2023 August Cyber Bytes
Social Engineering Red Flags
Social engineering is one of the primary strategies criminals use in their attempts to attack our systems. From an information security perspective, social engineering is the use of manipulative psychological tactics and deception to commit fraud. The goal of these tactics is to establish some level of trust in order to convince the unsuspecting victim to hand over sensitive or confidential information. In the graphic below, you will find several tips for identifying the red flags that often accompany social engineering scams.
Your voice could be your biggest vulnerability
AI technology is fueling a rise in online voice scams, with just three seconds of audio required to clone a person’s voice, according to McAfee.
Helpnet Security, May 8, 2023
McAfee surveyed 7,054 people from seven countries and found that a quarter of adults had previously experienced some kind of AI voice scam, with 1 in 10 targeted personally and 15% saying it happened to someone they know. 77% of victims said they had lost money as a result.
In addition, McAfee Labs security researchers have revealed their insights and analysis from an in-depth study of AI voice-cloning technology and cybercriminal use.
Scammers are using AI technology to clone voices
Everybody’s voice is unique, the spoken equivalent of a biometric fingerprint, which is why hearing somebody speak is such a widely accepted way of establishing trust.
But with 53% of adults sharing their voice data online at least once a week (via social media, voice notes, and more) and 49% doing so up to 10 times a week, cloning how somebody sounds is now a powerful tool in the arsenal of a cybercriminal.
With the rise in popularity and adoption of artificial intelligence tools, it is easier than ever to manipulate images, videos, and, perhaps most disturbingly, the voices of friends and family members.
McAfee’s research reveals scammers are using AI technology to clone voices and then send a fake voicemail or call the victim’s contacts pretending to be in distress – and with 70% of adults not confident that they could identify the cloned version from the real thing, it’s no surprise that this technique is gaining momentum.
45% of the respondents said they would reply to a voicemail or voice note purporting to be from a friend or loved one in need of money, particularly if they thought the request had come from their partner or spouse (40%), parent (31%), or child (20%).
The cost of falling for an AI voice scam
Parents aged 50 or over are the group most likely to respond to a child (41%). Messages most likely to elicit a response were those claiming that the sender had been involved in a car incident (48%), been robbed (47%), lost their phone or wallet (43%), or needed help while traveling abroad (41%).
But the cost of falling for an AI voice scam can be significant, with more than a third of people who’d lost money saying it had cost them over $1,000, while 7% were duped out of between $5,000 and $15,000.
The survey also found that the rise of deepfakes and disinformation has led to people being more wary of what they see online, with 32% of adults saying they’re now less trusting of social media than ever before.
“Artificial intelligence brings incredible opportunities, but with any technology there is always the potential for it to be used maliciously in the wrong hands. This is what we’re seeing today with the access and ease of use of AI tools helping cybercriminals to scale their efforts in increasingly convincing ways,” said Steve Grobman, McAfee CTO.
Voice cloning made easy
As part of McAfee’s review and assessment of this new trend, McAfee researchers spent three weeks investigating the accessibility, ease of use, and efficacy of AI voice-cloning tools, with the team finding more than a dozen freely available on the internet.
Both free and paid tools are available, with many requiring only a basic level of experience and expertise to use. In one instance, just three seconds of audio was enough to produce an 85% match, but with more investment and effort, it’s possible to increase the accuracy.
By training the data models, McAfee researchers were able to achieve a 95% voice match based on just a small number of audio files.
The more accurate the clone, the better chance a cybercriminal has of duping somebody into handing over their money or taking other requested action. With these hoaxes based on exploiting the emotional vulnerabilities inherent in close relationships, a scammer could net thousands of dollars in just a few hours.
The evolution of voice cloning technology
“Advanced artificial intelligence tools are changing the game for cybercriminals. Now, with very little effort, they can clone a person’s voice and deceive a close contact into sending money,” said Grobman.
“It’s important to remain vigilant and to take proactive steps to keep you and your loved ones safe. Should you receive a call from your spouse or a family member in distress and asking for money, verify the caller – use a previously agreed codeword, or ask a question only they would know. Identity and privacy protection services will also help limit the digital footprint of personal information that a criminal can use to develop a compelling narrative when creating a voice clone,” concluded Grobman.
Using the cloning tools they found, McAfee’s researchers discovered that they had no trouble replicating accents from around the world, whether they were from the US, UK, India, or Australia, but more distinctive voices were more challenging to copy.
For example, the voice of a person who speaks with an unusual pace, rhythm or style requires more effort to clone accurately and is less likely to be targeted as a result.
The overriding feeling among the research team, though, was that artificial intelligence has already changed the game for cybercriminals. The barrier to entry has never been lower, which means it has never been easier to commit cybercrime.
AI voice cloning protection
Set a verbal ‘codeword’ with kids, family members or trusted close friends that only they could know. Make a plan to always ask for it if they call, text or email to ask for help, particularly if they’re older or more vulnerable.
Always question the source. If it’s a call, text or email from an unknown sender, or even if it’s from a number you recognize, stop, pause and think. Does that really sound like them? Would they ask this of you? Hang up and call the person directly or try to verify the information before responding and certainly before sending money.
Think before you click and share. Who is in your social media network? Do you really know and trust them? Be thoughtful about the friends and connections you have online. The wider your connections and the more you share, the more risk you may be opening yourself up to in having your identity cloned for malicious purposes.
Identity monitoring services can help make sure your personally identifiable information is not accessible or notify you if your private information makes its way to the Dark Web. Take control of your personal data to avoid a cybercriminal being able to pose as you.
Securing Your Financial Accounts
SANS OUCH! Newsletter by Lynn Dohm, June 7, 2023
Your financial accounts are a primary target for cyber-criminals. You have money, and they will do anything to steal it. By financial accounts, we mean not only your checking or savings accounts, but also investments, retirement, and online payment accounts like PayPal. Fortunately, with some simple, fundamental steps, you can protect yourself.
How They Attack
Banks invest a huge amount of money in securing their systems, making it extremely difficult for a cyber-criminal to hack into them. This is why cyber-criminals target you and your accounts instead. They know you don’t have your own security team to protect you, so it's much easier to hack you than a bank. Here are the two most common ways they will target you and attempt to steal your money:
Passwords: Each of your financial accounts is protected by a password. If a cyber-criminal can guess or compromise any of those passwords, they can log in as you and then transfer your money to bank accounts that they control. There are numerous ways they will try to get your password. One common method is infecting your computer with malware. Once your computer is infected, they can capture your username and password when you access your bank’s website. Another common method is sending phishing emails that pretend to come from your bank. When you click on the link in the email, you think you are logging into your bank’s website, but in reality, you are logging into a fake website that the criminals control. This allows them to once again harvest your username and password, which they can then use to log in as you.
Asking: Cyber-criminals can simply ask you for your password or for you to transfer the money to them. Such social engineering attacks often start by getting you on the phone. Cyber-criminals know that once they get you talking, it's much easier for them to use emotion to get you to make a mistake. This is why you are starting to see more phishing emails, voice mail, and browser pop-ups creating a sense of urgency by telling you that you have to call a phone number to resolve an issue or to take advantage of an amazing opportunity before it expires. Once you call the phone number, the criminals create a tremendous sense of pressure to either give them access to your accounts or to move your money to different accounts for them. For example, they may tell you they are from tech support or the government, claiming that your computer is infected and that if you don’t act now, you will lose all your money.
Fortunately, securing your bank accounts is simpler than you may think. Here are three simple steps to protect yourself.
Be Suspicious: First and foremost, you are your own best defense. If you get an email, text message, voicemail, or browser pop-up that seems odd or suspicious, it may be an attack. The greater the sense of urgency, and the more you are being pressured to act NOW, the more likely it is an attack.
Use Strong Passwords / MFA: Protect each of your financial and personal email accounts with a long, unique password. Can’t remember all of those unique passwords? Consider using a password manager to securely remember and store them all for you. The best way to protect each of your financial accounts is to enable a feature called multi-factor authentication (MFA) on each account.
Monitor: Finally, monitor all your financial accounts. You can set up automated alerts that will email or text you any time money is moved into or out of your accounts. This way you can quickly detect any unauthorized or suspicious transaction. The sooner you detect something wrong and report it to your bank, the more likely you will be able to recover your money.
Tricks of the trade: How a cybercrime ring operated a multi-level fraud scheme
A peek under the hood of a cybercrime operation and what you can do to avoid being an easy target for similar ploys
Welivesecurity.com by Roman Cuprik, May 30, 2023
They hacked into corporate emails, stole money from people and businesses, and tricked others into transferring the loot. Nigerian nationals Solomon Ekunke Okpe and Johnson Uke Obogo ran a sophisticated fraud scheme that caused up to US$1 million in losses to victims. A US court recently sentenced the duo to four years and one year behind bars, respectively.
Their criminal operation engaged in a variety of fraudulent schemes – including business email compromise (BEC), work-from-home fraud, check fraud and credit card scams – that targeted unsuspecting victims worldwide for more than five years.
Here’s how they pulled off the cons and, even more importantly, how you can avoid becoming a victim of similar ploys.
Step 1 – hacking into email accounts
In order to gain access to victims’ email accounts, Okpe and co-conspirators launched email phishing attacks that collected thousands of email addresses and passwords. Additionally, they amassed large amounts of credit card information and personally identifiable information of the unsuspecting individuals.
Generally, the most common variety of phishing involves sending out emails that pose as official messages that have a sense of urgency and come from reputable institutions such as banks, email providers, and employers. Using false pretenses and evoking a sense of urgency, these communications attempt to dupe users into handing over their money, login credentials, credit card information or other valuable data.
Another technique to break into one’s account is simply overcoming a weak password – think a password that is either too short or made up of too simple a set of characters, which scammers can easily crack with the help of automated tools, i.e. “brute-force” it.
For example, if your password is eight characters long and consists only of lower-case characters, an automated tool can guess it in a couple of seconds. A password that is complex but is made up of only six characters can be cracked just as quickly.
Hackers also often take advantage of people’s penchant for creating passwords that are extremely easy to guess without help from dedicated tools. According to a 3TB database of passwords spilled in security incidents, the most popular password across 30 countries was, you guessed it, “password”. Second came “123456”, followed by the slightly longer (but not really much better) “123456789.” Rounding out the top five were “guest” and “qwerty.” Most of those logins can be cracked in less than a second.
The takeaway? Always use long, complex, and unique passwords or passphrases to avoid having your access credentials easily guessed or brute-forced.
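To put numbers on the two cases above (eight lowercase characters versus six characters from the full printable set) and on the top-five list, here is an added keyspace estimator; it is example code written for this newsletter, not from the original article, and the guess rate it uses is an assumed placeholder rather than a measured figure.

```python
"""Password keyspace estimator (added example, not code from the article).

It puts numbers on the article's claims: an 8-character all-lowercase
password and a 6-character "complex" password both fall in seconds to an
automated guessing tool, while the most common passwords are found instantly
from a wordlist. The guess rate is an assumed placeholder, not a measurement.
"""
import math
import string

# Top five from the article; real attacker wordlists hold millions of entries.
COMMON_PASSWORDS = {"password", "123456", "123456789", "guest", "qwerty"}

# Assumed offline guess rate against a fast, unsalted hash (placeholder figure).
ASSUMED_GUESSES_PER_SECOND = 1e11

# Character classes an attacker must include once any member appears.
CLASS_SIZES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # printable ASCII symbols plus space
)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password.

    Non-ASCII characters fall in no class, so the result is a lower bound.
    """
    present = set(password)
    return sum(n for chars, n in CLASS_SIZES if present & chars)


def analyze(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Keyspace, entropy in bits and worst-case seconds to exhaust the keyspace.

    A password found in the common list is reported as a wordlist hit: the
    attacker tries the list before any brute force, so keyspace is irrelevant.
    """
    if password in COMMON_PASSWORDS:
        guesses = len(COMMON_PASSWORDS)
        return {"keyspace": guesses, "entropy_bits": math.log2(guesses),
                "seconds": guesses / rate, "wordlist_hit": True}
    size = charset_size(password) or 1  # guard empty / all-non-ASCII input
    keyspace = size ** len(password)
    return {"keyspace": keyspace, "entropy_bits": len(password) * math.log2(size),
            "seconds": keyspace / rate, "wordlist_hit": False}


def describe(seconds: float) -> str:
    """Human-readable order of magnitude for a crack time."""
    for limit, label in ((60, "seconds"), (3600, "minutes"), (86400, "hours"),
                         (86400 * 365, "days")):
        if seconds < limit:
            return label
    return "years" if seconds < 86400 * 365 * 1e6 else "effectively never"


if __name__ == "__main__":
    # Constructed samples mirroring the article's two cases plus a long one.
    for pw in ("password", "abcdefgh", "Ab3!x9", "Tr0ub4d0r&3-ExamplePw"):
        r = analyze(pw)
        print(f"{pw:24} {r['entropy_bits']:6.1f} bits  {describe(r['seconds'])}"
              + ("  (wordlist hit)" if r["wordlist_hit"] else ""))
```

Note that the six-character "complex" password actually has a larger keyspace than the eight-character lowercase one, yet both are exhausted in seconds at the assumed rate; only length moves the result into "years".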
Step 2 – attacking business partners
After gaining access to victims’ accounts, Okpe and his team would send emails to employees of companies that did business with the victim, directing the targets to transfer money to bank accounts controlled by the criminals, their co-conspirators or “money mules”. These emails were made to look like they were coming from the victim, but were in fact instructions for unauthorized money transfers from Okpe and his co-conspirators.
These attacks, called business email compromise attacks, are a form of spearphishing. While regular phishing attacks involve casting the net wide and targeting unknown victims, spearphishing takes aim at a specific person or group of people. Bad actors study every piece of information available about a targeted person online and tailor their emails accordingly.
This obviously makes such emails harder to recognize, but there are some obvious giveaways. For example, these messages often come out of the blue, evoke a sense of urgency or use other pressure tactics, and contain attachments or (shortened) URLs leading to dubious sites.
If a spearphishing campaign aims to steal your credentials, two-factor authentication (2FA) can go a long way towards keeping you safe. It requires you to provide two or more identity verification factors to access an account. The most popular option involves authentication codes via SMS messages, but dedicated 2FA apps and physical keys provide a higher level of security.
If you as an employee are asked to wire any money, especially under a tight deadline, double-check that the request is genuine.
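The giveaways listed above (an out-of-the-blue sender, urgency or pressure language, attachments, shortened URLs) and the advice to double-check any transfer request can be turned into a simple triage rule. The scorer below is an added example written for this newsletter, not code from the article; the address book, phrase lists, sample messages and thresholds are all constructed assumptions.

```python
"""Spear-phishing / BEC red-flag scorer (added example, not from the article).

It scores a message against the giveaways the article lists: an out-of-the-blue
sender, urgency or pressure language, a request to move money, attachments,
and shortened URLs. Contacts, phrase lists and the sample messages are all
constructed for this example; the thresholds are assumptions, not a standard.
"""
import re
from urllib.parse import urlparse

# Constructed address book: senders the employee has corresponded with before.
KNOWN_SENDERS = {"cfo@example-partner.com", "ap@example-partner.com"}

# Well-known public URL shorteners (hostname only); extend to taste.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

URGENCY_PHRASES = ("urgent", "immediately", "right away", "asap", "act now",
                   "before it expires", "today", "deadline", "final notice")
PAYMENT_PHRASES = ("wire", "transfer", "bank account", "account details",
                   "routing number", "iban", "payment", "invoice")

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def shortened_urls(text: str) -> list:
    """Return any URLs in the text whose host is a known shortener."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        if host in SHORTENER_HOSTS:
            found.append(url)
    return found


def red_flags(msg: dict) -> list:
    """List the article's giveaways present in a message dict."""
    text = f"{msg.get('subject', '')} {msg.get('body', '')}".lower()
    flags = []
    if msg.get("from", "").lower() not in KNOWN_SENDERS:
        flags.append("unknown sender (out of the blue)")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency / pressure language")
    if any(p in text for p in PAYMENT_PHRASES):
        flags.append("request to move money or change payment details")
    if msg.get("attachments"):
        flags.append("attachment present")
    if shortened_urls(msg.get("body", "")):
        flags.append("shortened URL in body")
    return flags


def recommendation(flags: list) -> str:
    """Turn the flag list into the action the article recommends."""
    if any(f.startswith("request to move money") for f in flags):
        # Any payment instruction is confirmed out of band, whatever else is seen.
        return "HOLD: confirm by phone on a known number before any transfer"
    return "CAUTION: verify sender before acting" if len(flags) >= 2 else "LOW"


if __name__ == "__main__":
    SAMPLE_MESSAGES = [  # constructed for this example
        {"from": "cfo@example-partner.com",
         "subject": "URGENT: updated bank account for invoice 4471",
         "body": "Please wire today to the new account. Details: https://bit.ly/xyz",
         "attachments": ["invoice_4471.pdf"]},
        {"from": "ap@example-partner.com", "subject": "Q3 meeting notes",
         "body": "Notes attached from yesterday, no action needed.",
         "attachments": ["notes.docx"]},
    ]
    for m in SAMPLE_MESSAGES:
        f = red_flags(m)
        print(m["subject"], "->", recommendation(f), f)
```

The first constructed message comes from a known partner address, which is exactly the BEC case above: the sender check passes, so the payment request and urgency flags are what trigger the hold.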
Step 3 – tricking people into transferring stolen money
In the “work-from-home” scams, the gang falsely posed as online employers and posted ads on job websites and forums under a variety of fictitious online personas. They pretended to hire large numbers of individuals from around the United States for work-from-home positions.
Although the positions were marketed as legitimate, the scammers directed the workers to perform tasks that facilitated the group’s scams. Thus, victims were unknowingly helping scammers with creating bank and payment processing accounts, transferring or withdrawing money from accounts, and cashing or depositing counterfeit checks.
To avoid falling for a work-from-home scam, do your research. Look up the company’s name, email address, and phone number and check whether there are any complaints about the company’s behavior and practices. Indeed, when looking for a job online, start with legit job sites and other trustworthy sources.
Additionally, Okpe and co-conspirators conducted romance scams. They created fictitious identities on dating websites, feigning interest in romantic relationships with love-seeking people. After gaining victims’ trust, Okpe and others used them as money mules to transfer money overseas and receive cash from fraudulent wire transfers.
Many romance scammers borrow from the same playbook, which makes it easier to recognize and stay safe from their tricks. Watch out for online suitors who:
- Ask victims lots of personal questions but are evasive when asked questions about their lives
- Profess their love quickly
- Move the conversation quickly off the dating site to a private chat
- Make convoluted excuses for not meeting in person or joining a video call
- Pretend to live or work abroad
- Have picture-perfect profile photos
- Tell sob stories about why they need money, including to pay for travel or medical expenses, visas and travel documents
Be scam-smart – exercise caution especially with unsolicited online communications and watch out for the tell-tale signs of online fraud.
Be on high alert if you use this popular reservation app
More than your dinner plans could be ruined by this scam targeting OpenTable users
CyberGuy Report Fox News, by Kurt Knutsson, on June 21, 2023 | Updated June 22, 2023
The restaurant industry is currently grappling with a new scam specifically targeted at people looking to make online reservations. Hackers have set their sights on exploiting OpenTable, a widely used service that includes nearly 60,000 restaurants around the globe. The scammers are using OpenTable to illicitly obtain information from those who use the service.
What is OpenTable?
OpenTable is an online restaurant reservation service that allows you to search for and book reservations at various restaurants online without having to call the restaurant directly. You can use the filters to adjust the date, time, and number of people included in your reservation, as well as any other specific filters included with the restaurant you're attending, such as if you prefer to have a table inside or outside.
The service is accessible through the OpenTable website and the OpenTable mobile app, which is available for download on iOS and Android devices. You can browse restaurants, view menus, read reviews, and make reservations directly through the platform.
What information does OpenTable ask for?
Once you've completed all the details for your reservation, the website will ask you for some personal information like your name, email address, and phone number. This information is only asked for so that the restaurant has a way to contact you should something change with your reservation. Depending on the restaurant's policies, it will typically not ask you to hand over credit card details to finalize the reservation. This is where the scammers come in.
How does the OpenTable scam work?
Scammers have been calling people and pretending to be from the restaurant where a reservation has been made to "confirm" the details. And with that confirmation, the scammer will also tell the victim that it is required for them to give over their credit card details to keep their reservation spot.
Once they have the card details, they will then call again and pretend to be from the victim's bank. They'll tell the victim that there has been "unusual activity" with their credit card that can only be stopped by authorizing a purchase from the bank's mobile app. Many victims will panic and authorize the transaction before they realize it's a scam, and now the criminal has full access to use the card.
How do the scammers get your information in the first place?
Scammers get this information by calling restaurants pretending to work for OpenTable and asking for their login credentials. Then, they use those credentials to access the restaurant’s account and call customers with reservations pretending to be from the restaurant. They ask for their credit card details to take or refund a deposit for their bookings and then use those details to make unauthorized transactions.
What should I do to avoid this reservation service scam?
There are a few steps you can take to avoid falling for this scam, even if you're someone who uses online reservation services often. Here are some of my tips for avoiding this scam.
Hang up on suspicious calls
If you receive a call from someone claiming to be from the restaurant you made a reservation at or from your bank and they're asking for credit card information, hang up the phone. There is no reason for a restaurant to have your credit card information unless they have a policy about charging people for last-minute cancellations. Even so, you should hang up and call the restaurant back yourself using their official phone number to confirm if this is a real policy or not.
Keep a close eye on your bank
You should never authorize any purchases to be made through your banking app or credit card that you did not make yourself. If you see any suspicious transactions come up, call your bank or credit card company immediately and have them walk you through the steps to fix it.
Report the scammers immediately
OpenTable has sent out a mass alert to all its users to warn them about these scams that have been going around. They urge people to notify them via email at firstname.lastname@example.org in case they receive any suspicious phone calls claiming to be from restaurants.
Use identity theft protection
Since many people's personal information was exposed from this data breach with reservation websites, it's best for you to know how to protect yourself should your information ever get exposed. Identity theft protection companies can monitor personal information like your home title, Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
One of the best parts of using some services is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a U.S.-based case manager helps you recover any losses.
Kurt's key takeaways
Making reservations at local restaurants should be a hassle-free experience. However, the unfortunate reality is that even something as simple as reserving a table now requires an additional concern. It's important to remain vigilant when using online reservation services like OpenTable to safeguard against scams. Remember to heed my advice, stay alert, and maintain a cautious mindset throughout the process, regardless of how straightforward it may seem.
8 common work-from-home scams to avoid
That ‘employer’ you’re speaking to may in reality be after your personal information, your money or your help with their illegal activities
Welivesecurity.com by Phil Muncaster, July 20 2023
The pandemic has radically reshaped the workplace. For many it normalized working from home (WFH). For others, it offered an opportunity to reevaluate whether their current career was the right fit for them. A “Great Resignation” ensued. Today, most of us expect our employers to give us the option to work remotely. Over half (53%) of remote-capable US workers have a hybrid work arrangement, for example.
With the cost of living hitting many countries, we’re also increasingly on the lookout for new ways to make some extra money. But scammers are as always primed and ready to take advantage. Nearly 93,000 Americans reported fraud related to business and job opportunities last year, according to the FTC. They suffered median losses of $2,000 – more than any other fraud type except investment scams. Separately, cases of employment fraud reported to the FBI last year resulted in losses of over $47 million.
It’s more important than ever to be on guard against job offers that look too good to be true. That ‘employer’ you’re speaking to may in reality be after your personal information, your money or your help with their illegal activities.
Eight WFH scams to look out for
WFH scams usually start with an online ad, perhaps on social media, or may even abuse legitimate career sites such as LinkedIn and other platforms where job seekers look for new opportunities. Here are some of the main ones to watch out for:
Reshipping scams
The victim is hired to receive packages, potentially ‘inspect’ the items and then send them on to another destination. These may be advertised as “package handler,” “package processing assistant” or even “warehouse distribution coordinator.” In fact, the victim is receiving stolen goods purchased using compromised financial details, and is effectively helping the criminal to cover their tracks to hide the original crime.
Fake mystery shopper
The victim is hired to purchase products and report on the shopping experience. However, the check they’re given to pay for the purchases and/or upfront training and other expenses will bounce. Some scams may impersonate the Mystery Shopping Professionals Association (MSPA) to add legitimacy.
Personal assistant
The victim is hired as a PA and asked to make some purchases for their employer, who sends a check to cover the expenses. They may ask for some of the money to be returned via wire transfer or digital app. Of course, the original check will bounce, leaving the victim in the red.
Start your own business
A scam company claims to offer resources to help the victim become an entrepreneur. Usually they charge a premium for these course materials, which turn out to be useless. The “get rich quick” promises are soon revealed to be built on sand.
Medical billing
Medical billing is a key part of the healthcare supply chain. It can take many months of training to get up to speed with this kind of work. However, scammers will often offer medical billing roles requiring no training. The course materials and/or certifications they include to get the victim up and running will cost a premium.
Fraudulent job listings
Sometimes scammers upload listings for jobs that don’t exist. The end goal is to get the applicant to send over personal information like Social Security numbers and other details which can be used to commit subsequent identity fraud in their name.
Assembly work
Victims are told they will be paid to assemble toys or crafts and send them back to their employer. However, they must pay up front for a starter kit. Once they pay, they soon realize there is no job.
Multi-level marketing
Some multi-level marketing (MLM) opportunities are simply scams where fake companies promise that those who sign up will be paid a handsome commission to recruit others. They will also be forced to buy products from the ‘employer’ to sell to would-be customers.
How to stay safe
Follow this list of best practice advice to stay safe from WFH scams:
- Search for the company offering the job to check for any negative online reviews. In the US, the Better Business Bureau is also a useful resource
- Ask the employer plenty of questions, such as what the total cost of the program is, and when you will be paid, by whom and how
- Don’t assume the job ad is legitimate just because it appeared on a legitimate site
- Don’t apply for any job where earnings are dependent on recruiting others to the company
- Don’t believe information on the company’s website, including testimonials from other recruits, as this can all be faked
- Don’t respond to any unsolicited contact or click on links in unsolicited comms like emails or texts
- If you want to follow up an out-of-the-blue job offer, do some background research on the company rather than replying to the initial email
The popularity of WFH scams reflects both a worsening economic backdrop and our increasing preference to work remotely. There are jobs out there. Just be extra cautious in following up leads.