The FBI warns of hackers stealing payroll direct deposit information via social engineering. Also, the top 3 scams by magnitude of losses in 2022.
Yet another scathing report from the FBI. Hackers are now stealing people’s payroll direct deposit information and diverting it to their accounts. How does this happen? Better question, why does it continue to happen?
I think that companies are not properly training their employees to thwart a potential social engineering attack. What does this look like? A person claiming to be from the IT department calls, knows a lot of pertinent details about the system and sounds like they are just doing their job. They ask for your password (or for the one-time code your phone just received) to resolve some issue, and before you know it, you have handed over the keys to the kingdom. A legitimate IT department never needs your password or your one-time code; any caller who asks for either is, by that fact alone, not who they claim to be.
Social engineering is incredibly powerful and sneaky, since the people who practice it can be very skilled. It’s like buying a car: you may purchase one every few years, but the salesman sells them every day and is used to every type of objection or scenario. The same goes for hackers who do social engineering: they do it all day long and know the emotional triggers that make people spew out information.
In the case of this attack, once they can log in to your payroll or HR portal, they change the direct deposit account to one they control and turn off the change notifications, so you don’t find out until a paycheck fails to arrive. Payroll providers can blunt this by confirming every bank-account change through a channel the attacker cannot silence from inside the account, such as a message to the employee’s manager or to a previously verified phone number.
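The pattern above (a direct-deposit change next to notifications being switched off) is exactly what a payroll provider's audit log can be watched for. The following is an added example, not code from the original post or from any payroll provider; the JSON event format, the event names and the sample log lines are constructed assumptions.

```python
"""Detection over payroll-portal audit events for the pattern described above:
a direct-deposit change paired with notifications being switched off.

Added example, not code from the original post or from any payroll provider;
the JSON event format and field names are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed sample audit log, one JSON event per line.
SAMPLE_LOG = """\
{"ts": "2023-03-01T09:12:00", "user": "alice", "event": "login", "ip": "203.0.113.7"}
{"ts": "2023-03-01T09:13:10", "user": "alice", "event": "notifications_disabled", "ip": "203.0.113.7"}
{"ts": "2023-03-01T09:14:02", "user": "alice", "event": "direct_deposit_changed", "ip": "203.0.113.7"}
{"ts": "2023-03-02T14:00:00", "user": "bob", "event": "login", "ip": "198.51.100.4"}
{"ts": "2023-03-02T14:05:00", "user": "bob", "event": "direct_deposit_changed", "ip": "198.51.100.4"}
{"ts": "2023-03-05T08:00:00", "user": "carol", "event": "notifications_disabled", "ip": "192.0.2.9"}
"""

PAIRING_WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_changes(events, window=PAIRING_WINDOW):
    """Return (user, change_time, severity) for every direct-deposit change.

    Every change rates at least 'medium' (the employee should be told through
    a channel the attacker cannot switch off). A change with notifications
    disabled within `window` of it, before or after, is the attacker's
    pattern and rates 'high'."""
    by_user = {}
    for rec in events:
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        silenced_at = [r["ts"] for r in recs if r["event"] == "notifications_disabled"]
        for rec in recs:
            if rec["event"] != "direct_deposit_changed":
                continue
            paired = any(abs(rec["ts"] - t) <= window for t in silenced_at)
            findings.append((user, rec["ts"], "high" if paired else "medium"))
    return findings


if __name__ == "__main__":
    for user, when, severity in find_suspicious_changes(parse_events(SAMPLE_LOG)):
        print(f"{severity:6} {user:6} direct deposit changed at {when.isoformat()}")
```

On the constructed log this flags alice as high (notifications silenced a minute before the bank account changed) and bob as medium (a plain change, still worth an out-of-band confirmation); carol silenced notifications but changed nothing. A real deployment would add the login context (new device, new IP, recent password reset) as further reasons to escalate.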
According to the FBI, here is the list of the top 3 scams by magnitude of losses, from highest to lowest, last year.
Let’s go over the list to understand what all the crimes are and how we can help prevent them.
Business e-mail compromise normally targets businesses doing transactions internationally, but the attackers don’t stop there. Once they get hold of your e-mail, they can use it to reset and verify other accounts and impersonate you in several types of transactions, including unauthorized transfers of funds. E-mail confirmation is at the very heart of our identity on the internet, and having it compromised can be catastrophic for your business or for you personally.
The easiest way to protect against this is a strong, unique password plus two-factor authentication. This means that a password alone is not enough to log in: each sign-in from a new device also has to be approved with a second factor. This can be a simple code sent to you via text or, more securely, a code from an authenticator app such as Google Authenticator. A text message can be intercepted by a crook who has talked your carrier into moving your number to their SIM card; an authenticator app is immune to that, because its secret never leaves your phone after setup. Either way, the code is for you to type into the login screen, never to read out to someone who calls.
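For readers who want to see why the authenticator-app code is the stronger option, here is how such an app derives its six digits (RFC 4226 HOTP and RFC 6238 TOTP): an HMAC over a 30-second time counter, keyed with a secret that is shared once at enrolment and never transmitted again, unlike an SMS code that crosses the phone network on every login. This is an added example, not code from the original post or from Google Authenticator; the secret used is the published RFC 6238 test-vector key, not a real credential, and the `verify` routine with its one-step clock tolerance is the author of this example's illustration of the server side.

```python
"""How an authenticator app computes its code (RFC 4226 HOTP / RFC 6238 TOTP):
HMAC-SHA1 over a 30-second time counter, keyed with a secret shared once at
enrolment and never sent again, unlike an SMS code that travels the phone network.

Added example, not code from the original post. The key below is the RFC 6238
test-vector secret, not a real credential."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check (illustrative): accept the current step and `skew`
    steps either side for clock drift; compare in constant time."""
    for i in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, unix_time + i * step, step), submitted):
            return True
    return False


RFC6238_SECRET = b"12345678901234567890"  # published RFC 6238 test-vector key

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC6238_SECRET, now))
```

Two things follow from the math. A code is only valid for one 30-second step (plus whatever drift the server tolerates), so a stolen code is worthless minutes later; and the secret itself never appears on the wire, so there is nothing to intercept at the carrier. What TOTP does not stop is a caller who gets you to read out the current code in real time, which is why the advice above is to type it in yourself and never to share it.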
Confidence scams are among the oldest tricks in the book, now amplified by social media and all the communication channels the explosion of the web has brought about. The bad guys build a trust relationship with the victim that may take weeks or even months to develop. A recent case involved a fake social media profile for a celebrity: the victim thought they were having a conversation with the celebrity, the “celebrity” eventually asked for money because of a difficult situation, and the victim complied and lost a great deal of savings.
These scams are way older than the internet, but with the availability of social media and online dating services, many people become unsuspecting victims. They are lured into relationships by people who seem to be a perfect match and who slowly gain the victim’s confidence and even love. Once trust is gained, the victim is eventually presented with a difficult situation by their “lover” where help is required, and many people comply by sending money or valuables. The perpetrators often try to move the relationship away from the site where they met their victim, which is why they ask for e-mail addresses and phone numbers to send texts and pictures; once the conversation leaves the platform, its reporting tools and fraud detection can no longer help.
Romance scams are not that easy to protect against. When you are vulnerable and looking for human connection, it’s easy to fall victim to confirmation bias, where you don’t see the inconsistencies and choose to believe the situations the scammers create. A simple method that might help is to do a reverse image search with the profile picture of the person you are talking to. You’d be surprised what it may yield, especially if it’s a fake profile: you might find the same photo attached to someone else’s name. It may sound overly simplified, but refusing to send personal information, money or valuables to people you have not met and vetted in “real life” is also the way to go.
When selling or buying online, it’s amazing how many ways scammers have figured out to get people and small businesses to ship merchandise without ever sending payment. How can this happen? There are many ways; for example, they may send you a spoofed e-mail that appears to come from the payment provider, saying the funds are now in your account. Trusting that this is the case, you don’t log in to verify and just ship the merchandise. The fix is to treat the e-mail as a prompt, not as proof: open the payment provider’s site yourself (not through a link in the message) and ship only once the balance shows the funds as cleared, not merely pending.
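Before even logging in, the headers of such a “payment received” message often give the spoof away: the visible From address claims the payment provider's domain, but the envelope sender and the SPF/DKIM results recorded by your own mail server point somewhere else. The script below is an added example, not code from the original post or from any mail provider; both messages are constructed with RFC 2606 placeholder domains, and the check assumes the `Authentication-Results` header was added by your own receiving server (a sender can forge that header too, which is why real mail servers only trust the copy they wrote themselves).

```python
"""Header checks for a 'payment received' e-mail before trusting it.

Added example, not code from the original post. The two messages are
constructed (RFC 2606 placeholder domains); the Authentication-Results
header is the kind a receiving mail server adds after checking SPF/DKIM,
and the check assumes it was added by your own server, not by the sender."""
import email
import re

SPOOFED_MSG = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Payments" <notifications@payments.example.com>
To: seller@example.org
Subject: Payment received - please ship the item
Content-Type: text/plain

The buyer's funds are now in your account. You may ship the merchandise.
"""

GENUINE_MSG = b"""\
Return-Path: <bounce@payments.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=payments.example.com; dkim=pass header.d=payments.example.com
From: "Payments" <notifications@payments.example.com>
To: seller@example.org
Subject: Payment received
Content-Type: text/plain

Funds are available in your account.
"""


def _domain(addr):
    """Domain part of an address like '"Name" <user@host>' (lowercased)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def check_payment_mail(raw):
    """Return a list of problem codes; an empty list means the headers line up."""
    msg = email.message_from_bytes(raw)
    from_dom = _domain(msg.get("From", ""))
    envelope_dom = _domain(msg.get("Return-Path", ""))
    auth = msg.get("Authentication-Results", "").lower()
    problems = []
    # The visible From domain should match the envelope sender (what SPF checks).
    if from_dom != envelope_dom:
        problems.append("from-domain-mismatch")
    # SPF must pass, and pass for the From domain, not for some relay's domain.
    spf = re.search(r"spf=(\w+)(?:[^;]*smtp\.mailfrom=([a-z0-9.-]+))?", auth)
    if not spf or spf.group(1) != "pass":
        problems.append("spf-not-pass")
    elif spf.group(2) and spf.group(2) != from_dom:
        problems.append("spf-unaligned")
    # DKIM must pass with a signing domain (header.d) equal to the From domain.
    dkim = re.search(r"dkim=(\w+)(?:[^;]*header\.d=([a-z0-9.-]+))?", auth)
    if not dkim or dkim.group(1) != "pass":
        problems.append("dkim-not-pass")
    elif dkim.group(2) and dkim.group(2) != from_dom:
        problems.append("dkim-unaligned")
    return problems


if __name__ == "__main__":
    print("spoofed:", check_payment_mail(SPOOFED_MSG))
    print("genuine:", check_payment_mail(GENUINE_MSG))
```

The spoofed message passes SPF, but only for the relay's own domain, and carries no DKIM signature for the provider's domain, which is the alignment test DMARC applies. Note the limits: some legitimate bulk senders use a different envelope domain, so a mismatch is a reason to look closer rather than proof of fraud, and a clean result only says the e-mail was not forged, not that any money actually moved. Logging in to the provider is still the only real confirmation.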
Non-delivery schemes are often perpetrated on online marketplaces such as eBay or Craigslist. The products are listed as if they were real, the bad guys receive the payment and then fail to deliver the goods. This doesn’t just apply to small merchandise or electronics; it has been done with every item imaginable, even cars. Often the same item is listed repeatedly, and at prices significantly below average.
It’s hard to verify a seller 100%, but there are some steps you can take, like researching the company doing the listing and actually calling any phone numbers they have listed. Don’t trust them just because they have a website, since it’s pretty easy to put up a nice-looking fake site these days. Always use a credit card for any online transaction, as the charge can be disputed if something goes wrong; wire transfers, gift cards and cryptocurrency are favored by scammers precisely because they cannot be reversed.
The internet has thrown a monkey wrench into the safety and security of the general public, and not enough is being done to prevent and combat cybercrime. Remember that there are no national borders on the web: the people trying to attack you can be living in any part of the world, often beyond the reach of your local police, where they face few consequences for what they do to you online. It’s up to you to be alert and aware against cybercrime and do your homework. If a person or a price seems too good to be true, it probably is.
Here is a recent appearance on Despierta America on Univision where I explained to the Chef how to protect his accounts after his recent hacking incident.