple and involves no malware at all. Indeed, why invest lots of money in malware when you can simply catch someone off their guard and talk them into paying?

The Nigerian Prince scam has hung around for decades because, well, it works. It has a very small success rate, but that’s still enough to make it worthwhile.

For this blog, here are some of the scam types we see most often. They have moved on from the Nigerian Prince template in that they carry more context and are harder to spot. The aim of this article isn’t to scare anyone, or to encourage anyone to live life henceforth in a cave, but to encourage you to take a few more seconds to consider whether something sounds too good to be true, or is simply a blatant lie.

1. PHISHING

The most prolific scam out there today. A phishing campaign is designed to make you hand over your usernames, passwords or personal information to someone who has no business having them at all. The scammer will likely have created a professional-looking email purporting to be from a trustworthy organisation.

For example, if you’re based in the UK, you may well have had an email from an organisation claiming to be TV Licensing. These typically say that your direct debit didn’t go through, and focus rather heavily on the fines you are about to incur if you don’t update your financial information.

There are a few signs to spot that this is fake – and these rules should be applied to any email that you receive from an organisation or person you don’t know.

  • Check the email address. Although the sender’s display name might well be ‘TV Licensing’, the actual address will be something rather different. The display name is free text and proves nothing; the domain after the @ is what matters.
  • A scammer tends not to refer to you by name. They will use the part of your email address before the @, or say ‘Dear Customer’. Most genuine organisations will address you directly, particularly when it comes to important matters like account information.
  • Hover over the link it asks you to click on (without actually clicking it). If the destination looks odd, or doesn’t match the text of the link, it’s probably fake, and going to that website and entering your card details will unfortunately only fund cyber criminals, not your TV licence renewal.
  • Numerous spelling and grammatical errors, or blurry logos. If the email appears to have been carelessly crafted, it may not be legitimate.
  • Sense of urgency. If an email asks you to take immediate action, threatens a deadline or a fine, or piques your curiosity, be very suspicious.
  • Request for personal or sensitive information. Never reply to an unsolicited email asking you for personal, financial or sensitive information.
  • Unrecognised file type. In most professional capacities, only a few file types should ever be sent by email. If the file type looks strange (an executable, a script, or a ‘PDF’ that is really invoice.pdf.exe), don’t open it.
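Those checks can be applied mechanically. As an added example, not code from the original post or from Cisco, the Python below runs the sender, greeting, link, urgency and attachment checks over a constructed message modelled on the TV Licensing lure and over a constructed genuine one. The brand allowlist (`BRAND_DOMAINS`), the keyword lists and both sample messages are assumptions made up for this demonstration; the link extraction uses a deliberately simple regular expression rather than a full HTML parser.

```python
"""Added example (not Cisco's code): apply the manual phishing checks above
to a raw email. Allowlist, keyword lists and samples are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: where the real organisation sends mail from (hypothetical allowlist).
BRAND_DOMAINS = {"tv licensing": {"tvlicensing.co.uk"}}
URGENCY = re.compile(r"\b(immediately|within 24 hours|final notice|suspended|fine|penalty)\b", re.I)
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".iso", ".img", ".docm", ".xlsm", ".lnk", ".html")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # crude on purpose


def registrable(host):
    """Crude 'domain a person would read': last two labels, three for co.uk-style suffixes."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "gov", "ac"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def check_message(raw):
    """Return a list of human-readable phishing indicators found in `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name claims one organisation, the address domain is another.
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    for brand, good in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable(domain) not in good:
            findings.append(f"sender name '{name}' but address domain '{domain}'")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body is not None else "")

    # 2. Generic greeting instead of your name.
    if re.search(r"\bDear (Customer|User|Member|Sir/Madam)\b", text, re.I):
        findings.append("generic greeting")

    # 3. The 'hover' check: link text shows one domain, href goes somewhere else.
    for href, shown in ANCHOR.findall(text):
        shown = shown.strip()
        if not LOOKS_LIKE_URL.match(shown):
            continue
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if registrable(shown_host) != registrable(href_host):
            findings.append(f"link text '{shown}' actually points to {href_host}")

    # 4. Pressure to act now.
    if URGENCY.search(text):
        findings.append("urgency language")

    # 5. Attachment type nobody should be emailing you.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            findings.append(f"risky attachment {fname}")
    return findings


# Constructed sample: the TV Licensing lure described above.
PHISH = """\
From: TV Licensing <alerts@tvlicensing-refunds.example>
To: victim@example.org
Subject: Your direct debit failed - act now
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your payment could not be taken. Update your details within 24 hours to avoid a fine:
<a href="http://secure-login.tvlicensing-refunds.example/pay">https://www.tvlicensing.co.uk/pay</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""

# Constructed sample: a genuine message passes the same checks cleanly.
LEGIT = """\
From: TV Licensing <noreply@tvlicensing.co.uk>
To: victim@example.org
Subject: Your TV Licence renewal confirmation
Content-Type: text/plain; charset="utf-8"

Dear Ms Smith,

Thank you, your licence has been renewed. No action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(sample))
```

Run on `PHISH` it reports all five indicators; on `LEGIT` it reports none. None of these signals is proof on its own (a real organisation may use an unexpected sending domain, and “fine” appears in innocent sentences), which is why the list above says to treat them as reasons to pause and verify rather than as a verdict.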

 

2. PACKAGING AND INVOICE SPAM

“I don’t remember buying a subscription to this mobile app,” you say to yourself. That’s at least what the email implies: a lifetime subscription to, say, a movie club. Hold on, the location listed in the invoice says it was purchased in Sri Lanka. And you don’t even live in Sri Lanka. “There must be some mistake,” you say to yourself as you quickly open the attached PDF to investigate.

Unfortunately, that PDF contained an exploit, which ultimately downloaded Emotet onto your device.

The scam varies but usually centres around a package you didn’t order, an invoice for something you didn’t purchase, or a monthly payment for a subscription or service you didn’t enroll in. This can lead to any number of malicious results, from stolen banking credentials to cryptomining.

Here, it’s important to pay close attention to banner warnings asking you to ‘Enable Editing’ or ‘Enable Content’ so that extensions or macros can run. A genuine invoice or delivery note never needs macros to be readable, so if you’ve received a warning about them, go no further!
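You can also tell whether an Office attachment carries macros before opening it in Office at all. As an added example, not code from the original post or from Cisco, the Python below looks inside a modern Office file (a .docx/.docm/.xlsm is a zip archive) for the `vbaProject.bin` part and the VBA content type declared in `[Content_Types].xml`. The two minimal archives it builds in memory are constructed stand-ins for real documents, not valid Word files; legacy binary .doc/.xls files use the OLE format and need a different check, which this example deliberately does not attempt.

```python
"""Added example (not Cisco's code): detect VBA macros in an OOXML attachment
without opening it. Sample archives are constructed in memory for the demo."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def has_vba(data: bytes) -> bool:
    """True if `data` is an OOXML zip containing a VBA project (by part name or content type)."""
    if not data.startswith(b"PK"):
        return False  # not a zip container; legacy OLE .doc/.xls are out of scope here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return False
    return False


def classify(filename: str, data: bytes) -> str:
    """Combine the extension hint with the content check into advice for the reader."""
    if has_vba(data):
        return "macro-enabled: do not open without verifying the sender"
    if filename.lower().endswith(MACRO_EXTENSIONS):
        return "macro-enabled extension but no VBA found: still treat with suspicion"
    return "no macros found"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped archive (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<?xml version="1.0"?><Types>',
                 '<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("invoice.docm ->", classify("invoice.docm", build_sample(True)))
    print("invoice.docx ->", classify("invoice.docx", build_sample(False)))
    print("invoice.pdf  ->", classify("invoice.pdf", b"%PDF-1.4 not a zip at all"))
```

Checking both the part name and the declared content type matters because an attacker controls the file and may rename parts; the point is to make the decision from the file’s contents rather than from the icon or the extension the email shows you.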

3. ONLINE TICKET FRAUD

Online ticketing scams are on the rise. This is when consumers are tricked into buying fake tickets for sporting events or concerts (usually high-profile ones, where demand outstrips supply and buyers are less cautious).

The fake tickets will tend to be a duplicate, or have a forged bar code that won’t allow entry, or there might be no ticket issued at all.

Here are some tips to help protect against online ticket fraud:

  • Buy only from organisations that you know and trust. Where this isn’t possible, perform an online search for the seller, perhaps with the word ‘scam’ in front of the organisation’s name, so that you find any forums where complaints or reviews have been submitted.
  • Don’t rely on the padlock symbol. It only tells you that the connection to the site is encrypted, not that the site is honest; scam sites use HTTPS too. Check that the address is the one you expected, not a look-alike.
  • Beware of the rise of malvertising (fake adverts that link you to malicious websites). As before, search for the vendor and verify their authenticity before you make any purchases, rather than following the advert itself.

 

4. DIGITAL EXTORTION

Digital extortion campaigns leverage threats against your reputation, your relationships, and sometimes even your life. Unlike the Nigerian Prince scam, which dangles a reward, here we see a transition from carrot to stick…

Let’s say, for example, that you received an email whose subject line contains both your username and a password you recognise. Surprising as this would be, it’s the body of the email that really gets your attention.

Whoever this is claims to have compromised a pornographic website and that you visited it. The scammer says he or she took control of your monitor and webcam, recorded both you and the pornographic material, and then synced the two video streams up.

As if this wasn’t disconcerting enough, the scammer claims to have gathered all of your contacts from Messenger, Facebook, and email. Finally, the scammer insinuates that it sure would be embarrassing if the video were to be sent to all of these contacts.

Now the scammer claims that he or she isn’t a monster and could easily erase this material. In fact, they’re willing to make it all go away for the paltry sum of a thousand dollars worth of Bitcoins.

If this sounds like extortion, that’s because it is. It’s also a bluff. Much like advance-fee scams, in these “sextortion” scams the malicious actors prey upon a vulnerable segment of users. Through the use of mass-mailing phishing campaigns, they’re expecting a portion of the recipients will think that they may have, at some point, performed said task in front of a device with a camera. They’re counting on the fact that a subset of those recipients would be subjected to intense enough shame and embarrassment that they will pay money to avoid it, true or not.

First and foremost, there is no truth to these emails. This is another series of phishing campaigns sent out in bulk, hoping to trick just enough recipients to make the scammer’s efforts profitable. The password in the subject line is real, but it was not captured from your webcam: it comes from an old data breach of some third-party site, bought or downloaded in bulk. If you still use it anywhere, change it, and then ignore the email. The lion’s share of these messages have been distributed through the Necurs botnet, putting their legitimacy on a par with the pump-and-dump scams, ransomware, and other malicious activity the botnet has come to be known for.

These emails are also full of more than their fair share of techno-babble. That’s not to say it’s impossible to view a desktop or webcam remotely; it’s just highly improbable in the way the scammer describes it. But the scammers are counting on these emails reaching users who wouldn’t know this. Just as vulnerable recipients of advance-fee scams overlook the spelling and grammatical errors, so the victims here either overlook the technical details or don’t understand them well enough to realise how unlikely such a hack is.

5. FAKE CROWDFUNDING

This is perhaps the most disturbing of all the scams, because it preys on people’s willingness to help others in need.

The bad guys, at their most creative, will make up a story about how they need help because they are homeless, their parents kicked them out, or they need costly medical treatment. They will try to use existing crowdfunding websites such as GoFundMe for these tales.

Whilst I would never want to discourage anyone from giving to others in need, here are a few pointers to help you tell the fake stories from the ones who truly need your support.

  • Has a donation been requested? If so, is there a charity directly involved (with its logo on the page), or are you paying an individual? If you don’t know the individual, try to verify their campaign first.
  • You can do this by searching for the campaign in question. It may well have made headlines, for all the right or wrong reasons.
  • The page should be very clear about how the money will be spent. If there’s no mention of that, treat it as a warning sign.
  • Don’t accept friend or contact requests on social media from people you don’t know. They may well be trying to draw you into such a campaign.

The last thing to mention is that most online scams prey on a user’s sympathy, fear or greed. They want you to make decisions in a hurry by targeting one of those things. We would encourage you to take a few seconds to verify, so that you don’t end up either out of pocket or another statistic of online fraud.

 


1 Comments

  1. Thanks for the update