I recently read an article about a bright, sophisticated woman who fell victim to an unbelievable scam. By unbelievable, I mean most people reading or hearing about it could not believe it was successful.
A group posing as an Amazon employee and as various U.S. law enforcement agencies convinced a woman to withdraw $50,000 in cash from her bank account and hand it to a complete stranger on the street. It is a wild story, and most of us would not be tricked into doing what she did.
I think most people cannot believe she did it and many think she is either dumb or overly naïve. This is not true.
Intelligence and “street smarts” have little to do with whether you are ultimately scammable or not. I do think being smart and “street smart” can make you less likely to be scammed in many situations, possibly most scenarios. But doctors, lawyers, engineers, successful business owners, rocket scientists, and even Nobel Physics prize winners have been successfully scammed. Many people who thought they were super street smart and unscammable have been scammed.
The truth is anyone can be scammed. Anyone can be phished. Anyone is susceptible to the “right” scam in the right conditions. And if you think you are unscammable or cannot be phished, that attitude could be harmful to your own self-interests in the long run.
It might take a very sophisticated, multi-channel scam or it might simply be the right conditions and circumstances. I know some very bright and knowledgeable people who got tricked into clicking on a rogue link simply because they were very busy and trying to do 10 things at the same time. They were not being mindful and focused, and it cost them.
Sometimes it is simply that the scam arrives with particular attributes at the exact minute the person is dealing with a similar situation. I know of a person who had just reported a negative Uber experience and then got an email from “Uber”, clicked the included link, and ended up with malware on his phone. Another person shared with me that they got a request from their ex-wife’s email address for three gift cards just before Christmas, and they just happened to be raising three kids. It seemed like a plausible request.
Whatever the reason, we are all susceptible to scams and phishing attacks. And if you think you are not, you might be eating humble pie one day.
Some Realistic Scam Examples
Let me give you some examples of unique scams and phishing events that can lead to unwanted compromises against anyone, given the right circumstances.
Fake Customer Support
Once, after failing to get satisfaction regarding an expensive new refrigerator I had bought, I posted my complaint, in frustration, on the vendor’s Facebook page. Within minutes, someone using a very valid-looking email address related to the vendor’s domain emailed me to say they had read my complaint. It was something like customerservice@GEresolutiondesk.com.
They apologized and offered to immediately send me a replacement refrigerator. All I had to do was give them my credit card information so they could charge me if I failed to send back the old refrigerator as promised. I almost fell for the scam. It was only by accident, when I called the vendor’s legitimate 1-800 number (the one I had already been dealing with for months) to get more information, that I learned the email I had received was a complete scam.
Fake Conference Invite
I get invited to speak at conferences on a daily basis. Once, I received a request to speak at a foreign conference, all expenses paid, and the vendor said they would pay for my wife’s and my visit and take us around the country to various tourist sites. They said many of my industry friends were also going. Although I do not get this type of offer all the time, it has happened a few times in the past.
Who does not want what is basically a free trip to a foreign country in trade for giving a quick presentation? I responded that I would be happy to accept the request. They sent me an email containing a website registration link. I clicked on the link and it took me to the conference’s website. That website asked me to create an account or log in using any of a list of common shared (OAuth) logins, such as my Google, LinkedIn, or Apple account. I had been doing a lot of research around OAuth at the time and decided to look at the underlying code.
It was not OAuth at all. Anyone clicking those links would be sharing their OAuth login names and passwords with the foreign website. I quickly backed out. It was all a scam. Here is an example of that sort of attack.
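A genuine “Sign in with Google/Apple/LinkedIn” button hands you off to the provider’s own authorization endpoint; it never asks the third-party page to collect your provider password. The script below is an added example (not code from the original post) that audits a registration page’s HTML for exactly that tell: a social-login button whose target is not the provider’s authorization host, or a login form that carries a password field of its own. The provider host list and the two sample pages are constructed for the example and are assumptions, not the site I encountered.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve each provider's real OAuth authorization endpoint.
# Which providers to check (and this short list) is an assumption of the example.
PROVIDER_HOSTS = {
    "google": {"accounts.google.com"},
    "apple": {"appleid.apple.com"},
    "linkedin": {"www.linkedin.com", "linkedin.com"},
    "microsoft": {"login.microsoftonline.com", "login.live.com"},
}


class _LoginElementParser(HTMLParser):
    """Collect every <a> and <form>: its target, whether it holds a password
    field, and its visible text (used to spot 'Sign in with <provider>')."""

    def __init__(self):
        super().__init__()
        self.elements = []   # (kind, target, has_password, text)
        self._cur = None     # [kind, target, has_password, text parts]

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._cur = ["a", a.get("href", ""), False, []]
        elif tag == "form":
            self._cur = ["form", a.get("action", ""), False, []]
        elif tag == "input" and self._cur and a.get("type", "").lower() == "password":
            self._cur[2] = True   # this element collects a password itself

    def handle_data(self, data):
        if self._cur:
            self._cur[3].append(data)

    def handle_endtag(self, tag):
        if self._cur and tag == self._cur[0]:
            kind, target, has_pw, parts = self._cur
            self.elements.append((kind, target, has_pw, " ".join(parts).strip()))
            self._cur = None


def audit_social_logins(html, page_host):
    """Return (provider, verdict, host) for each element that claims to be a
    provider login. Verdicts: 'ok' (goes to the provider's own host),
    'credential-harvest' (the page itself asks for a password),
    'wrong-host' (the button points somewhere other than the provider)."""
    p = _LoginElementParser()
    p.feed(html)
    findings = []
    for _kind, target, has_pw, text in p.elements:
        provider = next((n for n in PROVIDER_HOSTS if n in text.lower()), None)
        if provider is None:
            continue
        # A relative target stays on the registration site itself.
        host = urlparse(target).hostname or page_host
        if host in PROVIDER_HOSTS[provider] and not has_pw:
            findings.append((provider, "ok", host))
        elif has_pw:
            findings.append((provider, "credential-harvest", host))
        else:
            findings.append((provider, "wrong-host", host))
    return findings


# Constructed sample pages (not real sites).
LEGIT_PAGE = """
<html><body>
<a href="https://accounts.google.com/o/oauth2/v2/auth?client_id=example&redirect_uri=https%3A%2F%2Fconf.example%2Fcb&response_type=code&scope=openid">Sign in with Google</a>
<a href="https://appleid.apple.com/auth/authorize?client_id=example&response_type=code">Sign in with Apple</a>
</body></html>
"""

FAKE_PAGE = """
<html><body>
<form action="/sso/google" method="post">
  <p>Sign in with Google</p>
  <input name="email"><input name="pw" type="password"><button>Continue</button>
</form>
<a href="https://linkedin-login.conf-registration.example/auth">Sign in with LinkedIn</a>
</body></html>
"""

if __name__ == "__main__":
    for verdict in audit_social_logins(LEGIT_PAGE, "conf.example"):
        print("legit page:", verdict)
    for verdict in audit_social_logins(FAKE_PAGE, "conf-registration.example"):
        print("fake page:", verdict)
```

The same check can be done by hand in a browser: hover the button, read the host it goes to, and be suspicious of any “Sign in with …” box that is a form on the conference site rather than a redirect to the provider.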
Bad Water Main
I have a lot of people tell me that they cannot be scammed. When I am annoyed enough, I ask whether they would be willing to bet $1,000 that I cannot scam them. By that I mean: can I create a fake scam experience that they engage with, which, had it been a real-world scam, would have resulted in their exploitation? Many have accepted my bet. I have always been successful in scamming them.
A common ploy I use is to research what their current mailing address is, along with phone number, and some personal email address or service that they use (e.g., Google, Hotmail, their bank, their stock investment broker, etc.). I comb through their past postings on blog sites to learn any information I can about them, and then use it in my scam.
For example, I will send them a fake text message that appears to come from a phone number in their local area code and to be from their local county’s water or sanitation service. I will text them something like, “Monroe County Water & Sanitation Warning! There has been a major water main break impacting your residence located at 500 Lorelane Place, Key Largo, FL. Please do not drink or use county water until further notice. Do you wish to be notified when the water main is repaired and it is safe to drink the water again (Y/N)?”
They always reply, yes.
Then I send them another message stating, “You will be sent a 6-digit confirmation code from another number to confirm your enrollment for proactive status updates. Please retype this code in response to this message to confirm your enrollment.” Then I go to their private email service (say Google Gmail), their bank (say Morgan Stanley), or stock account (say Fidelity Investments) and tell that service that I have lost my password or MFA token.
This puts the account in Account Recovery mode. The service will almost always send a confirmation code to the user’s valid phone number. So, the victim gets the 6-digit confirmation code they were expecting, and types it back in response to my previous prompting. Once they type in the code (they always do), I reveal that it was me sending the messages, and if I had been a bad actor, I could have taken over their personal account.
New Highway Coming Through
Another test ploy I use is to have an adult female call the victim and say the following, “This is Bintner’s Survey and Engineering. I want to confirm that we have your permission to be in your yard at 500 Lorelane Place, Key Largo, to take survey measurements tomorrow morning!” The victim always says something like, “What? What are you talking about?”
The caller replies, “We were hired by the county to conduct a survey for the widening of the road in your area. They are going to use the county setbacks on your property to widen the road. I just need your permission for my guys to be in your yard tomorrow. It should only take 15 minutes and will not impact your property. We need to confirm that you approve us being on your property and that any dangerous pets will not be out during the hours of 11AM-1PM.”
The victim always replies with another, “What? What are you talking about?” My caller is trained to say, “I apologize. The county should have sent you a letter about the project to let you know about the required surveying. I apologize for you having not received the information. Would you like me to email you information about the pending project?”
They always say yes and give me their email address (which I already have). Then I send them a booby-trapped document. As soon as they open the file, I have won the bet. My fake scenario depends on where they live. Sometimes my call appears to be from the HOA management company (if they have an HOA) or the NOAA flood division (if they live near water).
Fake Credit Card Charges
This is a common real-world scam. Someone calls you with a number that appears to be from the back of your credit card. They greet you with a professional hello including your full name. Then they say something similar to, “Mr. Grimes, we are from [insert credit card vendor name here]. We think we have detected someone using your credit card fraudulently. Did you buy two tickets from Dallas, TX, to Nigeria this morning?”
When you say, “No.” they continue. “We did not think you did. You are a valuable customer and we apologize for the inconvenience. Be assured that you will not be responsible for any fraudulent transactions. We will send you a replacement credit card overnight. Does [your spouse’s name] need a replacement card as well?”
Victim says, “Yes.” They continue, “We apologize again for the inconvenience. Before we continue, we need to confirm your address. You live at [mailing address]? Your phone is [phone number]? Your email address is [your email address]? The last four digits of your social security number are [last four digits of your social security number]?” After you confirm this information, they will say, “Thank you for confirming your identity.”
They continue, “We are seeing $55,000 in transactions over the last two days. We need to confirm which transactions you created that we should pay and determine which ones are fraudulent that you will not be responsible for. Before we continue, what is your login name?” Victim responds with their login name.
Then the caller says, “We are going to send you a 6-digit code to confirm we are speaking with the valid account holder. Please tell us that 6-digit code.”
Unbeknownst to the victim, the scammer has just reset their password or MFA setting on their credit card account, and the legitimate vendor is now sending the victim a confirmation code to complete the requested change. The 6-digit code comes from the victim’s credit card vendor, which they see and then repeat to the person on the phone. That is it, the scam is done. Now they are being robbed. The scammer will keep them on the phone for another 10 minutes as they use the victim’s account to make fraudulent purchases.
Revealing Your Password NT Hash
Windows computer users’ passwords are always converted to NT password hashes for storage and system use. A lot of people do not realize that I can send you an email message and if you open that message and/or click on the link inside, I can remotely capture your NT hash, which I then crack back to its plaintext equivalent password (if your password is not strong enough). This can be done in a bunch of different ways.
I first wrote about this in 2019 and it is still a problem today. It requires an unpatched bug to be used, often involving Microsoft or third-party software, but these types of bugs have consistently happened once or twice a year for decades. Here is the latest iteration from a few months ago.
The end result is that I can send you an email, and all you have to do is open it to see what it says (or you might have to be tricked into clicking on a link). You see nothing. You are not asked to open a file, to run content, or anything else. But unbeknownst to the victim, their browser is being asked to send integrated Windows Authentication to log into a website hosting the linked content, and from there the attacker can get your NT password hash and, if your password is not strong enough (12 characters or longer), likely your plaintext password. This trick usually works with any operating system or browser that supports integrated Windows Authentication (which is common on iOS, Google Chrome, Linux, etc.).
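The defender’s side of this is to notice, before a message is rendered, that it references something a Windows client might answer with integrated authentication: a UNC path, a file:// URL, or a link to a host that Windows places in the Local Intranet zone (a bare IP or a dotless name), where automatic logon with the current credentials is allowed by default. The script below is an added example (not code from the original post or from any vendor) that scans an HTML email body for those references. The zone heuristic and the constructed sample message, including its 203.0.113.7 documentation address, are assumptions of the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that cause a mail client or browser to fetch a remote resource.
FETCH_ATTRS = {"href", "src", "action", "background", "data", "poster"}


class _ResourceCollector(HTMLParser):
    """Gather every URL-bearing attribute value, in document order."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in FETCH_ATTRS and value:
                self.targets.append(value.strip())


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_target(target):
    """Return (kind, host) when the target is one a Windows client may answer
    with integrated authentication, otherwise None.
    Kinds: 'unc-path' (\\\\host\\share), 'file-url' (file://host/...),
    'intranet-zone-host' (http(s) to a bare IP or dotless name).
    Treating bare IPs and dotless names as intranet-zone is an assumption
    drawn from Windows' default zone mapping."""
    if target.startswith("\\\\"):
        return ("unc-path", target[2:].split("\\")[0])
    parsed = urlparse(target)
    host = parsed.hostname or ""
    if parsed.scheme == "file" and host:
        return ("file-url", host)
    if parsed.scheme in ("http", "https") and host and ("." not in host or _is_ip(host)):
        return ("intranet-zone-host", host)
    return None


def find_ntlm_triggers(html):
    """Scan an HTML email body and list the references worth blocking or
    quarantining before the message is rendered."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for target in collector.targets:
        verdict = classify_target(target)
        if verdict:
            findings.append(verdict)
    return findings


# Constructed sample message (raw string so the UNC backslashes survive).
SAMPLE_EMAIL = r"""
<html><body>
<p>Your invoice is attached. <a href="https://billing.example.com/inv/1">View online</a></p>
<img src="\\203.0.113.7\share\logo.png">
<img src="file://203.0.113.7/share/pixel.gif" width="1" height="1">
<a href="http://fileserver/docs/agenda.docx">Agenda</a>
<img src="https://cdn.example.com/banner.png">
</body></html>
"""

if __name__ == "__main__":
    for kind, host in find_ntlm_triggers(SAMPLE_EMAIL):
        print(f"{kind}: {host}")
```

Ordinary links to fully qualified public hosts are left alone; the point is to catch the handful of reference shapes that invite a silent authentication attempt, which a mail gateway can strip or hold for review. Blocking outbound SMB at the perimeter and restricting NTLM where the environment allows closes the same path from the network side.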
Hobby Friend
Hackers often befriend people in their hobby forums. Say you like flying, dogs, or sculpting. Many people who have hobbies join hobby-related websites and blogs. Attackers often befriend potential victims, telling them how much they admire their interest in said hobby, and become online “friends”. The hacker will spend months cultivating the relationship to gain the victim’s trust. Oftentimes, the hacker’s persona will be a great-looking version of the opposite sex who includes flirty statements. Then, at some later date, the hacker sends an email with a link that contains malicious content. It happens all the time. Too many victims give too much trust to people they have never met. CISA warns about this type of attack here.
Fake Job Offers
I have covered this many times before, including here, but many victims became victims because of “GREAT” fake job offers. They either get approached after placing a resume on a legitimate job site or the fake company approaches them. They claim to have the “perfect job”. It has full benefits, overpays you, offers unlimited vacation, and lets you choose whether you work in the office or completely remote. Up to you.
They will “interview you,” let you speak, and from that conversation update the job offer to add whatever else appeals to you, like a luxury automobile, free childcare, or a childcare or parental guardian monthly stipend. They usually reach out from LinkedIn or some other site where they have set up a fake account that looks like it belongs to some other notable company in your field of interest. They use real names and pictures of real people who belong to the real company.
Many employees who were offered and accepted these fake jobs from fake companies have been personally victimized or ended up installing “needed” software that turns out to be a trojan horse program that attacks their current employer. It is very, very common.
Fake Hardware Replacement
Another hard-to-spot scam is when victims using particular hardware, usually hardware crypto wallet devices, are sent new “updated” fake crypto devices. These devices arrive in shipping boxes that are designed to look like the real boxes. The device is a real replacement device, except that it has been maliciously altered in some way. The replacement comes with a letter on official-looking letterhead, from the CEO, telling the victim about some issue that can only be resolved by replacing their current hardware with the new hardware.
If the victim is tricked into using the replacement, then the hacker gains control of the victim’s usage and steals something (e.g., crypto, money, information, etc.). Usually, these hardware scams involve people buying and storing cryptocurrencies, but I have seen fake USB keys and fake software sent out as well. One victim I know about received an updated version of Microsoft Office on a (malicious) USB key, all branded to look as if it really came from Microsoft.
Here is an example of a real-world attack. In this case, the scammers sent the malicious replacement crypto hardware wallets to people who actually used the product, and who were aware of a compromise of that vendor a few months before. So, the victims had been told by the legitimate company about the compromise and to be aware of possible uses of their information. The fake hardware came with a letter claiming to be from the CEO, referencing that same previous attack as the reason the replacement was required. So, it looked very legit. I am amazed some of the potential victims realized it was a scam. I think I could have easily fallen for this one.
All of the examples above are there to demonstrate that not all scams are easy to spot. Many scams are very sophisticated and may take place over many months. And if you tell me that you would not have been caught by any of these scams, that is great. But I think that most people would have fallen for at least one of these example scams, and I know anyone can be scammed. All it takes is the right scam scenario at the right time and in the right circumstances.
If you believe you are unscammable, you might be setting yourself up for future humble pie. I know dozens of people who thought they could never be scammed…ever…they learned differently.
It is better to have the mindset that you might be susceptible to a future scam…that no one is perfect. And remain vigilant, educated, and skeptical, to that end. If you think you could possibly be scammed, then you are likely to be more prepared than if you think you cannot be. It is as simple as that.