It Is Always Scam Season!
With the holiday season now behind us, we here in the northeast are fully entrenched in winter and I find myself looking forward already to the warm weather that comes with spring and summer. As these seasons come and go, we have learned that scam season is always here, and it is not going away – ever!
I have been working in IT and cybersecurity for 24 years now. Scams were around long before that and continue to grow in their sophistication and creativity. So, what do we do? We stay vigilant!
In the past few months, I have seen many new scams. Here are just a few of them:
Masquerading as Geek Squad
An individual received the above in an email. When this person thought they were being charged $341.99 for something they shouldn’t be charged for, they called the number listed in the email. The polite support agent (the bad actor) who answered the call understood, apologized for the mistake, and asked for the individual’s banking information to initiate a refund. Once the refund had been sent by the agent, the individual checked their bank account and could see there was a refund pending. However, the pending bank refund was for $34,199. It seemed like this support agent had accidentally sent the wrong refund amount and simply misplaced the decimal point. There was a pending refund in the individual’s bank account, so it did seem legitimate. The individual brought this to the support agent’s attention, and the agent immediately acknowledged the mistake and asked them to send back the more than $33K overpayment. However, as you might expect, that $34,199 pending refund never cleared. Thankfully the individual’s bank was able to step in and halt the $33K transfer before it could be accessed by the bad actor. This scam was nearly a success because the individual went solely off the word of the initial fraudulent email without verifying whether they had actually been charged via their bank account or credit card. Even with banking information provided, the bad actor still needed the individual to wire the money over, as they did not have the access needed to make such a large withdrawal without showing identification. Reading this, I am sure it seems obvious that it was a scam. Hindsight is always 20/20. When you are on the other end and thinking that money is wrongfully being charged against your account, you react a little more impulsively.
Urgent Vendor Invoice
In another recent scam, I witnessed a bad actor impersonating (via email and phone) the point of contact for one of an organization’s vendors. The bad actor sent the victim organization an invoice that needed to be paid. The invoice had numerous components that appeared legitimate, which makes sense, as a lot of research goes into these scams. There are criminals who do this work full-time. The victim employee even had a call with this bad actor to verify the charges, and on the same call the bad actor updated their vendor account information too (which should stand out as a red flag). In the end, an ACH payment was initiated for over $1 million. The scam was not discovered until the actual vendor reached out for payment, by which time it was too late. This incident led to many process improvements within the victim organization, including new rules that any ACH transaction would now require two levels of approval, and any account changes would now need to be escalated for executive approval.
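The two controls the victim organization adopted, plus the red flag the story points out (vendor banking details changed on the same call that "verified" the invoice), can be encoded as a pre-release check on outgoing ACH payments. This is an added illustration, not the victim organization’s actual code; the vendor names, account references and the 30-day window are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed threshold; the post names the red flag but gives no number.
RECENT_CHANGE_WINDOW = timedelta(days=30)

@dataclass
class Vendor:
    name: str
    account: str                              # masked account reference, never the real number
    account_changed_on: Optional[date] = None
    change_exec_approved: bool = False        # post: account changes escalate to an executive

@dataclass
class AchPayment:
    vendor: Vendor
    amount: float
    requested_on: date
    approvers: List[str] = field(default_factory=list)

def release_checks(p: AchPayment) -> List[str]:
    """Reasons the ACH payment must be held; an empty list means it may be released."""
    problems = []
    # Control 1 from the post: every ACH transaction requires two levels of approval.
    if len(set(p.approvers)) < 2:
        problems.append("needs two distinct approvers")
    v = p.vendor
    if v.account_changed_on is not None:
        # Control 2 from the post: any account change must carry executive approval.
        if not v.change_exec_approved:
            problems.append("bank account change lacks executive approval")
        # The red flag in the story: banking details changed right when an invoice arrived.
        if p.requested_on - v.account_changed_on <= RECENT_CHANGE_WINDOW:
            problems.append("account changed within %d days of this payment request"
                            % RECENT_CHANGE_WINDOW.days)
    return problems

def sample_scenarios() -> dict:
    """Constructed scenarios (not real vendors) so the checks can be exercised offline."""
    day = date(2024, 1, 15)
    steady = Vendor("Example Supply (constructed)", "acct-ref-0001")
    swapped = Vendor("Example Supply (constructed)", "acct-ref-0002",
                     account_changed_on=day - timedelta(days=2))
    return {
        "single_approver": release_checks(AchPayment(steady, 1_000_000.0, day, ["ap.clerk"])),
        "dual_approved": release_checks(AchPayment(steady, 1_000_000.0, day, ["ap.clerk", "controller"])),
        "fresh_account_swap": release_checks(AchPayment(swapped, 1_000_000.0, day, ["ap.clerk", "controller"])),
    }
```

The third scenario is the one from the story: even with two approvers, a payment to freshly changed account details is held until the change has executive sign-off and has been confirmed with the vendor through a contact you already trusted before the invoice arrived.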
The expansion of social media over the past two decades has allowed local sellers of various goods and services to reach a much wider national (and global) audience. This also includes the world of dog breeders. Many families have very specific needs or desires when it comes to selecting their new “fur babies”. In a particular incident I recently witnessed, a couple was in search of a puppy of a specific breed and, most importantly, hypoallergenic, as both of them had allergies to most dog breeds. They were struggling to find the perfect puppy in their local area, so they expanded their search radius with the help of social media. They found a Facebook group that helped connect dog breeders across the United States with families looking to buy a dog. This page appeared extremely trustworthy, as it held a vast community of conversations, thousands of members, and a dedicated section listing who they referred to as trusted and verified breeders. The couple got connected with a breeder on this trusted list and began conversations. They negotiated a price, received several seemingly legitimate and matching photos of the dog they would be receiving, and were provided with an address several states away where the dogs were supposedly living. The address looked like a normal home on Google Maps – nothing out of the ordinary. The seller required that a deposit be made via a non-refundable method (think Venmo or PayPal transactions for friends and family) to secure the dog ahead of time. The deposit was made, and the couple traveled to the address only to find that the family living there had no involvement in the scheme and had recently had several other buyers arrive, sent by the same bad actor. All communication from the bad actor ceased, and the couple was left without any means to recover their deposit.
While it remains a mystery how the bad actor managed to get listed as a trusted seller on what appeared to be a legitimate community page, there will always be a level of risk associated with sending any payment through these friends and family options.
These bad actors and fraudulent attempts are not going away. Training and education become even more important as we look to keep our employees, customers, family members, friends, and anyone who will listen informed and aware. Having a focus on security is an around-the-clock need for all companies, not just when it is convenient or as a reaction to an event. We all need to be proactive! Here are some of the steps organizations should take to proactively meet these evolving threats:
Regular Security Awareness Training
The standard requirement is to complete security awareness training upon hire as well as annually for all employees. This is something that should be outlined in your information security policies. This should also be accompanied by your executive leadership’s endorsement, with an emphasis on every employee’s attention to it. I like to use the term muscle memory with this kind of recurring training. The more you see it, the more aware you will be when that bad actor or scam attempt comes knocking.
Simulated Phishing Tests
I have certainly put a greater emphasis on completing phishing tests for all employees. This is not just a once-a-year test either. Conducting these tests regularly will significantly increase your employees’ awareness of phishing attempts from actual bad actors. No one wants to fail a test, and if they know that you are going to be testing them, they will be extra cautious when an actual malicious phishing attempt shows up in their inbox.
Share Your Experiences
This is exactly what I am doing here! When you work in this industry and have been a part of situations as I have explained above, it is your responsibility to share these experiences. Any one of us can get scammed. I attended a conference where a social engineering expert and author of eight books on social engineering explained that he was at one point successfully scammed too. That made me realize it can happen to anyone! I administer numerous in-person training sessions to companies all over the country. I use these real-life experiences and stories in all my training presentations. The good news for me is I always have fresh material. The bad news is that new material typically comes at the cost of a business or an individual being scammed.