Beware of Impersonators

BY LISA KAHLER

Iassume you’ve heard of phishing, identity theft and hacking. But have you heard of “social engineering”? This term has two meanings: the development of society and future societal change (the social sciences) and scammers impersonating trusted officials to steal people’s money (information security).

My friend “Fatima” was recently scammed. During a virtual staff meeting, her second monitor started blaring. A big white pop up appeared, the noise/alarm wouldn’t stop. Turning down the volume, she soon switched to her phone until the meeting was over.

Like most of us on a busy weekday afternoon, my friend’s schedule was full. When she finally had time to focus on her muted monitor, Fatima read the screen and called the number it displayed for Apple support. The person who answered verified that he was with Apple. The representative was obviously “off-shore” — very common for support centers — so she wasn’t concerned. She was transferred to Apple’s fraud department, which asked about her online banking accounts and the name of the bank most used. Informed that all her online accounts, emails and cellphones had been hacked and were being controlled by cyber thieves, she was advised to hang up so they could call her back on a secured line. The agent called back, told to remain on that line at all times and neither make nor receive any other calls.

After the agent transferred Fatima to Chase, her primary online bank, she was put in touch with its fraud department. The representative confirmed that her account had been hacked and several thousands of dollars had been removed from her checking account to purchase porn — an illegal activity that’s considered a felony. The agent told Fatima to remain on hold while he prepared and filed a report immediately with the FTC to document the fraudulent transactions. Finishing this in a few minutes, he then transferred her to the designated FTC representative in New York City.

The FTC representative, “Mike,” said he’d be handling her case and would communicate directly with her banks. He remarked that speed was essential to document her statement, help prove her innocence and track down the criminals. She was told to remain on the secured line at all times, using the speaker, and not to talk to others as thirdparty voices would make the evidence inadmissible in court filings. And finally, Mike told her, the fraudulent charges made would need to be duplicated in the exact same amounts to quickly track down the culprits.

You may be thinking “This sounds rather odd” — and you would be correct. Essentially, the scammers were preying on her belief in the “system,” the authorities, her incomplete understanding of cybersecurity measures and her naivety.

Unfortunately, for the next few hours she followed instructions: withdrawing the funds and sending them via cryptocurrency to re-deposit them in a secure location. After making the final transaction at the end of the business day, Mike said he would call her the next day and update her about the transactions status on locating the hackers.

At the beginning of this ordeal, Fatima had texted her supervisor that her computer had been hacked and that she’d be unable to work until she resolved the issues. Mike became irate, saying that any communications with third parties would compromise the FTC’s investigation and the recorded documentation.

When she went home, her teenage son “Sammy” said he’d tried to call her several times that afternoon and was worried that she hadn’t picked up. Before leaving the house, she had left him and his sister notes on their desks: “Internet hacked, don’t use computer.” Upon catching the tail end of her conversation with Mike, Sammy realized she’d been scammed.

He insisted that they go to the police station immediately and file a report. When the officers on duty arrived, they told their story. The police captain listened patiently, jotted down a few facts and said they would check out the phone numbers the scammers had used. He also advised Fatima that people report such scams every day and there was little the police could do, as the phone numbers were most likely temporary, Fatima had withdrawn the funds willingly, the cryptocurrency was legally sent and it would be almost impossible to identify the end receiver.

When Mike called her, Fatima handed her phone to the captain, who started talking with the scammer. Mike repeatedly asked to talk to Fatima. After the policeman identified himself as an officer, Mike still brazenly asked to speak to Fatima and insisted that he would call her back in the morning to update her on his investigation.

Back home that evening, the captain called Fatima and said that none of the phone numbers used that day could be traced, except the one used by the cryptocurrency company, which was a legitimate number registered in the U.S.

Fatima’s son told her to file a report with the Internet Crime Complaint Center (IC3), a collaboration between the FBI and the National White Collar Crime Center (NW3C) at www.ic3.gov. While there is little to no chance of getting the money back, these incidents can be investigated and the resulting data may help prevent future crimes.

WHAT DID FATIMA LEARN? God is the best of planners. The money she lost was from a recent inheritance, not part of her daily living funds. In the end, it wasn’t meant for her.

While the situation was traumatic and made her feel emotionally exposed, her son was very supportive. In fact, it actually helped rebuild their fragile relationship.

Although this was a case of fraud, her banks refused to even note it because she’d withdrawn and transferred the funds willingly. Fortunately, she hadn’t given any personal financial information, so the scammers couldn’t access to her funds directly.

HOW TO PROTECT YOURSELF According to the FBI’s 2021 Internet Crime Report, over 300,000 individuals in 2021 reported being victims of social engineering attacks, with over $45 million in losses. There are things you can do to prevent this from happening to you. ➤ Reach out. If an (extended) family member is tech savvy, designate him/her as your cybersecurity point person. Have him/her investigate the family’s systems and explain the overall workings to them in simple terms. Empower him/her, even if a youngster, and rely on his/her advice. This trust may help him/her develop confidence and a better family relationship. Install a security program on all digital devices. ➤ Change passwords regularly; use password protection, manually monitor online banking and credit cards and check regularly for discrepancies; educate yourself on existing scams; and don’t rush or blindly follow any tech support advice, calls or emails. Wait and ask your family expert or a trusted friend for advice.

FILING A COMPLAINT Report all such attacks: fraud (https:// reportfraud.ftc.gov/), identity theft (https:// www.identitytheft.gov/#/), computer or network vulnerabilities (www.us-cert.gov or 1-888-282-0870 [hotline]), forward phishing emails or websites (phishing-report@us-cert. gov), online crime victim (www.ic3.gov), Social Security Number theft (https://oig.ssa. gov/report-fraud-waste-or-abuse/ or 1-800269-0271 [hotline]), consumer complaint with your state attorney general (https://www. consumerresources.org/file-a-complaint/).

If you are a teacher or a school administrator, do the following: ➤ Inform students and staff at the beginning of the year of common cyber dangers (similar to other stranger danger programs), among them scams, bullying and hacking; establish appropriate and inappropriate (e.g., bullying, stealing and threats) conduct and protocols. ➤ Designate appropriate employees that students and staff can go to discuss their cyber- and IT-related concerns (e.g., prevention, training, maintaining and updating systems, reporting and providing tech information and investigating incidents). ➤ Arrange social and emotional support (e.g., provide safe spaces to talk, vent, complain, report and heal), handle the aftermath of a crime, emotional trauma and moving beyond. ➤ Provide discipline and legal assistance (e.g., guidance in reporting, determining the incident’s seriousness and when a crime may have been committed), support for the perpetrators and the victims, be they students, staff or community members. ➤ Initiate public relations (e.g., communicating with the school or broader community when incidents happen, maintaining student and staff privacy, dealing with the parents and community’s right to know, educating the school and general community on prevention and train students and staff to deal with such a situation through role playing). ➤ Be suspicious, don’t open or click on suspicious/unknown messages, protect and change passwords often, and “see something / say something.” ➤ Implement the following protections: develop school/board policies for those who are involved in serious attacks, either as victims or perpetrators; protocols for obtaining legal advice and counsel; understand pertinent local, state and federal laws for cybercrime; and develop effective relationships with law enforcement for reporting crimes, lodging complaints and assisting with legal investigations. ih