Ruslan Rakhmetov, Security Vision
Fraudsters and swindlers of all stripes are constantly adapting their methods of deception, so they have followed their potential victims to the Internet. The vast majority of the population now has smartphones, and the widespread introduction of various remote services - government, financial, insurance and others - allows criminals to deceive citizens remotely, without contacting their victims and often while being in another country. Today in the article we will discuss what Internet fraud (scam) is, what to be wary of and how to protect yourself from it.
Internet fraud, or scam (from the English scam), is usually implemented quite simply from a technical point of view, therefore scammers (Internet fraudsters, cyber fraudsters) are significantly inferior in competencies to classic hackers. Scammers do not use hacking information systems, but the peculiarities of human psychology - methods social engineering and psychological manipulation combined with some techniques phishing. Using an ordinary smartphone, free Internet services and manipulative techniques, Internet fraudsters lure huge sums from citizens - in 2024, the total amount of damage to Russian citizens from the actions of cyber fraudsters compiled 200 billion rubles. In addition to financial fraud, criminals can push people to unknowingly commit crimes, using them "in the dark" under the pretext of fighting crime or performing a task of national importance.
Fraudulent schemes and tricks are constantly being updated to match the current news agenda, for example:
· During the pandemic, a scam scheme involving alleged payments of benefits or allowances became widespread - to receive them, you "only" had to provide bank card details, from which the fraudsters then wrote off the funds;
· When mobile operators began to clean up their subscriber databases and update subscribers' personal data, scammers began calling people under the pretext of updating information, and to confirm ownership of a phone number, they demanded that they dictate a code from an SMS message (in fact, the code came from the victim's personal account on the State Services portal);
· The scammers also began to use the government's increased fight against data leaks in fraudulent schemes: they called victims and scared them with the discovery of the theft of personal information, and then led the victim to the need to "cooperate with the investigation" supposedly to identify the source of the leak, which resulted in citizens committing illegal actions or participating in the theft of money under the guise of couriers;
· The mass transition to new technologies, the launch of large state information systems can also be accompanied by a wave of fraud - using this information occasion, scammers can massively call citizens with a demand to install a new "protected" application via a link or register in a new "domestic service" with the provision of all personal data.
Thus, it is impossible to compile an exhaustive list of all potential fraudulent schemes, the effectiveness of which is constantly increasing due to the adaptation of scammers to the protection measures implemented by the state and private companies. In addition, as the awareness of potential victims increases, Internet scammers also begin to show miracles of ingenuity, changing the context, pretext, information reason for deceiving citizens. However, fraudulent schemes have a number of common features that depend on the ultimate goals of the scammers:
· Theft of property and funds, including borrowed funds, in cash or non-cash form;
· Stealing personal data and sensitive information, including photographs and voice samples, for the purpose of blackmail, resale, document processing, registration in online services or conducting further scam attacks;
· Gaining access to information resources, including public services and banking applications, in various ways, including infecting the device with a virus, installing software for covert remote access, extracting credentials and one-time codes to access the service;
· Theft of financial equivalents that can be converted into cash (bonus points, miles, in-game currency and "pumped up" characters, etc.);
· The performance by victims of actions in which the perpetrators are interested for various reasons, including the victim's participation in deceiving other citizens as a courier, making inscriptions, committing arson and other illegal actions.
Below are some examples of popular and unusual schemes used by Internet scammers:
1. A person receives a call from a supposed "local police officer" who warns him of a wave of fraud, asks him to write down his number and call if the victim is bothered by unknown people. After some time, such "unknowns" actually call with a classic pretext that is easy to recognize. The victim, happy with his vigilance, calls the "local police officer" and reports an attempted fraud; he, in turn, asks him to help law enforcement agencies and take part in an operational experiment - to hand over money to the courier of the fraudsters so that they can be caught red-handed. The victim gives the money (to be convincing, the fake police officer may even ask the victim to write down the numbers of all the bills) to the courier, who is an accomplice of both the "local police officer" and the fraudsters, who are supposedly about to be caught thanks to the victim's help.
2. Fraudsters stick fake QR codes in public places where either payment via QR or redirection to a website via a link from the QR is assumed. As a result, the user either gets to a phishing page with fields for entering bank card details (the funds from it will be stolen), or the user is informed about the need to enter personal data, a phone number and a one-time SMS code received (this could be a code for accessing State Services), or the victim will be asked to install an application with discounts (this will be a virus). Another type of fraud involves sticking fake QR codes in prominent places near residential buildings or stores - supposedly to enter a closed house chat or a group for discounted purchases in popular instant messengers. After scanning this code, the user's messenger authorizes a fake web session of the attackers, within which they will be able to access all correspondence and files of the user, disable the user's legitimate application and completely take over the account in the messenger.
3. Scammers enter the victim's phone number on the websites of various services and microfinance organizations, supposedly to register with them. As a result, the victim receives a lot of SMS messages with codes for initial registration from various organizations. At the same time, scammers call the citizen, introduce themselves as employees of non-existent organizations (for example, Rosfinnadzor or Rosplatezh) and report that someone is trying to access his accounts, take out a loan or steal money. To prevent this, you only need to provide the code from the new SMS message - the real one received from Gosuslugi. Fraudsters can obtain initial information about the victim either from data leaks, or find out the victim's first and middle names from online banking, by starting the procedure of transferring money by phone number. Having gained access to the victim's State Services, another group of the same scammers gets involved - they carefully study all the information on the State Services portal (including data on all bank accounts, real estate, family) and call the victim on behalf of representatives of the security forces, sending photos of fake "identities" and "resolutions" for credibility. Next, the victim is convinced that the first scammers have successfully stolen money from her and are going to finance an extremist community, so under the threat of a long prison sentence, the victim must hand over all the money and valuables allegedly for declaration to a courier "from the security forces", giving him a code word.
4. The most vile fraud scheme involves the victim's children or elderly relatives. They may be intimidated by phone with the initiation of a criminal case against the victim and convinced to hand over all the money and valuables from the house "for declaration". In the "false kidnapping" criminal scheme, the scammers call the victim's children or elderly relatives and convince them that the victim has gotten into a criminal story and that bandits-kidnappers have already left for them, so they need to hide urgently - for example, in another city or in the attic of a neighboring house, without taking a phone with them, by which they can allegedly be found. In the meantime, the victim is called and informed that their children or relatives have been kidnapped, and a ransom must be paid to return them. The victim, unable to get through to their relatives, begins to look for them, and the scammers begin to threaten and increase the ransom amount.
5. A person searches for a part-time job on the Internet and finds an offer to perform "simple tasks" for a certain reward. The tasks consist of writing reviews of products on various marketplaces. For the first few tasks, the victim actually receives a small payment, which creates a false sense of trust. However, after some time, the victim receives a new task - to buy a certain product, supposedly to raise its rating, while the money spent will be returned to the victim with a certain percentage on top. Payment is made as a money transfer to a third-party individual who is in collusion with the scammers, but then it turns out that a refund is impossible until a commission or fine is paid - all so that the user transfers more and more money to the scammers, hoping to get a refund for the "purchased product". Another scheme is related to fake websites that copy the interface of real marketplaces: victims are lured there with large payments, pushed to top up their balance with large amounts, even displaying them in the "personal account", but when trying to withdraw money, the victim is faced with the need to pay a commission or a fine, then - return the interest, etc. In both schemes, of course, the victim will not be able to get their money back - neither the initial "investment", nor the paid "commissions" or "fines".
6. Fraudsters can carry out a multi-stage attack not only on an individual, but also on an organization. For example, having collected samples of the voice and images of managers from public speeches, as well as information about employees from social networks and instant messengers, fraudsters can launch a phishing call to employees allegedly on behalf of a top manager. The manager, in his usual manner, will give the order to transfer money to a “new counterparty” or open a newly received encrypted file - to deceive sandboxes, the password for the archive can be sent in a private message via messenger.
7. Fraudsters do not forget about outdated technologies that may still be used in various government agencies - for example, scammers can send faxes with a demand to change the administrative password to the information system to the one specified in the document, allegedly to comply with the new government cybersecurity policy.
.jpg)
