TMD Blog

Personal blog on security, technology and more.

Scams are too good to not be true!

I would like to spend some time to reiterate the importance of being aware at all times when communicating using technology as a medium. Communicating comes in all forms. This can be through your social media platforms, using the web browser to browse the internet or even a simple phone call. The main point is: always stay alert, especially if you are communicating with it for the first time.

Scams are sometimes, if not, often easy to tell. They can be the most unbelievable thing you have been told, and you instinctively know it is a scam. The classical inheritance email from a far away rich relative sounds sketchy and false, but it only takes a bit of belief, hope, or even despair to hook you in. The moment they have you convinced, they become the best psychological manipulators, and your initial scam alert senses all go down the drain.

Even if you realise something might be wrong, you find all excuses to believe it is true and set yourself on a deadly cycle. When you finally snap out of it… After you have regain consciousness of reality… The damage is done… You have lost more than what you gained.

The hook

I will admit, this almost happened to me and my family, and honestly I almost believed it. Whilst I was not the first one to take the call, at least it ended with me. The scammer was posing to be from the bank and initiated the contact by calling the company line. They were urgent with their request to speak to the owner to assist and rectify an issue with a supposed loan applied under the company’s name by an unknown person in another state. The person on the line believed it and contacted the owner. The owner also believed it. They were not present in the office and was rushing back.

The scammer stayed on the call for the duration of the trip with the owner rushing back in the office. The phone was passed to me after a few minutes. Being the tech guy, I knew a thing or two about computers. This whole panic and urgency from the owner and the scammer seemed absurd to me. I was calm and cool when the phone came to me. Probably for the nth time the scammer repeated the same scenario they perfected two times previously to me. A faudulent and unauthorised business loan was applied. He was going to help us because he’s from the bank.

I hear this and was slightly confused. Why? I can see the phone number they’re calling from. It’s a mobile number. Will a bank personnel ever contact us through mobile? Maybe, since it’s the weekend. Aren’t contact numbers meant to be hidden or private? Dunno but you’re asking too many questions. I ask if they could confirm their identity, and they say quite confidently they’re from the bank. Am I fully convinced? Not really, but maybe a bit.

Confusion

The scammer tells me to perform a few things on my computer. They specifically ask me to type a URL to a website that is not from my bank. Now I know some of you might have already realised the red flags. You will immediately hit that red hang up button, but I was hooked. I convinced myself this was normal. Why? Well the URL to the website had the bank name contained in the domain plus some convincing words like support and the loaded page looked exactly like the bank’s website. I was convinced. This was real. Thinking back I should have realised already. I believed them fully. They tell me to hit his LiveChat button, and so I did. It downloaded a file called AnyDesk.exe.

If you are not familiar with it, AnyDesk is a remove desktop software similar to TeamViewer. Scammers often use remote desktop software to view your screen. Scammers take control of your desktop once all systems are unlocked. In my scenario it was the bank. For others, it could be your social media, your health details or some form of personal data you would not reveal to any stranger.

Caught

Once I saw the download complete with name of AnyDesk.exe, I completely snapped out of it. Suddenly all the suspicions I had previously made so much sense. This was not a call from the bank and nor was the person on the phone a representative from the bank. This website is fake! It looks like the bank, but I can’t click any other links except for the LiveChat button! Also, why would anyone from the bank call on the weekend! This time, I definitely hit the end call button.

Now you might be thinking, hold on, why was the call transferred to me in the first place? Does the owner really trust me with going into their finances? Well that’s because it’s a family business, and I am the most tech-savvy of them all. After realising this was a scam, it really made me wonder how someone can prevent themselves from falling victim to it once your initial scam defences are down?

I fell into the trap myself, and it was only when I saw an application downloaded into my ‘Downloads’ folder did I snap out of it. The targets aren’t people who know a thing or two about computers but for users who are less technical. Those who quickly trust whoever is calling and aren’t the best technically literate.

What are some signs it might be a scam?

The telltale signs of a being a target of a scam are subtle but can be detected easily. The below is not an exhaustive list but can be used to determine if that phone call is suspicious, that free giftcard really is free or other non-suspecting too good to be true really is malicious. Let’s dig in.

Unexpected contact to you

Perhaps the initial vector of contact seems off. They managed to find you, but how did they initially find you? Did they go through many hoops and layers before they contacted you? In a broader sense, do they sound vague? Vagueness gives the scammer the advantage to sound important, but it also allows the scammer to find the right person to contact.

If it is a call from the bank or anywhere requiring some form of identity verification, you can always call them back. Don’t call back on the number they called from but call from the direct line from the legitimate company’s website. Organisations have some form of case management software to enable quick location of your data and view your current case. If it is legitimate the organisation will have a record of it, and they can continue the task from their end.

They give you a sense of pressure or urgency

They make it sound like this is the most critical task you have to do right now. Nothing has priority over it. It could be something drastic such as my scenario, your personal details have been leaked, or something that is both personal and significant to you. Most of the time it will predominantly fall into the three targets of personal information, financial or to claim a free item like a giftcard. A sense of pressure and urgency is created so you have to do it now, or else.

Take a step back and think through it. Scammers love to create pressure and urgency. They this so it renders you unable to analyse and think thoroughly. Suddenly your brain is fixated on the current issue and has no capacity to think critically. Why is this happening to me? The number one thing you should do is to note down the issue and contact the relevant organisation the scammers are impersonating. Double-check the information from a trusted line is better than trusting what your current line of communication. You don’t want to dismiss it as a scam entirely because sometimes it could be legitimate.

They want your money or information

The scammers want something out from you. They won’t go into details of what they need but once they have it, they will target it. Some things to immediately say no to are to give financial information such as your credit card or your login details to your bank. Passwords should never be given out freely. No one calling will ever ask you for it. Credit card information should only be given if you know there is a payment you need to make, or it is from a source you can trust. If they want some personal information out of you, always say no.

Any information they can obtain will be used against you at a later date such as impersonating you whilst it is not you.

Take my scenario. The scenario they posed to us is someone applying for a loan under the company’s name. If they obtained more details from us, they really would be that someone applying for a loan under the company’s name. This time however, it would go through and be processed normally. The banking system will not detect anything out of the ordinary. Be careful of your digital twin once your information is out on the web.

Too good to be true

As the name suggests, sometimes things are too good to be true. As unfortunate as it sounds, things that are free are never really free. Even Newton’s third law tells us for every action, there is an equal and opposite direction. Nothing is free. There are always strings attached to it, even if it is.

On the flip side, if someone tells you this is the next best thing to earn money quick, take caution. Similar rules apply, and they may not be as good as you think it is. In the next moment, it may become your worst nightmare instead.

Line quality or language fluency is suboptimal

This one might sound funky but if the connection or line the scammer is coming from is ancient slow or very unstable, it might be a sign this isn’t legitimate. Organisations pride in quality and having a decent connection is minimal at best. Not having this may suggest otherwise.

Another thing to consider but if the scammer is communicating to you and doesn’t sound fluent at all, it’s probably the signs of a scam. Professionalism means you need to communicate effectively. If that isn’t present then you might reconsider. Obviously this has a high false positive rate but if you combine it with a bad line then it might sound plausible it’s a scam.

This unfortunately can become much harder to detect nowadays when you add artificial intelligence to the mix. Perhaps over-fluency becomes the next new sign it’s a scam?!

You need to click a link or attachment

I say if this there are any massive big red flags for anyone this is the one. I think I may have contradicted myself here because I downloaded the executable in my scenario but… forgive me for I skill issued hard on this. At least the file was not opened, which is the next best thing given my scenario.

If you are unsure about the link, always hove your mouse over the link and wait for the link text to pop up on your screen. Check if the link on the page will redirect to the same entity, or it has a completely different domain. If you are still unsure if it is right, you can always search the domain to check the validity of it. Sometimes organisations use a domain shortening service to share links.

If you ever see a suspicious file, I will highly recommend you to never open it. If your gut feeling is telling you to not click the file, it’s probably right. A lot of computer hacks start by downloading malicious files or links that redirect to download a file onto their device. Once downloaded, the file will execute and establish persistence on the system whilst also evading detection from signature based scanning tools.

This is a common method of compromise and at that stage it’s game over for you if you don’t quarantine or remove the malware fast enough. It is not limited to just your computer. It extends to all devices you may use. These include phones, tablets, smart TVs and other devices or peripherals connected to the internet.

The payment address is… strange…

Are they telling you to pay via direct debit, PayPal or maybe through cryptocurrency? These are possible signs it might be a scam. The scammers will attempt to use methods that make money recovery harder or if not almost impossible. Using such methods allows for the scammer to make one way transactions into their accounts. If you see a payment, always use secured methods of transactions that allow buyer protection. You want to be sure the person you’re sending money to is for a legitimate transaction and not a transfer and run person.

They are from ABC representing XYZ

Scammers who impose themselves to be from said organisation ABC as said position XYZ often gives us a sense of reassurance. Scammers easily manipulate it to make it sound legitimate. Whilst sometimes they are indeed real, you want to distinguish from what is real and what is fake. Make sure you can identify them such as name and perhaps their employee number. This allows traceability as someone might be imposing to be an actual employee whilst not being them, and you’re playing a game of poker face.

Don’t give into the urgency the scammers have created and think logically. Ask their identity checks throughout the session to see if they still remember it and not faking it. If all else fails you can always hang up first and call the organisation through their hotline to see if it really was real, or it was fake.

Conclusion

These are just some steps you can take to identify it is a scam. Sometimes we become so attuned to trying to see if said event was a scam we become fatigued by it. It only takes one error from you to make the whole operation successful to the scammer. Unfortunately we will continually be the defenders to all of this.

It’s hard to fight with a rapid AOE attack. They come in doves to damage you with minimal HP losses. Over time, your boss like HP will decrease until it either becomes 0 or you use buffs and potions to regenerate your HP. Hopefully this article is your potion, if not at least a buff to slow down the attacks from scammers. Good luck everyone!