By now, most people know someone who has had a brush with cybercriminals, or have been a victim of cybercrime themselves. Unfortunately, the increase in cybersecurity awareness has been met with increased sophistication by cybercriminals. Attacks are now directed at groups of people, businesses, and individuals, who are targeted and compromised by teams of professionals.
One of the most effective means of compromising individuals is social engineering: the psychological manipulation of people into performing actions or divulging confidential information. No longer is the internet blanketed with the pleas of wrongfully accused officials from Nigeria, modestly requesting help and offering you a fair share of forgotten and misplaced millions.
It is important to realize that criminal Internet fraud has become an industry. It is labor-intensive; it requires victim research, a well-rehearsed script, follow-up by team members, and often fake documentation convincing you to transfer money or to do something that is not in your best interest.
The FBI lists Business Email Compromise / Email Account Compromise (BEC/EAC) as the largest class of criminal cyberattack by dollar amount, totaling $2.4 billion in 2021. These attacks begin with an email or a direct message on social media. LinkedIn, the social media site for business and working professionals, has become fertile ground for these employment and investment scams. LinkedIn has committed considerable resources to combating fraud and is actively using tools to monitor and remove malicious actors. Nevertheless, it has proven to be an efficient means for criminal networks to reach victims.
There is a common chain of events in these attacks. The first step is the introduction. For an investment scam, someone approaches an individual with a shared interest through a friend or contact request; this may be a real person whose identity has been hijacked. For an employment scam, someone indicates they are looking for work and is then contacted by a company looking for someone with their skills; this company may also be real but have had its identity stolen. The advantage of LinkedIn for the attacker is the assumption of trust, and the attack is often conducted behind real identities.
The introduction is followed by connection via email correspondence. In each case, the attacker strikes up a conversation and builds familiarity and trust over time. For employment scams, this begins with praise over how qualified the individual is -- and comments about how desperate the company is for help. For investment scams, it's a longer process of slowly building trust over shared interests over time.
The third step is the theater; all scams rely on a bit of theater or make-believe. The employment scams rely on fake employment applications, counseling sessions, interviews, etc. The goal is to extract personal information and collect a fee. The investment scam will rely on examples of investments that make lots of money; cryptocurrency is the current favorite. This scam takes a lesson from Bernie Madoff and provides the victim with fake investment returns and profit statements.
The last step is the payday; the attacker's goal is to get paid. In the employment scam, the criminal asks the applicant to give their personally identifiable information, then uses it to apply for credit cards, hack systems, and empty bank accounts. In addition, they are often asked to pay a fee to the agency to get the nonexistent job. In the investment scam, the victim is convinced to move their investments into one controlled by the criminal. This one may go on for a while; as the investor continues to receive the fraudulent investment reports, they add more to the account. At some point, the investment is closed, and the victim is left with nothing.
The question is: What can a company or individual do to identify and avoid these scams? The first step is to follow the recommendations outlined by LinkedIn for combating fraud. Most importantly, be cynical. Do not fill out employment applications with your personal information until you are in the hiring process. If you cannot see anyone during the interview, the background is strange, the interviewer has no command of good English, or they want money, these are big warning signs. Before you invest money, get a second opinion. If you are told there is urgency or that you will miss out, or your new friend turns aggressive, these too are warning signs. If there is an incident, report the fraud to the FBI's Internet Crime Complaint Center (IC3).
LinkedIn is combating this fraud and reported that it stopped 96 percent of all fake accounts in 2021. However, no matter what LinkedIn, the FBI, Microsoft, Apple, and Google do, individual user behavior is the most important factor. In general, if something seems too good to be true, it is. That supermodel who just befriended you, the one who really understands you -- well, they are really not all that into you.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at email@example.com.