Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Fraud. Show all posts
phishing
AI Deepfakes CERT Cyber Security Fraud phishing

How to Protect Your Small Business from Cyber Attacks

 


It so coincided that October was international cybersecurity awareness month, during which most small businesses throughout Australia were getting ready once again to defend themselves against such malicious campaigns. While all cyber crimes are growing both here and all around the world, one area remains to be targeted more often in these cases: the smaller ones. Below is some basic information any small businessman or woman should know before it can indeed fortify your position.

Protect yourself from Phishing and Scamming.

One of the most dangerous threats that small businesses are exposed to today is phishing. Here, attackers pose as trusted sources to dupe people into clicking on malicious links or sharing sensitive information. According to Mark Knowles, General Manager of Security Assurance at Xero, cyber criminals have different forms of phishing, including "vishing," which refers to voice calls, and "smishing," which refers to text messages. The tactics of deception encourage users to respond to these malicious messages, which brings about massive financial losses.

Counter-phishing may be achieved by taking some time to think before answering any unfamiliar message or link. Delaying and judging if the message appears suspicious would have averted the main negative outcome. Knowles further warns that just extra seconds to verify could have spared a business from an expensive error.

Prepare for Emerging AI-driven Threats Like Deepfakes

The emergence of AI has provided new complications to cybersecurity. Deepfakes, the fake audio and video produced using AI, make it increasingly difficult for people to distinguish between what is real and what is manipulated. It can cause critical problems as attackers can masquerade as trusted persons or even executives to get employees to transfer money.

Knowles shares a case, where the technology was implemented in Hong Kong to cheat a finance employee of $25 million. This case highlights the need to verify identities in this high-pressure situation; even dialling a phone can save one from becoming a victim of this highly sophisticated fraud.

Develop a Culture of Cybersecurity

Even a small team is a security-aware culture and an excellent line of defence. Small business owners will often hold regular sessions with teams to analyse examples of attempted phishing and discuss awareness about recognising threats. Such collective confidence and knowledge make everyone more alert and watchful.

Knowles further recommends that you network with other small business owners within your region and share your understanding of cyber threats. Having regular discussions on common attack patterns will help businesses learn from each other's experiences and build collective resilience against cybercrime.

Develop an Incident Response Plan for Cyber

Small businesses typically don't have dedicated IT departments. However, that does not mean they can't prepare for cyber incidents. A simple incident-response plan is crucial. This should include the contact details of support: trusted IT advisors or local authorities such as CERT Australia. If an attack locks down your systems, immediate access to these contacts can speed up recovery.

Besides, a "safe word" that will be used for communication purposes can help employees confirm each other's identities in such crucial moments where even digital impersonation may come into play.

Don't Let Shyness Get in Your Way

The embarrassment of such an ordeal by cyber crooks results in the likelihood that organisations are not revealing an attack as it can lead the cyber criminals again and again. Knowles encourages any organisation affected to report suspicions of the scam immediately to bankers, government, or experienced advisors in time to avoid possible future ramifications to the firm. Communicating the threat is very beneficial for mitigating damages, but if nothing was said, chances are slim to stop that firm further from getting another blow at that point of time in question.

Making use of the local networks is beneficial. Open communication adds differences in acting speedily and staying well-informed to build more resilient proactive approaches toward cybersecurity.


Read more »
Scam
Bengaluru Cyber crimes Fraud porter Scam

Delivery Partners Exploit App Loophole, Defraud Logistics Company in Bengaluru

 




This is a major fraud case whereby delivery partners exploited a weakness in the logistics app Porter, syphoning Rs 90 lakh from Bengaluru. The swindle was detected by a routine business audit conducted in July by Smart Shift Logistics Solutions Pvt Ltd, which runs Porter. After this, an official of the logistics company filed a complaint with the police. Insider involvement was ruled out through automated operations.

The authorities suspected it could be an inside job when the fraud was first detected, considering the scale of the crime. They looked at the backend operations of the company and found nothing internal as most processes were automated. This led to a deep probe with Sarah Fathima, the Deputy Commissioner of Police (Southeast), assigning a team to trace the refunds made by the company since January. This series of operations was headed by ACP Govardhan Gopal, along with inspector Eshwari from the Southeast Cybercrime, Economic Offences, and Narcotics (CEN) police station.


Understanding the Scam

The investigators soon came across several refunds credited to the same accounts, and a rather clear fraud pattern began to emerge. The police were following this chain of suspicious transactions when it led them to a Shreyas TL, a 29-year-old from Hassan's Hirisave. Based on confession questioning of Shreyas, the police managed to seize three others: Kaushik KS, aged 26, from Mandya, Ranganath PR, also 26, and Anand Kumar, 30, both from Mandya.

These were earlier cab drivers and food delivery partners for various online applications who chanced upon loopholes in the Porter app after dabbling in such scams in other delivery services. They eventually managed to pinpoint how to exploit the Porter system through trial and error for their financial gains.


How the scam was run

Porter has a system where the driver can get a part of the total bill through his wallet whenever he accepts the job. And if he rejects the delivery, he will have his money back automatically. The application does not allow abusing this system, and therefore it has a strict cancellation policy where it blacklists the drivers in case they cancel two deliveries consecutively.

The fraudsters bypassed the system. Geo-spoofing is an application of the technology, using which they manipulated the app so as to pose their locations at places where there are few available drivers. This way, they accepted the jobs using their fake delivery accounts. The amount of the bill was credited to their digital wallets. Then the amount was drawn from these wallets into bank accounts. They canceled the delivery, and customers canceled the order and received a refund.

The reason they did not get blacklisted was because of repeated cancellations, so to avoid that, the gang bought fake phone numbers from Telegram groups and created new accounts on the app with them. Additionally, the gang practiced geo-spoofing to change their location into neighbouring states, making it hard for the authorities to trace them.


A Perfected Scam

The operation of the gang was so sophisticated that they managed to make off with a total of Rs 90 lakh from the company. Taking advantage of loopholes in the automation of the app, they had syphoned off the amount without raising any suspicion in the beginning. But finally, after going through a detailed investigation, it was traced by the police, and the fraudsters were caught.

This case shines a light on the importance of secure and foolproof systems in online platforms, especially those handling financial transactions. It also highlights the need to frequently audit and monitor company automated processes to detect fraud before it gets out of hand.




Read more »
Trading
Apple cryptocurrency Cyber Fraud Cybersecurity Fake Apps Fraud Google investment phishing Scam Trading

Massive Global Fraud Campaign Exploits Fake Trading Apps on Apple and Google Platforms

 

A recent investigation by Group-IB revealed a large-scale fraud operation involving fake trading apps on the Apple App Store and Google Play Store, as well as phishing sites to deceive victims. The scheme is part of a wider investment scam known as "pig butchering," where fraudsters lure victims into investments by posing as romantic partners or financial advisors.

Victims are manipulated into losing funds, with scammers often requesting additional fees before disappearing with the money.

Group-IB, based in Singapore, noted that the campaign targets victims globally, with reports from regions like Asia-Pacific, Europe, the Middle East, and Africa. The fraudulent apps, created using the UniApp Framework, are labeled under "UniShadowTrade" and have been active since mid-2023, offering promises of quick financial gains.

One app, SBI-INT, even bypassed Apple’s App Store review process, giving it an illusion of legitimacy. The app disguised itself as a tool for algebraic formulas and 3D graphics calculations but was eventually removed from the marketplace.

The app used a technique that checked if the date was before July 22, 2024, and, if so, displayed a fake screen with mathematical formulas. After being taken down, scammers began distributing it via phishing websites for Android and iOS users.

For iOS, downloading the app involved installing a .plist file, requiring users to trust an Enterprise developer profile manually. Once done, the fraudulent app became operational, asking users for their phone number, password, and an invitation code.

After registration, victims went through a six-step process involving identity verification, providing personal details, and agreeing to terms for investments. Scammers then instructed them on which financial instruments to invest in, falsely promising high returns.

When victims tried to withdraw their funds, they were asked to pay additional fees to retrieve their investments, but the funds were instead stolen.

The malware also included a configuration with details about the URL hosting the login page, hidden within the app to avoid detection. One of these URLs was hosted by a legitimate service, TermsFeed, used for generating privacy policies and cookie consent banners.

Group-IB discovered another fake app on the Google Play Store called FINANS INSIGHTS, which had fewer than 5,000 downloads. A second app, FINANS TRADER6, was also linked to the same developer. Both apps targeted countries like Japan, South Korea, Cambodia, Thailand, and Cyprus.

Users are advised to be cautious with links, avoid messages from unknown sources, verify investment platforms, and review apps and their ratings before downloading.
Read more »
security threat
Cyber Attacks Cyber Scams CyberCrime CyberThreat Digital Detention Fraud security threat

Cybercriminals Impersonate Law Enforcement in New 'Digital Detention' Scam

 


As part of a collaboration between the Indian Cyber Coordination Centre (I4C) and Microsoft, an anti-cyber fraud agency has banned more than 1,000 Skype accounts that are believed to have been used to intimidate, blackmail, extort and digitally arrest citizens by cybercriminals posing as police officers, the Central Bureau of Investigation (CBI), the Narcotics Department, the RBI, or Enforcement Directorate. During the past few years, the Indian digital industry has grown at a rapid pace. 

It is increasingly necessary to rely on the Internet for everything from shopping and banking to travel and UPI. It is also important to note that because of this dependence on the digital space, threats such as scams are also present. The number of online scams has increased since a few months ago. Cybercriminals continue to find new ways to exploit technology to steal money from unsuspecting victims. It has been reported that a scam dubbed the 'Digital Arrest Scam' has been spreading rapidly over the past few days. 

Fraudsters are doing an increasingly good job of masquerading as law enforcement officers to trick unsuspecting victims with chillingly simple but extremely effective techniques. They pose as police officers or officers from the CBI or ED and launch online interrogations over platforms such as WhatsApp or Skype, where victims can be monitored over the camera while the fraudsters pose as officers from these agencies. 

As a result, the victims of these crimes are isolated, and forbidden from contacting anyone of importance, and the perpetrators threaten them in an attempt to extract money from them. As a result of "interrogation" a victim could be held in custody for anything from a few hours to a few days, and they would be told that they are locked up in a virtual prison. There was this new report about a 40-year-old doctor who was victimized by a scam called Digital Arrest Scam. 

The victim, a doctor in Noida, lost Rs 59.54 lakh as a result of cybercriminals. Fraudsters who posed as telecom officials called the victim on the phone and informed her that her name was associated with a case of money laundering and they wanted to expose her. After that, the phone was transferred to a supposed police officer from Mumbai's Tilak Nagar Police Station, who was later arrested. 

According to the "officer" the police informed the victim that an investigation had been opened into her sharing of pornographic videos, and an arrest warrant had been issued for her. Furthermore, the criminals claim that she had been implicated in a money laundering case involving Jet Airways founder Naresh Goyal and that the National Security Act of 1947 had been invoked against her to obtain her arrest. 

It was during this period that the victim was placed under digital arrest while the scammers asked for her details to steal money from her bank account between the 15th and 16th of July. As a first step in their scam strategy, scammers usually cast a wide net, calling individuals and claiming that drugs have been found inside their courier packages or that their personal information is being used to hide money. They are then subjected to a high-pressure interview process while being threatened with legal action or even arrest to obtain the details of the crime. 

An incident in which fraudsters informed the victim that his mobile number was discovered during an investigation of the criminal case against a former minister in the NCP, led to him believing that he had been targeted. Cybercriminals have developed elaborate setups that resemble police stations to enhance their credibility. These setups usually include men wearing uniforms and logos that appear to be officially licensed. 

In a disturbing case of cybercrime, scammers used a fake profile picture of a policeman on WhatsApp to deceive a businessman. The criminals accused the businessman of being involved in human trafficking, leveraging his fear and trust in authority to manipulate him. They sent him a fabricated arrest warrant and a seizure order via an online link, further escalating the pressure on the victim. In a brazen move, one of the scammers even impersonated a Supreme Court judge during a phone call with the businessman.

Through these deceptive tactics, the fraudsters convinced the businessman that he needed to undergo a "fund legalization process" and deposit his money into an account purportedly held by the Reserve Bank of India (RBI). The scam, which unfolded over a gruelling period of seven to eight hours, resulted in a significant financial loss of Rs 1.3 crore for the victim.

Despite the severity of such incidents, victims often find themselves without adequate support. While the government has publicized a cybercrime helpline number, 1930, it merely directs complainants to file their cases on the website www.cybercrime.gov.in. Even after a complaint is lodged, the responsibility to follow up and ensure action is taken largely falls on the victim.

This case highlights the broader issue of law enforcement agencies not playing a proactive role in assisting citizens who fall prey to online fraudsters. The lack of timely intervention and investigation into cybercrimes exacerbates the distress faced by victims. As cybercrime rates continue to rise, there is a pressing need for law enforcement to enhance their responsiveness and take on a more active role in protecting citizens from such sophisticated digital threats.

Read more »
Money Laundering
Bank Scam Bengaluru Cyber Crime Fraud Money Laundering

Digital Arrest Scam: Bengaluru Man Loses Rs 3.8 Crore to Scammers


A 73-year-old man recently lost Rs 3.8 crore due to the 'digital arrest' threat posed by fraudsters impersonating law enforcement officers. The fraudsters held him under 'digital arrest' from May 5 to 10, saying that he was under Mumbai police monitoring because a parcel shipped in his name to Taiwan contained drugs.

The Setup

It all started on May 5 at 10 a.m., when Rajkumar (name changed), an Indiranagar resident and retired MNC executive, got a call from 8861447031. The caller claimed as a 'FedEx' logistics executive and supplied Rajkumar's Aadhaar and mobile numbers. 

He said that a package shipped to Taiwan under Shankar's name contained five passports, a laptop, 3kg of clothing, and 150 grams of MDMA. He forwarded the phone to a "police officer" after claiming a case against him had been filed at Mumbai's Andheri East cyber police station.

The Deception

A man claimed to be Rajesh Pradhan, DCP (Cybercrime), Andheri and informed Shankar that he was under digital arrest until the inquiry was completed. They warned to arrest him if he left his residence and instructed him to isolate himself in a room. Later, they made a video call to him, and Shankar noticed a police station in the backdrop and assumed he was speaking with actual cops.

Pradhan informed Rajkumar that this was a high-profile and sensitive matter involving VIPs. He was told not to mention their call with anybody and threatened with arrest if he did not obey their instructions. 

The Money Transfer

The con artist added that they discovered a bank account opened in his name that was being used for money laundering. They allegedly examined the charges against him, which included money laundering, NDPS, and other criminal actions, before offering to assist him. 

To protect the account, he was ordered to move the full balance in his bank accounts to Reserve Bank of India (RBI) accounts.

The Aftermath

After promising to repay him after his transactions were verified, they convinced Shankar to send money to their accounts in several transactions. 

After transferring Rs 3.8 crore, Rajkumar was promised that the return would be in his account within 30 minutes of verification and the connection was discontinued. Rajkumar only realized he had been duped after the crooks went mute.

The digital arrest is fake: DCP

According to Kuldeep Kumar Jain, DCP (East), Shankar submitted a report on May 13, and they were able to freeze Rs 9 lakh within two days.

A case has been filed under the Information Technology Act and IPC section 420 (cheating and dishonestly inducing delivery of property).

According to Jain, such claims should not be taken seriously. The police force has no idea of digital arrests or online (virtual) investigations. If you receive such calls, simply disconnect and report them to your nearest police station or the 1930 cyber helpline. If you lose any money, you should contact the police right away. Delays in filing complaints will have an impact on recovery rates.

Read more »
RBI
Artifcial Intelligence Cyber Crime Cyber Laws Fraud RBI

Can Legal Measures Slow Down Cybercrimes?

 


Cybercrime has transpired as a serious threat in India, prompting calls for comprehensive reforms and collaborative efforts from various stakeholders. Experts and officials emphasise the pressing need to address the evolving nature of cyber threats and strengthen the country's legal and regulatory framework to combat this menace effectively.

Former IPS officer and cybersecurity expert Prof Triveni Singh identified the necessity for fundamental changes in India's legal infrastructure to align with the pervasive nature of cybercrime. He advocates for the establishment of a national-level cybercrime investigation bureau, augmented training for law enforcement personnel, and the integration of cyber forensic facilities at police stations across the country.

A critical challenge in combating cybercrime lies in the outdated procedures for reporting and investigating such offences. Currently, victims often encounter obstacles when filing complaints, particularly if they reside outside India. Moreover, the decentralised nature of law enforcement across states complicates multi-jurisdictional investigations, leading to inefficiencies and resource depletion.

To streamline the process, experts propose the implementation of an independent online court system to expedite judicial proceedings for cybercrime cases, thereby eliminating the need for physical hearings. Additionally, fostering enhanced cooperation between police forces of different states and countries is deemed essential to effectively tackle cross-border cybercrimes.

Acknowledging the imperative for centralised coordination, proposals for the establishment of a national cybercrime investigation agency have been put forward. Such an agency would serve as a central hub, providing support to state police forces and facilitating collaboration in complex cybercrime cases involving multiple jurisdictions.

Regulatory bodies, notably the Reserve Bank of India (RBI), also play a crucial role in combatting financial cybercrimes. Experts urge the RBI to strengthen oversight of banks and enhance Know Your Customer (KYC) norms to prevent the misuse of accounts by cyber criminals. They should aim to utilise technologies like Artificial Intelligence (AI) to detect anomalous transaction patterns and consolidate efforts to identify and thwart cybercrime activities.

There is a growing consensus on the necessity for a comprehensive national cybersecurity strategy and legislation in India. Such initiatives would furnish a robust framework for addressing the omnipresent nature of this threat and safeguarding the country's cyber sovereignty.

The bottom line is putting a stop to cybercrime demands a concerted effort involving lawmakers, regulators, law enforcement agencies, financial institutions, and internet service providers. By enacting comprehensive reforms and fostering greater cooperation, India can intensify its cyber resilience and ensure a safer online environment for all.



Read more »
Privacy
AI Systems Bank Accounts Data protection DWP Financial Security Fraud Privacy

UK Government’s New AI System to Monitor Bank Accounts

 



The UK’s Department for Work and Pensions (DWP) is gearing up to deploy an advanced AI system aimed at detecting fraud and overpayments in social security benefits. The system will scrutinise millions of bank accounts, including those receiving state pensions and Universal Credit. This move comes as part of a broader effort to crack down on individuals either mistakenly or intentionally receiving excessive benefits.

Despite the government's intentions to curb fraudulent activities, the proposed measures have sparked significant backlash. More than 40 organisations, including Age UK and Disability Rights UK, have voiced their concerns, labelling the initiative as "a step too far." These groups argue that the planned mass surveillance of bank accounts poses serious threats to privacy, data protection, and equality.

Under the proposed Data Protection and Digital Information Bill, banks would be mandated to monitor accounts and flag any suspicious activities indicative of fraud. However, critics contend that such measures could set a troubling precedent for intrusive financial surveillance, affecting around 40% of the population who rely on state benefits. Furthermore, these powers extend to scrutinising accounts linked to benefit claims, such as those of partners, parents, and landlords.

In regards to the mounting criticism, the DWP emphasised that the new system does not grant them direct access to individuals' bank accounts or allow monitoring of spending habits. Nevertheless, concerns persist regarding the broad scope of the surveillance, which would entail algorithmic scanning of bank and third-party accounts without prior suspicion of fraudulent behaviour.

The joint letter from advocacy groups highlights the disproportionate nature of the proposed powers and their potential impact on privacy rights. They argue that the sweeping surveillance measures could infringe upon individual liberties and exacerbate existing inequalities within the welfare system.

As the debate rages on, stakeholders are calling for greater transparency and safeguards to prevent misuse of the AI-powered monitoring system. Advocates stress the need for a balanced approach that addresses fraud while upholding fundamental rights to privacy and data protection.

While the DWP asserts that the measures are necessary to combat fraud, critics argue that they represent a disproportionate intrusion into individuals' financial privacy. As this discourse takes shape, the situation is pronouncing the importance of finding a balance between combating fraud and safeguarding civil liberties in the digital sphere. 


Read more »
Skype call
arrest Cyber Fraud CyberCrime digital scam Fraud Noida online deception Rs 3.7 lakh Skype call

Woman in Noida Swindled of Rs 3.7 Lakh During 7-Hour Skype Call in Recent 'Digital Arrest' Scam

 

A 32-year-old female IT engineer residing in Noida fell victim to cyber criminals who reportedly swindled Rs 3.75 lakh from her during a seven-hour Skype call, where they held her "hostage" and gradually siphoned money from her account.

According to reports, the fraudsters posed as police officers and accused the woman of involvement in drug trafficking, claiming to have intercepted a parcel purportedly sent from Mumbai to Taiwan containing illicit substances.

The victim's husband, Chirag Varshney, disclosed that the incident occurred on February 28. His wife received a Skype call around 10:30 am, during which the criminals coerced her into staying put while they manipulated her into transferring funds under the guise of clearing her of the alleged drug charges.

Varshney explained that despite his presence in the office and his father being at home, his wife was too intimidated to seek help, allowing the fraud to unfold uninterrupted in an adjacent room. The perpetrators allegedly instilled fear in her by threatening harm to family members if she didn't comply.

"After receiving a call from a courier company, my wife was deceived through a Skype call," Varshney stated, adding that the call transitioned to someone claiming to be a police officer who demanded her bank account and family information. The intimidation tactics compelled her to surrender the money.

Initially reporting the incident on a cybercrime portal yielded no results, prompting Varshney to escalate the matter to the police. An FIR has been lodged at the Sector 39 police station, citing sections 420 (cheating) and 506 (criminal intimidation) of the Indian Penal Code, along with section 66D of the Information Technology (Amendment) Act. Additional Deputy Commissioner of Police, Manish Kumar Mishra, confirmed that necessary legal measures are being pursued in response to the complaint lodged by a resident of Amrapali Sapphire in Sector 45, Noida.
Read more »
scam tactics
Cyber Criminals Cyber Fraud Cyber Scam Cyber Threats CyberCrime Delhi cybercrime rise Delhi Police digital house arrest forged letterheads Fraud Online fraud police alert scam tactics

Delhi Police Alerts Citizens to New Cyber Scam

 

Authorities in Delhi are cautioning residents to remain vigilant against a recent surge in cyber fraud cases known as ‘digital house arrest,’ with over 200 incidents reported monthly in the capital.

Described as a serious threat by senior officials, this tactic employed by cybercriminals aims to coerce victims into parting with their money once ensnared in their schemes.

In this scheme, scammers posing as law enforcement officers deceive victims into believing their bank accounts, SIM cards, Aadhaar cards, or other linked documents have been compromised. The victims are then virtually confined to their homes and pressured into paying the scammers.

According to a senior officer from the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police, cases involving amounts exceeding Rs 50 lakh are investigated by their specialized team.

In a recent case, a man preparing for work received a call from someone claiming to be from the Mumbai Crime Branch. The caller accused the victim of involvement in drug trafficking using his Aadhaar card and instructed him not to leave his house during a prolonged interrogation session. The victim, fearing repercussions, complied. Eventually, the scammers gained remote access to his computer, drained his bank account, and vanished.

These fraudsters often employ forged police letterheads and use translation tools to enhance their communication. They specifically target vulnerable individuals, such as the elderly. Victims are urged to immediately report such incidents to the police helpline for assistance.

According to the National Crime Records Bureau (NCRB), cybercrime cases in Delhi nearly doubled in 2022, with reported incidents increasing from 345 to 685. This marks a significant rise from the 166 cases reported in 2020.
Read more »
Security
$10 billion 2023 Americans Cyber Fraud Fraud FTC record loss Safety Security

FTC Issues Alert: Americans' Fraud Losses Soar to $10 Billion in 2023

 

The U.S. Federal Trade Commission (FTC) has disclosed that in 2023, Americans fell victim to scammers, resulting in losses exceeding $10 billion, indicating a 14% surge compared to the preceding year.

In tandem, Chainalysis has reported that ransomware groups had a lucrative year, with ransom payments surpassing $1.1 billion in 2023.

Approximately 2.6 million consumers submitted fraud complaints to the FTC in the previous year, a figure mirroring that of 2022. Notably, imposter scams dominated the reported fraud cases, with noticeable increases in instances of business and government impersonation. Following closely were online shopping scams, trailed by reports related to prizes, sweepstakes, lotteries, investment scams, and business or job opportunity schemes.

According to the FTC, consumers reported the highest financial losses to investment scams, totaling over $4.6 billion in 2023, representing a 21% hike from 2022. Imposter scams accounted for the second-highest reported loss amount, nearing $2.7 billion. In 2023, consumers cited losing more money to bank transfers and cryptocurrency transactions than through all other methods combined.

The FTC added 5.4 million consumer reports to its secure online database, the Consumer Sentinel Network (Sentinel), in the previous year. Identity theft complaints, exceeding 1.1 million, were received through the agency's IdentityTheft.gov website.

Nevertheless, the FTC's data only scratches the surface of the extensive damage inflicted by scammers in 2023, as many fraud cases go unreported.

Victims of fraud are encouraged to report incidents on ReportFraud.ftc.gov or file identity theft reports on IdentityTheft.gov. These reports, upon inclusion in the FTC's Sentinel database, are accessible to approximately 2,800 law enforcement professionals, aiding in tracking down fraudsters, identifying trends, and raising public awareness to thwart scam attempts.

Samuel Levine, Director of the FTC's Bureau of Consumer Protection, emphasized the growing threat facilitated by digital tools, underscoring the importance of the released data in understanding and combating fraudulent activities targeting hard-working Americans.
Read more »
vishing scams prevention
Cyber Fraud Fraud Scams User Data User Safety User Security Vishing vishing scams prevention

Vishing Scams: Here's How to Spot & Defend Against Them

 

Vishing (voice or VoIP phishing) is a sort of cyber attack that uses voice and telephony technologies to deceive targeted persons into disclosing sensitive data to unauthorized entities. 

The information could be personal, such as a Social Security number or details about a financial account, or it could be tied to a commercial environment. For example, fraudsters may use vishing to entice an employee to provide network access information.

In 2022, "38% of the reports submitted to the FTC by consumers ages 80+ indicated phone calls as the initial contact method," according to Ally Armeson, executive program director of Cybercrime Support Network. (Calls were the most popular mode of contact for this age group.)"

"Vishing, also known as voice phishing," Aremson continues, "is a growing threat in the world of cybercrime, particularly targeting the elderly."  

The scam takes advantage of the fact that the elderly are more likely to trust phone contacts by impersonating false charities, appearing as relatives, or pretending to be trustworthy locations like government agencies. 

As a result, sharing credit card information, social security numbers, login credentials, or other valuable data is likely.

How to defend yourself?

  • Take the effort to confirm the caller's identification by visiting the organization's website.
  • Never give up personal or financial information over the phone. Legitimate organizations will never ask for credit card information, social security numbers, or passwords.
  • Do not be hesitant to call into question the legitimacy of unknown numbers. Legitimate organizations will never ask for credit card information, social security numbers, or passwords.
  • Don't be hesitant to question the legitimacy of unknown phone numbers, and be wary of providing important information over the phone without first verifying the caller's identity.
  • Since caller ID can be easily spoofed, don't rely on it alone to decide whether a call is real. I recommend remaining attentive and exercising caution while disclosing sensitive information.
  • Any unknown phone caller should be routed to voicemail so you can screen the call. Remember to notify the FTC of any unusual calls or suspected fraudulent activities at ReportFraud.ftc.gov.
  • In general, do not give any financial or Social Security information over the phone, by text, or via email.  
By following these tips, you can help protect yourself from vishing scams
Read more »
Tips
Authentication Cloud Defense Cyber Security Fraud MFA Multi-Factor Authentication (MFA) Online phishing Phishing Prevention Prevention Privacy Protection Scams Security Tips

Defend Against Phishing with Multi-Factor Authentication

 

Phishing has been a favored attack vector for threat actors for nearly three decades, and its utilization persists until it loses its effectiveness. The success of phishing largely hinges on exploiting the weakest link in an organization's cybersecurity chain—human behavior.

“Phishing is largely the same whether in the cloud or on-prem[ise], in that it’s exploiting human behavior more than it’s exploiting technology,” said Emily Phelps, director at Cyware.

These attacks primarily aim to pilfer credentials, granting threat actors unfettered access within an organization's infrastructure. Yet, successful cloud-based phishing assaults might be more intricate due to the nuanced ownership of the environment.

Phelps explained that in an on-premise scenario, a compromised ecosystem would be under the jurisdiction of an organization's security and IT team. However, in the cloud—like AWS or Azure—a breached environment is managed by respective organizations yet ultimately owned by Amazon or Microsoft.

Cloud Emerges as the Preferred Phishing Arena

As an increasing number of applications gravitate toward cloud computing, threat actors are unsurprisingly drawn to exploit this realm. Palo Alto Networks Unit 42's report unveiled a staggering 1100% surge in newly identified phishing URLs on legitimate SaaS platforms from June 2021 to June 2022.

The report delineated a tactic where visitors to legitimate web pages are enticed to click a link directing them to a credential-stealing site. By leveraging a legitimate webpage as the principal phishing site, attackers can modify the link to direct victims to a new malicious page, thereby sustaining the original campaign's efficacy.

Cloud applications provide an ideal launchpad for phishing assaults due to their ability to bypass conventional security systems. Cloud-based phishing is further facilitated by the ease of luring unsuspecting users into clicking malevolent email links. Beyond SaaS platforms, cloud applications such as video conferencing and workforce messaging are also being increasingly exploited for launching attacks.

The Role of Phishing-Resistant MFA

Among the most robust defenses against credential-stealing phishing attacks is multifactor authentication (MFA). This approach incorporates several security factors, including something known (like a password), something possessed (such as a phone or email for code reception), and/or something inherent (like a fingerprint). By requiring an additional code-sharing device or a biometric tool for authentication, MFA heightens the difficulty for attackers to breach these security layers.

In the event of a user falling prey to a phishing attack and credentials being compromised, MFA introduces an additional layer of verification inaccessible to threat actors. This may involve SMS verification, email confirmation, or an authenticator app, with the latter being recommended by Phelps.

However, as MFA proves effective against credential theft, threat actors have escalated their strategies to compromise MFA credentials. Phishing remains one of their favored methods, as cautioned by the Cybersecurity and Infrastructure Security Agency (CISA):

"In a widely used phishing technique, a threat actor sends an email to a target that convinces the user to visit a threat actor-controlled website that mimics a company’s legitimate login portal. The user submits their username, password, as well as the 6-digit code from their mobile phone’s authenticator app.”

To counter this, CISA endorses phishing-resistant MFA as a strategy to enhance overall cloud security against phishing attacks. Fast ID Online/WebAuthn authentication stands out as a popular option. It operates through separate physical tokens linked to USB or NFC devices or embedded authenticators within laptops and mobile devices.

An alternative approach, albeit less common, is PKI-based phishing-resistant MFA, employing security-chip embedded smart cards linked to both an organization and the individual user. While highly secure, this method necessitates mature security and identity management systems.

While any form of MFA contributes to safeguarding cloud data against phishing, relying solely on commonly used code-sharing methods falls short. Threat actors have devised ways to manipulate users into revealing these codes, often relying on users' inconsistent MFA setup practices. Adopting phishing-resistant MFA and incorporating multiple layers of authentication offers the utmost security against this prevalent cyber threat.
Read more »
Security
Crime Cyber Attacks Cyber Gangs Data Fraud Safety Scams Security

Surge in 'Call Center Gangs' Linked to Organized Crime and Human Trafficking

 

Online, robocall, and other call scams are well-coordinated and often operated by criminal organizations based overseas. These scams primarily target older Americans.

Biocatch, a biometric company, conducted a recent study revealing a significant surge of 200% in call scams between 2022 and 2023. These scams are conducted by "call center gangs" located in Southeast Asia, engaging in various illegal activities, including investment fraud and human trafficking.

“These organized cybercriminal entities conduct a variety of scams,” the Biocatch report found, “including tech support, romance, and investment frauds, often targeting victims internationally and exploiting legal jurisdictional complexities to evade consequences.”

“The disconcerting link between these scams and human trafficking is hard to ignore,” Biocatch warns. 

Further, it added, “Amid the COVID-19 lockdowns, unsuspecting victims lured with job offers are detained in these call centers. Criminal rings are shifting from sex trafficking to human trafficking for scam call centers, with a higher profit margin in cybercrime.”

The primary objective of these scams is to deceive individuals into providing them with money or personal information. It is advised to disregard any unsolicited calls, text messages, or emails received.
Read more »
Security
Cyber Fraud Data Data Safety Fraud Safety Scam Security

The Robotic Falcon Manufacturer Falls Victim to Cyber Criminals, Lost £100,000

 

John Donald, an entrepreneur who sells robotic falcons worldwide, has become a victim of cybercrime during the pandemic, despite his tech-savvy background. 

Donald, a 72-year-old grandfather, revealed that fraudsters targeted his family business when it faced a drastic 95% decline in turnover. Reluctantly, he succumbed to their demands and transferred nearly £100,000 to a fraudulent bank account. The incident caused immense stress for Donald and was described by him as an experience he wouldn't wish upon anyone.

Recent statistics released by Police Scotland indicate a concerning 68% rise in fraud cases since 2018, with a majority of them occurring online. 

Donald's company, Robop, which manufactures robot peregrine falcons for bird pest control, experienced significant setbacks due to the COVID-19 pandemic. It was on a Friday afternoon in December 2020, at around 16:30, when Donald received a call that initiated this distressing ordeal. The caller, speaking with an Edinburgh accent, claimed to be part of a joint banking task force and informed Donald about fraudulent activities in his account.

Initially skeptical, Donald probed the caller, but their extensive knowledge about him and his business convinced him of their credibility. Unable to reach his bank on another phone, Donald's suspicions grew stronger. 

The caller then intensified the pressure, citing a limited time window to resolve the issue due to discrepancies between their system and his. In the course of an hour-long conversation, the fraudsters persuaded Donald to transfer funds between his accounts, leaving him feeling foolish afterward but seeing no alternative at the time.

Fortunately, a friend directed Donald to the Cyber and Fraud Centre, where he sought assistance and Donald's bank refunded the stolen amount six weeks later.

Jude McCorry, the center's CEO, revealed that others had not been as fortunate. She added, "We've seen a recent fraud where there was £700,000 transferred on a property deal that went to the wrong account.

"That involved an individual rather than a company. It was huge and the investigation is still going on. Instead of always reacting to these crimes, we need to look at how we prevent it."

Police Scotland acknowledges that cybercrime is significantly underreported, with the published figures representing only a fraction of the actual problem. 

The detection rate for fraud has halved in recent years, standing at a mere 16% of cases. Assistant Chief Constable Andy Freeburn warned about the increasing involvement of Scottish crime groups in cybercrime and fraud. 

He added, "What we have seen over the last year is emerging serious and organised crime groups operating in that space, trying to exploit the Scottish public through cyber, through fraud, and we are now actively working against those gangs.

"This is something we are not going to arrest our way out of. There is a significant threat in Scotland.

"We are having successes in identifying people and recovering money in consultation with banking and financial partners.

"But we are also improving our prevention messaging, making it very clear to the public how they can help themselves by not giving out details, making sure their software is up to date on their computers and reporting anything suspicious to us."

To address this escalating threat, Police Scotland has allocated an additional £4.3 million to its cybercrime strategy, focusing on acquiring new equipment and providing training to operational officers. 

The force has also developed an ethical protocol for the use of emerging technologies. Meanwhile, John Donald urges the public to recognize the sophistication of cyber scams and recommends keeping the bank's fraud helpline on speed dial while emphasizing the importance of prompt responses from banks when people call these numbers. 
Read more »
Security
Cyber Fraud Data Email Scams Fraud Safety Security

Email Scams v/s Phishing: Here's All You Need to Know

 

Becoming a victim of any crime can be emotionally distressing, financially burdensome, and socially humiliating. While some scams are easily recognizable, others are cleverly disguised, making it difficult to detect that you are being exploited. Scams exist in various aspects of life, encompassing business, taxation, and even identity theft, all driven by fraudulent intentions to take advantage of individuals. The primary motive behind these scams appears to be financial gain. 

Email scams and text scams have become abundant, especially with the widespread use of cell phones in recent times. It is evident that every single one of these scams falls under the category of phishing schemes. 

Phishing tactics are intended to fool you into submitting personal information that the cybercriminal will then use to get access to your financial accounts, steal your identity, download malware, or otherwise cause havoc. These schemes appear and sound like valid requests from legitimate sources, making it difficult to identify them as harmful.

Messages from a credible source urging you to reset your password, a supervisor or colleague asking you to help them out by sending them money, or a merchant offering a fantastic bargain on an item you want are all examples of email phishing. Some fraudsters have grown inventive, sending scary messages that appear to be from a tax collection agency, such as the IRS, with a deadline.

Email is an efficient method for phishing techniques to be exploited, but it is not the only location where they may be found. SMS phishing is currently used by scammers to deceive you into clicking over to a website or form in order to acquire information. Because it is more difficult to determine whether a text message is real than an email message, many individuals get duped in this manner.

Social networking platforms can also be used to spread phishing schemes. They appear to be fantastic deals and offers for cool new goods or services in your neighborhood. If you click the ad, you might be taken to a very professional-looking website. However, once your contact information is disclosed, your identity is jeopardized.

One of the greatest methods to prevent being a victim of an email or phishing scam is to avoid clicking on links or responding to communications from people you don't know. Check the sender's email address to ensure it is real. It never hurts to double-check because professional scammers will establish email addresses that look identical to legitimate ones.

Instead of clicking on a social network link to learn more about a new product, conduct a search on a trusted online shop such as Amazon, Newegg, or Walmart. If the product is decent, it will most likely be sold through legitimate channels.

Similarly, if you read about a company's sale or new subscription opportunity, go to the company's website first before committing to buy. The same deal will very certainly be offered there as well, so you may still take advantage of it.

Because phishing and email schemes are classified as malware, most antivirus programs contain anti-phishing capabilities or enhanced email security. You may enable Bitdefender's capabilities within your email program, whether it's a Google or Outlook account. This will help prevent scam communications from reaching your inbox.

The same can be said with text message fraud. Anti-phishing capabilities in Android antivirus apps reduce the number of SMS-based schemes. Mobile antivirus, like desktop antivirus, will block malware and sites with risks on them, ensuring that your device is not infected with malware and that you are not duped into providing sensitive information to an unknown solicitor.

If you open on a faulty link, the finest antivirus software will prevent you from reaching a harmful page. Furthermore, antivirus software will stop any dangerous file connected to a faulty link, preventing your machine from becoming infected with a bot, worm, or ransomware.

Read more »
Security
Cyber Fraud Fraud Fraudsters Mobile Numbers Safety Scam Security

Police Blocked 20K+ Mobile Numbers Issued on Fake Papers

 

In accordance with a police officer, Haryana Police's cyber nodal unit has blocked 20,545 mobile phones issued on fraudulent and counterfeit paperwork. According to a Haryana police spokesman, the majority of the blocked SIM cards were issued in Andhra Pradesh, with West Bengal and Delhi following closely behind. 

Similarly, the police have detected and reported on the portal more than 34,000 cellphone numbers involved in cyber fraud operating across the state, including 40 hotspot villages in Nuh district. 

“At the same time, the remaining 14,000 mobile numbers involved in cyber fraud will also be blocked soon through the Department of Telecom, Government of India,” the police officials said.

A police official told reporters today that the state crime division is currently monitoring all mobile numbers implicated in cybercrime and is collecting reports from districts on a daily basis. He stated that 102 teams of 5000 Haryana Police officers recently stormed 14 cybercrime hotspot villages in the Nuh district.

“For this reason, at present, Haryana is at the top position in blocking mobile numbers used in cyber fraud. At present more attention is being given to such areas and villages from where cyber fraud incidents are being carried out. Recently, 102 teams of 5000 policemen of Haryana Police raided 14 cybercrime hotspots villages in Nuh district,” he added.

He further stated that Andhra Pradesh has issued the most cellphone numbers implicated in cybercrime, and that they are being used to commit cybercrime in the state.

“Currently, out of the total identified mobile numbers issued on Fake ID, a maximum of 12,822 mobile numbers have been issued from Andhra Pradesh, 4365 from West Bengal, 4338 from Delhi, 2322 from Assam, 2261 from North East states and 2490 from Haryana state. All the numbers are currently operating from different areas of Haryana and the same has been intimated to the Department of Telecom to block them,” he added.

OP Singh, Chief of the State Crime Branch and Additional Director General of Police, stated that the state crime branch, as the state nodal agency for cybercrime, has a team of 40 highly skilled cyber police personnel who have been deployed at helpline 1930 to quickly register reported incidents and collect relevant data.
Read more »
Security
Cyber Security Data Privacy Fraud Medical Recrds Safety Security

Concerns Over NHS Data Privacy After a 'Stalker' Doctor Shared a Woman's Private Details

 

The anonymity of NHS medical records has been called into question after a "stalker" hospital doctor obtained and communicated very sensitive information about a lady who had begun dating her ex-boyfriend regardless the fact that he wasn't involved in her care. The victim was left in "fear, shock, and horror" after learning that the doctor had exploited her hospital's medical records system to look at the woman's GP records and read - and share - private data about her and her children accessible only to a few others. 

“I felt violated when I learned that this woman, who I didn’t know, had managed to access on a number of occasions details of my life that I had shared with my GP and only my family and very closest friends. It was about something sensitive involving myself and my children, about a family tragedy,” the woman said.

The case has spurred worries that any doctor in England could misuse their privileged access to confidential medical records for purposes other than clinical.

Sam Smith, of the health data privacy group MedConfidential, said: “This is an utterly appalling case. It’s an individual problem that the doctor did this. But it’s a systemic problem that they could do it, and that flaws in the way the NHS’s data management systems work meant that any doctor can do something like this to any patient. If you’re registered with the NHS in England, this could happen to you.”

The victim and the doctor,  consultant at Addenbrooke's Hospital in Cambridge, have not been named by the Guardian. The woman was originally perplexed as to how the doctor had obtained very intimate information about her, her sister, and her children, which the doctor then passed to her ex-boyfriend in the early stages of his new connection with the woman last July.

“The doctor said that she had got it from friends, or from people in her choir or parents at my children’s school. That left my sister and I wondering if some of our close friends had betrayed us as we knew that only a few people knew those details. She had an unhealthy interest in us.”

The mystery was answered when Addenbrooke's provided the woman with a full audit of all its staff members who had exposure to her medical information at her request. It was discovered that the doctor viewed her medical information seven times between August and September of last year. The clinician first accessed Epic, Addenbrooke's own hospital medical records system, three times.

She then navigated to a different records system known as GP Connect, which contained comprehensive notes of conversations her former partner's new girlfriend had with her GP regarding the tragic impact of the accident and the well-being of one of her children.

On one occasion, the doctor, whom the woman had never seen, called the victim, asked her name, provided it, and then hung up. The victim felt it was a planned effort by the doctor to demonstrate that she had obtained personal information about her

Addenbrooke's first disputed that its employees could access GP Connect via Epic. However, after a meeting with the victim, its deputy medical director, Dr. John Firth, acknowledged that her full GP records were available. Michelle Ellerbeck, the company's head of information governance, later emailed the woman to thank her for demonstrating that it was possible in case "this inquiry ever comes up again."

Dr. Nicola Byrne, the NHS national data protector for England, offers advice on how to keep patients' information safe and how to utilize it correctly. She stated that she was "concerned about the seriousness of the allegations" when the patient wrote to her about the inappropriate intrusion into her medical history.

Byrne identified the doctor's actions as "absolutely unacceptable" and attempted to comfort patients who may be concerned about the incident by emphasizing that it was the first time she had heard of a medic violating rules governing the secure handling of a patient's medical records in order to gather information about them. She did, however, left open the possibility that others were doing the same.
Read more »
Scam
Cyber Security Data data security Facebook Accounts Fraud Hackers Hacking Safety Scam

Verified Facebook Accounts Being Hijacked to Distribute Malware; Here's How You Can Protect Yourself

 

Hackers have been caught getting into popular verified Facebook pages and using them to distribute malware through adverts on the social media behemoth. Matt Navarra, a social strategist, was the first to notice the harmful effort, exposing the danger on Twitter. 

According to Navarra, whoever is behind the campaign targeted popular Facebook sites first (one of the victims has over seven million followers and has been active for over a decade). If they gained access, they would rename the page something like Meta (Facebook's parent company) or Google. They would then buy an ad on the social media network, targeting page managers and advertising specialists.

“Because of security issues for upcoming users, you can no longer manage ad accounts in the browser,” the ad reads. “Switch to a more professional and secure tool,” the ad concludes, before sharing an obviously fraudulent download link.

There are several issues with this campaign, according to Navarra, including how the accounts were compromised, how Facebook enabled the threat actors to change the page's name to something seemingly related to Meta while keeping the blue checkmark, and how they were able to buy and run ads that clearly redirect the target audience to a shady website at best. 

According to TechCrunch, Facebook has since disabled all of the affected accounts and shut down the malicious activities. It also stated that Facebook pages now disclose whether or not the page has changed its name in the past, and if so, from what, which is a nice move to increase openness. 

“We invest significant resources into detecting and preventing scams and hacks,” a Meta spokesperson told TechCrunch. “While many of the improvements we’ve made are difficult to see – because they minimize people from having issues in the first place – scammers are always trying to get around our security measures.”
Read more »
Voice Cloning
Cyber Fraud data security Fraud Safety Scam Voice Cloning

Is Your Child in Actual Danger? Wary of Family Emergency Voice-Cloning Frauds

 

If you receive an unusual phone call from a family member in trouble, be cautious: the other person on the line could be a scammer impersonating a family member using AI voice technologies. The Federal Trade Commission has issued a warning about fraudsters using commercially available voice-cloning software for family emergency scams. 

These scams have been around for a long time, and they involve the perpetrator impersonating a family member, usually a child or grandchild. The fraudster will then call the victim and claim that they are in desperate need of money to deal with an emergency. According to the FTC, artificial intelligence-powered voice-cloning software can make the impersonation scam appear even more authentic, duping victims into handing over their money.

All he (the scammer) needs is a short audio clip of your family member's voice—which he could get from content posted online—and a voice-cloning program. When the scammer calls you, he’ll sound just like your loved one,” the FTC says in the Monday warning.

The FTC did not immediately respond to a request for comment, leaving it unclear whether the US regulator has noticed an increase in voice-cloning scams. However, the warning comes just a few weeks after The Washington Post detailed how scammers are using voice-cloning software to prey on unsuspecting families.

In one case, the scammer impersonated a Canadian couple's grandson, who claimed to be in jail, using the technology. In another case, the fraudsters used voice-cloning technology to successfully steal $15,449 from a couple who were also duped into believing their son had been arrested.

The fact that voice-cloning services are becoming widely available on the internet isn't helping matters. As a result, it's possible that scams will become more prevalent over time, though at least a few AI-powered voice-generation providers are developing safeguards to prevent potential abuse. The FTC says there is an easy way to detect a family emergency scam to keep consumers safe. "Don't believe the voice. Call the person who allegedly contacted you to confirm the story. 

“Don’t trust the voice. Call the person who supposedly contacted you and verify the story. Use a phone number you know is theirs,” the FTC stated. “If you can’t reach your loved one, try to get in touch with them through another family member or their friends.”

Targeted victims should also consider asking the alleged family member in trouble a personal question about which the scammer is unaware.
Read more »
Scam McAfee
Cyber Data Cyber Fraud Data Safety data security Fraud Scam McAfee

McAfee Invoice Fraud Email Pretending to be a Subscription Renewal Receipt

 

Readers should beware of clicking links in a McAfee invoice scam email that claims to be a "confirmation receipt" for the subscription renewal of the company's products. This email does not come from McAfee Corp. Email scams that use the names of antivirus and security companies are probably as old as the internet, but this particular one for McAfee apparently tried to combine two different threats into one: malware and phishing. 

Snopes reviewed one of the McAfee invoice scam emails. The subject line read, "Confirmation Receipt ID.6030955553." The following message came from an email address associated with uilsducoach.com, not the official company website mcafee.com:
  • Reassure your McAfee is up to date.
  • Check now as it may have ended.
  • Your subscription of McAfee for your computer may ended soon.
  • After the ending date has passed your computer will become susceptible to many different virus and threats.
  • Your PC might be unprotected, it can be exposed to viruses and other malware...
  • You are eligible for discount: -70%*
A malicious URL scanner scan of the links revealed that the email was "hosting malware" and contained a "phishing link."

The link started on an Amazon Web Services page. Vestingsupper.com was one of the redirects. More information was not available at the time this story was published. McAfee has previously published several articles about these types of scams, including details on what to do if you believe you've been a victim of one.

It's recommended, "if you accidentally enter data in a webpage linked to a suspicious email, perform a full malware scan on your device. Once the scan is complete, backup all of your files and change your passwords. Even if you only provided a phishing scammer with the data from one account, you may have also opened the door to other personal data, so it's important to change all the passwords you use online in the wake of a suspected phishing attack."

Malwarebytes and Norton are two other companies that are recommended for malware scans. If readers provided financial information to scammers, such as a credit card number, we recommend contacting that financial institution right away to notify them of the problem. To ensure that scammers do not use the compromised card in the future, a new credit card with a new number may need to be mailed to you in some cases.
Read more »
Subscribe to: Posts (Atom)