As time has gone on, awareness of cybersecurity threats has increased. By now, most people know someone who has had a brush with cybercriminals, or they have been a victim of cybercrime themselves. Unfortunately, this increase in cybersecurity awareness has been met with increased sophistication on the part of cybercriminals. Attacks are now directed at specific groups of people, businesses, and individuals; targets are selected and compromised by teams of professionals. One of the most effective means of compromising individuals is social engineering, the psychological manipulation of people into performing actions or divulging confidential information. No longer is the internet blanketed with the pleas of wrongfully accused, honest officials from Nigeria, modestly requesting help and offering you a fair share of forgotten and misplaced millions.
The FBI lists Business Email Compromise / Email Account Compromise (BEC/EAC) as the largest class of criminal cyberattack by dollar amount; in 2021, that was $2.4 billion. Just as the name says, these attacks begin with email. It is important to realize that criminal internet fraud has become an industry. It is labor intensive; it requires victim research, a well-rehearsed script, follow-up by team members, and often fake documentation to convince you to transfer money or do something else that is not in your best interest.
LinkedIn, the social media site for business and working professionals, has become fertile ground for this kind of fraud. LinkedIn has committed considerable resources to combating fraud and actively uses tools to monitor for and remove malicious actors. Nevertheless, it has proven to be an efficient means for criminal networks to reach victims. The two most common scams are employment and investment scams.
There is a common chain of events in these attacks. The first step is the introduction. For an investment scam, someone with a shared interest approaches an individual through a friend request or contact request. The reality is that this may be a real person whose identity has been hijacked. For an employment scam, someone signals that they are looking for work, and they are then contacted by a company looking for someone with their skills. This company may also be real but has had its identity stolen as well. The advantage LinkedIn gives the attacker is an assumption of trust, and the attack is often conducted behind real identities.
The second step is the connection, in the form of email correspondence. In each case, the attacker strikes up a conversation and builds familiarity and trust over time. For employment scams, this begins with praise for the resume, how qualified the individual is, and how desperately the company needs help. For investment scams, it is a longer process of slowly building trust over shared interests.
The third step is the theater; all scams rely on a bit of theater or make-believe. Employment scams rely on fake employment applications, counseling sessions, interviews, and so on. The goal is to extract personal information (driver's license, SSN, date of birth, etc.) and collect a fee. The investment scam relies on examples of investments that make lots of money; cryptocurrency is the current favorite, and most people know nothing about it. This scam takes a lesson from Bernie Madoff and provides the victim with fake investment returns and profit statements.
The last step is the payday; the attacker's goal is to get paid. In the employment scam, the applicant is asked to hand over their personally identifiable information, which is then used to apply for credit cards and gift cards in their name, break into their systems, and empty their bank accounts. In addition, they are asked to pay a fee to the agency for the non-existent job. In the investment scam, the victim is convinced to move their investments into an account controlled by the criminal. This one may go on for a while; as the investor continues to receive the fraudulent investment reports, they add more money to the account. At some point, the investment is closed, and the victim is left with nothing.
The question is, what can a company or individual do to identify and avoid these scams? The first step is to follow the recommendations published by LinkedIn, which lists suggestions for combating fraud. Most importantly, be cynical. Do not fill out employment applications with your personal information until you are actually in the hiring process. If during the interview you cannot see anyone, the background is strange, the interviewer has no command of good English, or they ask for money, these are warning signs. Before you invest money, get a second opinion; if there is urgency, a claim that you will miss out, or your friend turns aggressive, these too are warning signs. If there is an incident, the recommendation is to report the fraud to the FBI IC3 and the FBI Recovery Asset Team.
LinkedIn is combating this fraud and reported that in 2021 it stopped 96% of all fake accounts, which included 11.9 million stopped at registration, 4.4 million proactively restricted, and 127,000 fake profiles reported by members. However, no matter what LinkedIn, the FBI, Microsoft, Apple, Google, and the rest do, individual user behavior is the most important factor. In general, if something seems too good to be true, it is. That supermodel who just befriended you, the one who really understands you? Well, they are really not all that into you.