Scams

How to prevent, detect and react to Cyber-Scams

Online scams grow every year and become more sophisticated over time. The secret of cyber-scammers' success is targeting vulnerable groups: a lack of familiarity with the digital world, sometimes combined with limited language skills, loneliness, social isolation and/or a lower level of education, makes them easy victims of this type of crime.

As in other online crimes, anonymity and the very structure of the Internet make it extremely difficult to track down the perpetrators.

Online scams can be as varied as criminals' imagination allows. However, most of them share a modus operandi, which makes it possible to analyse the most commonly used ones.

What is what?

  • Phishing is a type of fraud carried out by electronic means in which the criminal impersonates the digital identity of a company, organization or public administration in order to obtain the passwords that give access to the victim's bank account.

    Although it has already undergone numerous variations, phishing typically involves the criminal sending an email, an SMS or a message on an app such as WhatsApp while impersonating your bank. The message announces a problem with the victim's account: it is overdrawn, a bill could not be processed… and it is always pressing and urgent. It urges the victim to click on a link quickly to solve a problem that could otherwise cost money or even lead to legal trouble.

    The link leads to a fake page (an imitation of the website of the impersonated bank or organization) where the victim is asked to enter his or her online banking credentials (login, password, PIN) or card details (card number, security code, expiry date, etc.). Once these data are entered on the fake page, the criminal uses them to log in to the victim's online banking and steal the money from the victim's account or card.

    Phishing is the easiest type of cyber-threat to carry out, as it requires the least technical knowledge on the part of the criminal. Nothing sophisticated is needed: he or she only has to create a web page that looks like the original and send messages to many people. Many will notice, but others will fall into the trap.

  • Vishing is the same type of scam conducted over the telephone, which makes seniors the preferred victims. Seniors tend to be wary of online banking and Internet shopping, but they are much more accustomed to completing transactions over the phone, especially when mobility problems or chronic illnesses prevent them from going out.

    Again, the identity of a company, organization or trusted person is impersonated in order to obtain personal and sensitive information from the victim with the aim of stealing, in this case through a phone call.

  • Smishing: the same scam via SMS, with a link that leads to a fraudulent page or a premium-rate telephone number.

  • Quid pro quo: through email, SMS, WhatsApp or social networks, the scammer promises gifts, cash, access to services such as Netflix, incredible offers or big discount coupons. To receive them, the victim has to fill in a form asking for personal data and, usually, bank or card details.

  • Addline phishing: this consists of accessing the victim's device (computer, phone or tablet) through a malicious free Wi-Fi network with the intention of stealing the information stored on it for personal accounts (email, bank accounts, payment systems, Amazon, ...). The stolen information allows fraudulent operations to be carried out with the victim's passwords, thus impersonating the victim.

  • Catphishing: the criminal creates a fake profile on a social network (or several) and uses it to establish a virtual relationship with the victim. The objective is a (fake) love relationship, which is why it is a common crime on Tinder-like dating platforms. However, it also occurs on general social networks.

    A strategy similar to grooming is used: the criminal pretends to be someone he or she is not, usually for months. This does not mean that the criminal necessarily refrains from using his or her real voice or from being seen on a video call. Often they “happen to live in another country” or “in a place far away” from the victim, which delays the meeting in person.

    When the victim is (or thinks he or she is) in love, the moment of the meeting arrives. It is then that the criminal comes up with some “problem”, family or health, that prevents him or her from meeting the victim unless a certain amount of money is obtained. The objective is to get the victim to contribute that amount. Once the victim has done so, the criminal disappears.

Detection and reaction

There are some characteristics particular to phishing scams that help us identify this type of attack:

  • They adopt the names and image of real companies
  • The sender's name is either the name of the company or an actual employee of the company
  • They include web sites that visually look like those of real companies
  • They hook users by offering gifts and prizes or by making them believe they are in danger of suffering imminent serious problems such as the loss of an account, a power outage, a penalty, etc.
  • The sender's address will try to imitate the real address of the bank, but if we look closely we can detect the error:

    Real email address: m.garcia@deutsche-bank.es

    Fake email address: m.garcia@deutchshe-bank.es

    Fake email address: m.garcia@deutschebank.eu

  • If we click on the link, the fake web site visually looks like that of the real company, but there will also be differences:
    • The fake web site does not start with https:// but with http:// (without the 's'). For an address to be secure, it must begin with https:// and show a padlock icon to its left.
    • For example: https://www.cgd.pt. If it starts with http:// (the 's' is missing), the alarm bells should ring.
    • The fake web site has a small difference in the URL (as in the email address):

    Real URL: https://deutsche-bank.es

    Fake URL: https://deutchshe-bank.es

    Fake URL: https://deutschebank.eu

  • They usually ask us to click on a link to solve the problem mentioned. In the same email, or on the page the link takes us to, we will be asked to make a payment or provide bank and/or personal information to solve the problem.
  • Sometimes criminals do not bother to translate messages. If we receive a message from our bank in another language, we should be suspicious.
  • Sometimes criminals do translate messages, but they do it badly, with an automatic translator and without checking the text. If the text has syntax errors or uses unusual words, we should be suspicious.
  • The most common phishing is an email, SMS or WhatsApp message from a bank, payment service, post office, courier or electricity company, but it can be disguised as coming from all kinds of senders, even our contacts, whose accounts could have been hacked.

The most important point: our bank (or our gas company, TV company...) will NEVER ask us for passwords by email, phone or message.

Prevention

  • If it is an email, check the sender's address. If there is a URL in the message, check that URL. Look to see whether:
    • It contains the official name of the website, but it is not the official address.
    • It uses the name of the official site with some letter or symbol added.
    • It has a spelling mistake like "paypa1" instead of "paypal".
    • It does not use a secure protocol, i.e. the URL does not begin with https://.
  • If we receive an email or message (SMS, app) that asks for personal or financial information, we should never respond. For security reasons, no company will ever ask for this type of information by email.
  • If that email or message contains links or attachments, never click on the links or download the files.
  • If we noticed too late and have already clicked on the link or downloaded the file, it is recommended that we consult a technician so that he or she can examine the device for viruses.
  • If you have doubts about whether an e-mail or message is legitimate, call the sender (bank, electricity company, post office) or go in person to an office and ask.
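The sender-address and URL checks listed under Detection and under Prevention (a lookalike spelling, a digit in place of a letter, the official name under a different ending or placed in front of somebody else's domain, a link that starts with http:// rather than https://) can be turned into a small script. The Python below is an added example written for this page; it is not part of the original text or of the Prolific project. The list of trusted domains is a constructed sample (the domain names quoted on the page plus paypal.com), the "last two labels" rule for the registrable domain is a simplification, and the edit-distance threshold is an assumption chosen so that the page's own fake addresses are caught. One caveat worth keeping in mind: https:// and the padlock only tell you that the connection is encrypted, not who runs the site, so the domain comparisons carry most of the weight.

```python
from urllib.parse import urlsplit

# Constructed sample of genuine domains: the names used on the page plus paypal.com.
# A real checker would load the reader's own bank/shop/utility domains, taken from
# a card, a statement or a saved bookmark, never from the message being checked.
TRUSTED_DOMAINS = {"deutsche-bank.es", "paypal.com", "cgd.pt"}

# Digit-for-letter swaps of the "paypa1 instead of paypal" kind.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(target):
    """Return (scheme, host) for a URL, an email address or a bare host name."""
    if "://" in target:
        parts = urlsplit(target)
        return parts.scheme.lower(), (parts.hostname or "").lower()
    if "@" in target:
        return None, target.rsplit("@", 1)[1].lower()
    return None, target.lower()


def split_domain(host):
    """'www.deutsche-bank.es' -> ('deutsche-bank', 'es').

    Assumption: the registrable domain is the last two labels. Two-level public
    suffixes such as co.uk would need a public-suffix list to be handled properly.
    """
    labels = host.strip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def check(target):
    """Classify an email address, URL or host name against TRUSTED_DOMAINS.

    Returns (verdict, reasons); verdict is 'trusted', 'suspicious' or 'unknown'.
    """
    reasons = []
    scheme, host = host_of(target)
    if scheme == "http":
        reasons.append("link uses plain http:// instead of https://")
    name, tld = split_domain(host)
    registrable = f"{name}.{tld}"
    if registrable in TRUSTED_DOMAINS:
        return ("suspicious" if reasons else "trusted"), reasons
    plain = name.translate(HOMOGLYPHS)
    for trusted in sorted(TRUSTED_DOMAINS):
        tname, _ = split_domain(trusted)
        distance = levenshtein(plain, tname)
        if plain == tname:
            # Same name once digits are read as letters (paypa1.com), or the
            # genuine name under another top-level domain (paypal.es).
            how = "under a different top-level domain" if name == tname else "with digits in place of letters"
            reasons.append(f"{registrable} imitates {trusted} {how}")
        elif distance <= max(1, len(tname) // 4):
            # A few typo-style edits or a dropped hyphen, as in the page's
            # deutchshe-bank.es and deutschebank.eu against deutsche-bank.es.
            reasons.append(f"{registrable} is {distance} edit(s) away from {trusted}")
        elif tname in host.split("."):
            # The official name used as a subdomain of somebody else's domain.
            reasons.append(f"{host} puts the name of {trusted} in front of {registrable}")
        elif len(tname) >= 4 and tname in name:
            # The official name with letters or symbols added (deutsche-bank-login.com).
            reasons.append(f"{registrable} is the name of {trusted} with characters added")
    return ("suspicious" if reasons else "unknown"), reasons


# Constructed samples built from the addresses and URLs quoted on the page.
SAMPLES = [
    "m.garcia@deutsche-bank.es",
    "m.garcia@deutchshe-bank.es",
    "m.garcia@deutschebank.eu",
    "https://www.paypa1.com/signin",
    "http://deutsche-bank.es/login",
    "https://deutsche-bank.es.example.com/",
    "https://www.cgd.pt",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reasons = check(sample)
        print(f"{verdict:10} {sample:40} {'; '.join(reasons)}")
```

Running the script prints one line per sample with the verdict and the reason(s) it was flagged. An "unknown" verdict for a domain that is not on the trusted list is deliberate: the script cannot vouch for a site it has never heard of, and that is exactly the case where the page's advice to phone the company or visit an office applies.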

Other scams

Online scams mainly take advantage of the lack of physical presence to deceive victims in a different way, but in essence they have not changed much compared with pre-Internet scams. Fraudsters play on people's hopes and desires.

Apart from phishing and its derivatives, the main online scams are:

  • Fake prize from abroad:

    • This is a variant of the so-called "Nigerian lottery". The victim receives an email announcing that he or she has won a large cash prize. In one case, the prize was awarded by the (fake) Google Foundation.
    • After several email exchanges to collect as much information as possible from the victim and to arrange the delivery of the prize, bureaucratic problems start to arise due to the complication of collecting a prize awarded by a foreign country.
    • To solve these problems, the victim will have to send a money transfer to pay the fees, taxes, paperwork, lawyers, etc. necessary to collect the prize.
  • False job offer:

    • The victim receives (or finds while surfing the Internet) a good job offer online.
    • The scammers conduct an interview, usually by email, and the victim is "hired" for the job.
    • Before starting work, and again because of a bureaucratic problem, the victim has to advance the money for the materials needed to do the job.
    • The materials can only be purchased from a single supplier, which is either the scammer himself or an accomplice.
    • The employer promises that the victim will get the money back with the first salary, which obviously never happens because the job never existed.
  • False purchase opportunity

    • If Nike trainers cost 150 at the most expensive shop in town and 100 at the cheapest, and you find an offer for 20, be wary. At the very least, they are fake.
  • Fake official documents

    • If you buy a forged official document (e.g. a vaccination certificate) you are committing a criminal offence.
    • Therefore, if the forgery is not good or the document simply does not arrive, we will not be able to report it to the police. The forger knows this and plays on this to deceive us.
  • False request for help from a friend or relative

    • The victim receives an email or WhatsApp message from someone who identifies themselves as a friend or family member in trouble.
    • The fake person starts by saying that their mobile or computer has been stolen, lost or hacked, which is why they are not writing from their usual email address or account.
    • The fake person then explains a fake problem for which they need money sent urgently.

Tips

  • On offers (of jobs, flats to rent, computers to buy...) that are too good: check first. Ask for help if you are not able to verify on your own.
  • On email or WhatsApp requests for money from friends or family who claim to be in an emergency and to have lost their phone: call them to check and do nothing until you have spoken to them.
  • When you win a prize or get a job, there must be official documents to prove it. In any case, if they are legitimate, you will never be asked to advance money.
  • When you buy for the first time from an unfamiliar online shop:
    • Look for their company details (company name, CIF or other tax number, physical address...). They are usually at the bottom of the page.
    • Search the Internet for reviews or references for that shop.

Digital Rights First-Aid Kit by Prolific
Project code: 2020-1-ES01-KA204-082419

This project has been funded with support from the European Commission.
This publication [communication] reflects the views only of the author,
and the Commission cannot be held responsible for any use
which may be made of the information contained therein.