New Social Engineering Scams

0
(0)

New Social Engineering Scams

The Old Ones Are Still Active But Fraudsters Are Now Adding More Tools To Their Bag Of Tricks

A SCARS Insight

According To Industry Sources, Cyber-Enabled Criminals Are Constantly Inventing New Attack Types

As scammers apply more institutional knowledge of the internet and online user’s behaviors they adapt their tactics. They are not giving up on the old techniques, but expanding to find more ways to scam victims – both individuals and corporations – from their money.

Here are the latest types of socially engineered scams running worldwide:

Social Engineering Against All Users

1: Browser Notification Hijack

Web sites have for several years asked visitors to approve “notifications” from the site. We do that on this website, but we use a reliable and secure partner to manage that (specifically OneSignal – an industry leader). Not all websites do use reliable partners – those that try to do it themselves can be vulnerable.

What was once a useful way to engage with readers and keep them up to date can be compromised and turned into a social engineering tool.

These are called push notifications, and they are valuable, but they can be weaponized on poorly managed websites. The problem is that many users blindly click ‘yes’ to allow these notifications. While many users have learned some level of caution with web browsers, the notifications appear more like system messages from the device itself, rather than the browser.

In our case, we offer that choice, but we also allow you to subscribe to our newsletter so you don’t have to use the push notifications- this is a safer alternative for most websites – unless they know what they are doing.

Once the cybercriminal has a user’s consent, they start inundating them with alert messages – and the messages are usually phishing schemes or scam notifications that contain malware.

Rule of thumb: if you receive more than a couple of alerts a day – you probably do not want their alerts anyway.

2: Deepfake Recordings

Social engineers are now using deepfakes – very realistic recordings that use artificial intelligence to simulate a specific person’s appearance or voice – to trick victims into divulging information or performing an action that benefits the scammer.

This means they can send better fake videos to victims of romance scams, etc. It also means they can fabricate fake adult intimate videos and photos for sextortion purposes with ease.

Audio deepfakes – in which the cybercriminal uses a “cloned” voice that is nearly indistinguishable from a real person’s voice to create a scam audio recording – are a real growing concern.

One of the earliest successful examples came in 2019, when a fake recording of a CEO’s voice was used to instruct an employee to immediately transfer money to an international account. The recording was left as a voicemail to the subordinate, who obeyed the fraudulent instructions and sent $243,000 to the attackers.

We are seeing criminals use deepfake recordings to company manipulate staff into sending money or offering up private information – only audio recordings so far, but Gerchow believes video deepfakes are just a matter of time. But these are also being used in other kinds of scams, such as romance scams.

Everyone needs to become much smarter and more knowledgeable fast.

3: Malicious QR Codes

QR code-related phishing fraud has become common in the last year.

QR codes – those machine-readable, black-and-white matrix codes arranged in a square – have become an increasingly popular way for companies to engage with consumers and deliver services in the midst of COVID-19. For example, many restaurants have ditched paper menus, and instead, allow patrons to scan a QR code with their smartphone. Similarly, many Girl Scouts posted QR codes for no-contact ordering and delivery of cookies this spring.

Here is the problem – you cannot see what web address the QR Code contains just by looking at it!

Many of the websites that QR codes send people to are operated by third-party vendors. When scanned, a malicious QR code can connect phones to a malicious destination – just like clicking on a bad link. Same concept; new wrapper.

QR Codes that appear on ads or other marketing material can offer everything from a menu, to access to a website, to a chance of winning an Xbox. Always look for a real web address and always be cautious. Only trust reliable sources.

4: Text fraud

Text messages have been a conduit for social engineering scams for a while, but texting tactics becoming very common and frequent.

A large portion of the population prefers communicating via text messages as opposed to the phone.  People are now extremely used to communicating very confidential types of information via text and it comes with risks.

Because grocery and food delivery has grown in the last year, delivery-related scam texts are up.  Other common lures include texts that promise information about COVID stimulus checks that link victims back to a website that looks like the IRS site and asks for sensitive personal information, such as a birth date and social security number.

If you get a questionable text, look at the sending number – have you seen it before? Do a quick search online and see what shows.

As with QR codes, victims simply have not developed the level of awareness and caution needed.

5: Typo-squatting or Lookalike Domains

This is actually not new but has become more sinister in the last year.

A Typo Domain uses common misspellings of a domain name that many people would naturally make. Mostly these have been used to gain ad exposures from people carelessly typing a web address. But increasingly they are used to fool victims in email addresses, or in directing unsuspecting victims to fake or malicious websites.

For example: think Gooogle instead of Google,  or by adding a different top-level domain (.uk instead of .co.uk). Unlike the often sloppy versions from earlier days, today these sites may feature sophisticated designs, carefully detailed mimicry of legitimate sites, and sophisticated functionality.

Lookalike domains – are often served up in a business email compromise (BEC) attack. Fraudsters impersonate legitimate domains in order to fool victims into thinking they are in a safe location or that an email is legitimate.

We saw an example of this from a scammer in Australia that used the name of a government anti-scam agency called “ScamWatch” in a domain name to fool scam victims into believing they were dealing with the government investigators. They were asked to pay an investigation fee. SCARS has it shut down in 2019, but criminals persist in creating fake businesses.

A perfect example – can you see what is wrong in this web address?

Typo-Domains - A Kind of Social Engineering Attack

Typo-Domains – A Kind of Social Engineering Attack

Social engineering victims are usually tricked into either feeling psychological safety by their choice or into seeking psychological safety in a way that will play into a criminal’s hands.

Criminals set up these sites not only to deliver malware but also to capture credit card information or other sensitive data through fake login fields or other fake forms.

Social Engineering Against Businesses

1: Supply Chain Partner Impersonation

Attacks that exploit parts of an organization’s supply chain are now a big problem. This is basically a variation of BEC scams, but scammers now have more than enough money to understand real business processes.

It’s not easy to defend what you can’t see, and you are only as strong as the weakest link. For example, there have been many targeted emails coming in that look like they are from your trusted partners but are in fact bad actors posing as employees you may know within your network.

Always verify, verify, verify. Create a new email from the address in your contact list, or through your connection on LinkedIn. Do not just reply to a message you receive.

These attacks have become even more detailed and sophisticated over time. They will look and sound good.

We see these long, sophisticated attempts to build trust or relationships with a company’s outbound-facing teams whose entire job is to help.

By establishing these trusted relationships, the criminals’ ultimate goal is to make standard social engineering tactics more effective, eliciting help in bypassing security controls, or sending malware or gaining information that will compromise the target company’s systems.

The SolarWinds attack is an example of a supply chain attack – in that case, a specific version called a vendor email compromise attack (VEC) was used. As SolarWinds officials noted, an email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.

2: Collaboration Scams

With this social engineering tactic, cybercriminals target professionals in collaborative fields, including designers, developers, and even security researchers. The lure is an invitation that asks them to collaborate on work via an app or website.

Recent pandemic lockdowns and expanded work-from-home increased people’s comfort with remote collaboration, so this tactic fit the times well.

The cybercriminal sends over a Visual Studio Project containing malicious code. The user runs the program, and their device is infected pretty quickly. This attack essentially exploits the desire or need to assist or help others with passion projects.

Obviously, you should never accept or open an email or other attachments from people that you do not know! And never run anything that can be executed on your computer.

These attacks are often well-crafted, showing great attention to detail – but especially for people that live on the web – they should know better!

Criminals posed as active researchers and built social proof documents – with apparent third parties validating their research – using a blog including articles from industry sources as ‘guest posts,’ Twitter accounts, YouTube videos, LinkedIn, Discord, and more, A suspicious victim may be put at ease by this seemingly wide social footprint. But like all things online, don’t trust anyone!

If someone wants to participate in research then do it through a known channel such as RsearchGate.

PLEASE SHARE SO OTHERS WILL KNOW

SCARS Publishing Self-Help Recovery Books Available At shop.AgainstScams.org

Scam Victim Self-Help Do-It-Yourself Recovery Books

SCARS Printed Books For Every Scam Survivor From SCARS Publishing

Visit shop.AgainstScams.org

Each is based on our SCARS Team’s 32-plus years of experience.

SCARS Website Visitors receive an Extra 10% Discount
Use Discount Code “romanacescamsnow” at Checkout

Legal Disclaimer:

The content provided on this platform regarding psychological topics is intended solely for educational and entertainment purposes. The publisher makes no representations or warranties regarding the accuracy or completeness of the information presented. The content is designed to raise awareness about various psychological subjects, and readers are strongly encouraged to conduct their own research and verify information independently.

The information presented does not constitute professional advice, diagnosis, or treatment of any psychological disorder or disease. It is not a substitute for professional medical or mental health advice, diagnosis, or treatment. Readers are advised to seek the guidance of a licensed medical professional for any questions or concerns related to their mental health.

The publisher disclaims any responsibility for actions taken or not taken based on the content provided. The treatment of psychological issues is a serious matter, and readers should consult with qualified professionals to address their specific circumstances. The content on this platform is not intended to create, and receipt of it does not constitute, a therapist-client relationship.

Interpretation and Definitions

Definitions

For the purposes of this Disclaimer:

  • Company (referred to as either “the Company”, “We”, “Us” or “Our” in this Disclaimer) refers to Society of Citizens Against Relationship Scams Inc. (registered d.b.a. “SCARS”,) 9561 Fountainbleau Blvd., Suit 602, Miami FL 33172.
  • Service refers to the Website.
  • You means the individual accessing this website, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
  • Website refers to RomanceScamsNOW.com, accessible from https://romancescamsnow.com

Website Disclaimer

The information contained on this website is for general information purposes only.

The Company assumes no responsibility for errors or omissions in the contents of the Service.

In no event shall the Company be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. The Company reserves the right to make additions, deletions, or modifications to the contents on the Service at any time without prior notice.

The Company does not warrant this website in any way.

External Links Disclaimer

This website may contain links to external websites that are not provided or maintained by or in any way affiliated with the Company.

Please note that the Company does not guarantee the accuracy, relevance, timeliness, or completeness of any information on these external websites.

Errors and Omissions Disclaimer

The information given by SCARS is for general guidance on matters of interest only. Even if the Company takes every precaution to ensure that the content of this website is both current and accurate, errors can occur. Plus, given the changing nature of laws, rules, and regulations, there may be delays, omissions, or inaccuracies in the information contained on this website.

SCARS is not responsible for any errors or omissions, or for the results obtained from the use of this information.

Fair Use Disclaimer

SCARS may use copyrighted material that has not always been specifically authorized by the copyright owner. The Company is making such material available for criticism, comment, news reporting, teaching, scholarship, or research.

The Company believes this constitutes a “fair use” of any such copyrighted material as provided for in section 107 of the United States Copyright law.

If You wish to use copyrighted material from this website for your own purposes that go beyond fair use, You must obtain permission from the copyright owner.

Views Expressed Disclaimer

The Service may contain views and opinions which are those of the authors and do not necessarily reflect the official policy or position of any other author, agency, organization, employer, or company, including SCARS.

Comments published by users are their sole responsibility and the users will take full responsibility, liability, and blame for any libel or litigation that results from something written in or as a direct result of something written in a comment. The Company is not liable for any comment published by users and reserves the right to delete any comment for any reason whatsoever.

No Responsibility Disclaimer

The information on the Service is provided with the understanding that the Company is not herein engaged in rendering legal, accounting, tax, medical or mental health, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional accounting, tax, legal, medical or mental health, or other competent advisers.

In no event shall the Company, its team, board of directors, volunteers, or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever arising out of or in connection with your access or use or inability to access or use the Service.

“Use at Your Own Risk” Disclaimer

All information on this website is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability, and fitness for a particular purpose.

SCARS will not be liable to You or anyone else for any decision made or action taken in reliance on the information given by the Service or for any consequential, special, or similar damages, even if advised of the possibility of such damages.

Contact Us

If you have any questions about this Disclaimer, You can contact Us:

  • By email: contact@AgainstScams.org

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use. 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

View the claimed and or registered indicia, service marks, and trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the law firm for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org

Share This Information - Choose Your Social Media!

Leave A Comment

Your comments help the SCARS Institute better understand all scam victim/survivor experiences and improve our services and processes. Thank you


Thank you for your comment. You may receive an email to follow up. We never share your data with marketers.