The “creativity” behind internet scams continues to mature into one of the leading forms of crime. (It is the fastest growing crime in the United States.) Scams like ransomware and catfishing seem old hat by now, even though people are still swindled out of money. Emerging schemes like virtual kidnapping and smishing (a type of phishing via text messages) are just emboldened scammers taking advantage of the latest and most popular.
According to the Federal Trade Commission, impostor scams (catfishing, virtual kidnapping, elder fraud) were the top fraud in the United States, with over 350,000 reports in 2017. An estimated $328 million was stolen — and this is just what was reported. Cybercrime in general is the fastest growing crime nationally, and it is estimated that by 2021 it could cost $6 billion internationally.
Many impostor scams that were popular prior to the online boom have become more prevalent and easier to pull off because of the increased access to personal information on the web. Scams that were once done over the phone can now be done via an e-mail message or more recently, a text message.
During our research, we found that there are over 70 classifications of internet-based fraud, which the Internet Crime Complaint Center (IC3) defines as “the use of internet services or software with internet access to defraud victims or to otherwise take advantage of them.” Seems pretty straightforward, but we put together a list of the most common internet scams that you may or may not be aware of — and some helpful tips to help you steer clear of the constant waves of opportunistic tricksters.
Through an Electronic Message
Most of us are familiar with phishing — when a scammer attempts to gain critical information like a username or password to “break into” a personal account. Scammers have used all sorts of phishing schemes, including one where a scammer used a bank’s logo and created a fake email address very similar to the bank’s name. In the email, the scammer included a fraudulent link to gain access to the victim’s personal information (i.e. “fill out this form to activate your new bank card”).
There are a couple different versions:
- Spear phishing is when the scammer targets a specific person, organization or business. Famously, the chairman of Hillary Clinton’s presidential campaign was spear phished in an email saying someone in the Ukraine was trying to log into his Gmail account. He clicked the link, entered his username and password, and his account was breached.
- Whaling targets businesses or high-level executives, or the email seems to come from a high-level executive, providing the scammer access to an account. Employees receive an email that appears to be from the CEO, like in 2016 when Snapchat’s CEO was impersonated by a scammer, who emailed the company’s payroll department. The scammer was able to gain access to personal information of current and former Snapchat employees.
- Smishing targets victims through an SMS (text) message that includes a link to a fake bank account or some kind of financial institution. The victim is prompted to fill out a form when they click on the link in the text message, duped into a simple phishing attack. This spring, some Canadians were tricked into thinking they were receiving a tax return from the Canada Revenue Agency via a popular online money transfer service.
Too Good to be True
Then there are the scams that seem too good to be true — but victims still fall for them, either because they are very convincing or because there seems to be no way they can lose in the scenario.
- Nigerian scams (aka Nigerian 419) are the scams that most people are familiar with. They involve someone overseas offering a share of money or a payment if you help them to transfer money out of their country to a bank account in the United States. (They are basically asking the victim to “hold it for them.”) The scammer — often from Nigeria, sometimes claiming to be a prince — promises they’ll provide a small holding fee for you if you give them your account information for the massive deposit. In providing all of this information, you give the scammers access to your account. It would be just as easy for them to make a withdrawal from your account as a deposit. Victims are contacted via email, social media, text message, etc. and relayed an elaborate story of why the scammer needs help. The scams aren't necessarily centered around depositing money from a different country. They can involve catfishing, fake lottery winners, and even selling college textbooks or prepaid credit cards and immediately returning them before they can be sent to the customer (the victim). In June, a major arrest saw 74 people taken into custody, including 29 in Nigeria. The scam involved going through SEC filings, spoofing emails and doing extensive research in order to reach their targets: CEOs, CFOs and controllers. Some emails had malware attached as well, maybe in a link that would enable a victim to directly wire money to them.
- Becoming a secret shopper is another way scammers are able to steal from their victims, who answer an ad they found online. Seems like a good gig: you’ll be sent a check to cover expenses you incur purchasing the products you’re asked to review (or in some cases, the services you review, like purchasing money orders or gift cards.) Victims are then asked to send photos of the items or proof of purchase. Days later, the bank realizes the check was fake and the victim is on the hook for the entire amount.
- Bitcoin and cryptocurrency are really popular, but still a mystery to a lot of people, which doesn’t stop them from trying to “get in on the ground floor.” A victim makes an initial investment and establishes their “digital wallet,” which can be hacked or compromised while making an investment or purchasing a fake ICO (initial coin offering). Victims are also open to the “pump and dump” scam, where they are fooled into investing in an alternative coin that is cheap, but high risk. Once that certain cryptocurrency is “pumped” up, skyrocketing its value, the scammers cash out and “dump” their cryptocurrency onto the uninformed investors who bought into it thinking it was the next big thing. These scams are successful because many people just aren’t savvy enough to understand the concept, or the market itself isn’t regulated the way it should be.
- Rental scams have hit a variety of targets: college students and those looking for affordable housing, senior citizens looking for their retirement home, travelers looking for a great vacation spot. Scammers will create fake online ads for homes, apartments, condos, etc. and ask for a down payment, an application fee, etc. — sight unseen, no visit to the actual location. Victims are just going off what they see on a website like Trulia, Craigslist, eBay, etc. After making the initial payment, they show up to the location, where the scammer is nowhere to be found and, oftentimes, the property wasn’t even available to begin with. (Sometimes these ads are a mishmash of photos collected off Pinterest or home design sites and magazines — a completely fabricated property.)
- There are several kinds of buyer scams, which simply are a misrepresentation of the advertised product. One item is advertised, and when you submit your payment, you either get an item of far less value and quality, or sometimes nothing at all. Tickets to concerts and sporting events are prime for this. This scam involves victims searching for tickets for an event on a website, finding their desired tickets, and purchasing them from the “original” ticket holder. They’re sent a virtual ticket via email or text message, but by the time they reach the venue on the day of the event, the actual ticket holder has used the physical ticket to enter the event, or the original ticket holder sells the physical ticket to someone else.
Sometimes, the customer is the scammer: the customer orders an item online and claims that it was never delivered (although it was), and either is refunded the cost of the item or issued another one.
- Astroturfing is abusing the power of customer reviews on sites like Yelp, Facebook, Amazon and others. Either a place of business will post rave reviews from fake customers about their product, or a business will post bad reviews about a competitor. In a landmark case, a man was sentenced to nine months in prison for posting fake TripAdvisor reviews in Italy.
- Continuity scam victims are subjected to hidden charges after an initial purchase or agreement, when the customer doesn’t read the fine print. Long terms of service are a great place to hide fees, like a large monthly service charge or an annual subscription fee. Customers will agree to a free sample and submit credit card information to cover the shipping and handling, but will be saddled with the subsequent, hidden charges. Trying to end the charges is difficult at times because “you agreed to the terms” or, sometimes, because the customer can’t get hold of customer service. A woman in Chicago was cheated out of $180 for a skin care product that she had ordered online as a free trial, expecting she was only covering the cost of shipping by providing her credit card number. Instead, she was tagged with a hidden monthly fee.
Like good old-fashioned extortion, victims are required to pay a ransom in order to regain something — control of databases, personal information, or the safe return of a loved one. Scammers have found multiple ways to extort victims, including:
- Debt relief scams require a victim to send a fee along with loan information and power of attorney authorizing transactions on the client's behalf. A group in Arkansas swindled vulnerable victims — including the elderly — out of $2.4 million. Victims were told that they owed a tax debt and needed to pay by the end of the day, usually via a wire transfer, or they would face jail time or a larger fine. By sending their information under the guise of working out their debt, victims hand over the power to control their finances.
- Hitman, virtual kidnapping and bomb threat scams use the internet and electronic messaging to deliver the threats and ransom payments. In the hitman and bomb threat situations, victims receive electronic threats (email, text message) that either someone close to them will be killed (hitman) or there is a bomb planted that will be detonated unless money is wired to the scammers. In the case of virtual kidnapping, a victim is profiled by the scammer online through social media. Specifics like the names of a loved one, where they go to school, etc. are collected from the information shared in social media posts and then used by the scammer during the ransom phone call. Wealthier families were the initial targets, but lately, families of foreign exchange students have been sought out and contacted, with scammers demanding ransom in exchange for the safety of their family member who is away in a foreign country.
- Scammers have also hijacked social media profiles and gained access to login information, demanding a ransom from the victims for the return of control of their account. Some scammers have posted controversial content on these accounts that in no way reflects the thoughts, feelings or beliefs of the account holder and misrepresents them. Recently, Instagram users have been targeted, having their accounts hacked.
- Malware and scareware are software intended to damage or disable computers, computer systems or other electronic devices. Victims unknowingly download the software to their computers, hidden in things like fake gift card offers or other harmful links in emails and on websites. Scammers can use the software to gain access to other accounts and to devices in general.
- When an attacker encrypts a victim’s files with the promise of only decrypting them in return for a fee, that is considered ransomware. A Scottish brewery was locked out of its computer systems after an infected PDF, disguised as a resume, was opened. To recover the data, scammers demanded two bitcoin for the encryption keys. Petya malware targets Microsoft Windows-based systems and infects the hard drive, disabling the ability to boot Windows. Scammers in this scenario also demand a ransom of bitcoin from victims to regain access to their system.
- Sextortion is when a scammer lures a victim into an online romantic relationship and encourages the victim to take an explicit photo or record a sexual act on camera, either live or to send to the scammer. The scammer then threatens to release the footage unless a fee is paid. Another form, which was recently outlawed in Maryland, holds entering into a sexual relationship over the head of the victim with threats of public shaming or financial retaliation (i.e. sleep with your boss or lose your job).
Romance scams, commonly known as catfishing, are when a victim is lured into an online relationship by a person behind a fake identity. Sometimes the victim is swindled out of money by the scammer claiming they need to pay for travel, need to cover bills, or have found themselves in a tricky situation overseas, as happened to a woman late last year. Some common fake personalities of catfishers have been members of the military.
Distributed Denial of Service (DDoS) attacks involve a business’ website being bombarded with a large volume of traffic from many sources. During that time, scammers will use the volume as a diversion to commit fraud, or test how vulnerable the system may be for a future attack of a different kind. It can also prevent customers from accessing the website to complete transactions, such as on bank or e-commerce sites. The Mirai Botnet attacked several internet and telecom providers, including French telecom provider OVH and US tech company Dyn, affecting the internet as a whole, slowing and even stopping service. It was later discovered the attack was launched by several college students who were looking to gain an advantage playing the popular online game Minecraft.
What Can You Do?
It may seem nearly impossible to guard yourself from internet crime — other than maybe going completely offline — but there are a couple of things you can do to protect yourself.
- First and foremost, a good rule of thumb: if it sounds too good to be true, it probably is. No one will ever ask you for a bank account number or credit card information if you’ve won a prize; if they won’t send a check — which is a reasonable request — you don’t need the prize. Never give out personal information.
- Do not share your personal information with anyone before verifying their credentials.
- Only work through a secure financial setting; never directly give your bank account information. PayPal or Venmo are good alternatives.
- Make sure you have up-to-date anti-virus software and a firewall installed, and that your browser is set to the highest level of security notifications. Update your passwords to something stronger than a birthdate, something unique. And use different passwords for different accounts.
If you feel you may have been scammed, change all of your passwords, and if you can, delete any malware. Contact your bank or credit card provider immediately if there was a transaction that took place, and be sure to file a complaint with IC3. Be sure to have the following information ready to share in order to make your complaint more effective: contact information, any financial transaction information, and who the fraudsters were (any contact information, email headers if available, details about the scam and any other relevant information).