Scammer Sophistication
Friday, January 3, 2025
Consumer Reports featured an article a month ago about the increasing sophistication of phishing scams. The article tells the story of a retired municipal government employee, Cathy M.—someone reasonably knowledgeable as to the existence and practices of scammers—who ends up handing thousands from her savings to a (likely offshore) scam operator. Cathy’s story is used to illustrate the trickiness of modern scammers. Many work in teams of two or more to approach their victims, with at least one scammer keeping the victim busy and distracted, and another interacting with the victim’s bank while impersonating the victim.
For Cathy, it began with a fraudster calling her bank using her (falsified) identity under the pretense of stopping a scam against her savings account. It’s a hair-raising story, but the details illustrate what might become more common as time passes and the wealthiest population centers have been sufficiently hardened after significant losses.
From the article:
To help convince their victims they are real bank or government employees, cybercriminals are purchasing hacked or leaked customer data—Social Security numbers, bank account details, and purchase histories—for as little as a few cents per person. They are also pursuing specific targets as opposed to sending out emails en masse. For example, residents of Santa Clara County, Calif., where Cathy lives, filed the most phishing scheme reports of any county in the U.S. last year, and the FBI’s San Francisco field office has been inundated with similar kinds of fraud. The reason for cyber criminals focusing on California’s Bay Area? That’s where the money is, in terms of wealthy potential victims.
The whole thing is worth a read. (Previous posts on the subject from this blog here, here, here, here, and here. Some of the linked items mention AI use in scamming.)
As the standard practices and recommendations to prevent fraud have shifted, so have the fraudsters’ tactics. In this case, we learn that the defrauded money is quickly transferred to domestic and international accounts in succession and in smaller tranches, making it hard for law enforcement to recover it, or presumably at least to recover all of it in any given instance.
CR does a lot of public policy advocacy, and I’m not always in favor of their proposals. In this instance, they make a strong case for laws that would put more onus on the banks to protect their customers from harm by making the banks liable for at least a portion of the stolen funds. Other countries have put such regulations in place, and these have made banking customers’ accounts harder to crack.
Of course, any such changes are likely to frustrate ordinary banking customers, too, by adding more layers of multiple device authentication and verification procedures. Think of it this way: Every added security layer requires the normal, rule-following customer to remember access codes, passwords, the location of password-managing apps, security questions, multiple devices for multi-factor confirmations, and so on. Eventually, the process of accessing your own stuff becomes so burdensome as to be a significant barrier, or as to cause the customer to leave their account access open for as long as possible.
It has long been the case that many hostile countries intentionally foster organized financial crime networks that prey on western, industrialized countries’ citizens. We don’t seem to have much of a national defense strategy against them. But many also originate from friendly countries that are democratic, where local law enforcement appears to ignore their criminal activities for whatever reason, be it local corruption or incompetent policing: perhaps both.
For the scams originating abroad, how much of the liability for losses is more aptly attributed to failures of our nation’s national security systems rather than to individual banks?
Thus, I don’t have any angry rants or other political complaints to lodge here. I’m just sharing information for the sake of making as many people as possible aware of the gambits.
Most of all, kudos to CR for its investigative report, and for keeping it accessible as a public service.

Today is J.R.R. Tolkien's birthday. Have a pint and a pipe, if that's your taste in celebrations. I'm going to go to Mass.
"The caller then read back to Cathy the last four digits of her Social Security number, a personal detail so closely held, in her view, that the caller had to be someone from her bank."
It would be good if everyone knew that is not true. There are myriad ways a criminal could know your social security number.