You’ve been chatting with someone on a social media site, and things seem to be going well. So well that you’re already talking finances. The person asks you to conduct a simple transaction at your bank on their behalf. Wanting to build a trusting relationship, you, of course, agree. Things must be serious, right?
In reality, your finances and cybersecurity could be in serious trouble. Not to sound alarmist, but each day, cyber criminals are practicing what’s called social engineering — tactics that deviously manipulate people into compromising their cybersecurity by voluntarily sharing confidential information.
How can you help prevent yourself from falling victim to social engineering? Take an active role in your cybersecurity with proactive steps to inform yourself of the latest social engineering tactics. (A healthy level of skepticism is also good to have.) So, go on, get yourself ready to spot cyberattacks.
What is social engineering?
Simply put, social engineering is when scammers use deception to obtain personal information from a person and use it for fraudulent purposes.
Fraudsters can commit social engineering in numerous ways, but in most instances, they manipulate you into giving them confidential passwords, bank account information, or other sensitive information. They might also ask for access to your computer. If you grant permission, they can gain control of the machine and install malware or software that gives them the ability to see all your account login information and passwords.
Anyone can be a target of a social engineering scam. In 2019, the Federal Trade Commission received more than 1.7 million reports of social engineering fraud, which resulted in $1.9 billion lost. Keep in mind, in some cases, you can be held accountable for the fraud loss and possible “money mule” activity (meaning, the transfer of stolen money) — while the con artist gets away with the money. So, stay vigilant!
And the victims aren't always who you think. Younger and more savvy people are reporting social engineering more than older counterparts. A recent study from the Federal Trade Commission reveals that millennials in their 20s and 30s are 25% more likely to report money lost to a social engineering attack than people 40 and over. It’s a surprising statistic that demonstrates your cybersecurity should remain a priority regardless of your age.
What are some common social engineering tactics?
You’ve probably heard about the one where an overseas prince named you a beneficiary in their will and needs your financial information to transfer your inheritance. It’s a common social engineering technique.
But you might not be familiar with the following tall tales that scammers hope will swindle you out of thousands, or even tens of thousands, of dollars.
The sweetheart scam
Popular online dating sites are where the magic happens these days. And, by their nature, social media sites make it easy to stay in touch with friends while reaching out to meet new ones. But how well do you know the new acquaintance or possible new flame who just friended you? Cyber criminals often use both roles to perpetuate this scheme.
The con artist acts romantically interested in an unsuspecting person but often will say they’re living outside the U.S. for reasons like working on an oil rig, in the military, or as a doctor with an international organization. Once a trusting relationship has developed, romance scammers will ask their targets for money to pay for things like a plane ticket, surgery, gambling debts, or a visa and other travel documents.
These cyber criminals will then ask you to pay by wiring money or with reloadable cards like MoneyPak or gift cards from vendors like Amazon, iTunes, or Steam. Not only are these payment methods major red flags, but they allow the scammers to get cash quickly, remain anonymous, and the transactions are nearly impossible to reverse.
The new account scam
Paying someone to open and manage a bank account sounds crazy, but it’s another social engineering tactic and cash grab. A con artist may get a person to open a new account and then ask them to make deposits, transfer money to others, or provide account and routing numbers. At some point, the con artist can then write checks without sufficient funds in the account, leaving the unsuspecting account owner holding a bag of expensive overdraft charges.
The overpayment scam
This con can occur with various types of business transactions. Generally, the scammer pretends to be interested in purchasing something the victim (a person or business) has advertised — for instance, a vacation rental or a used car. The scammer “accidentally” pays with a check for more than the agreed price and asks the victim to simply wire the excess amount. Once the victim has done so, the original check will bounce. This might result in the victim losing the payment, the excess amount they wired, and, sometimes, the sold item, too.
The reason this scam can work is because it takes time to realize a check is counterfeit. In addition, wire transfers are especially difficult, if not impossible, to reverse or trace.
The quid pro quo scam
A quid pro quo scam is exactly what it sounds like: A scammer asks for personal information in exchange for a free gift, like a t-shirt, tickets to a show, or other prize item. In most cases, the “gift” will be fake, won’t come through, or will be poor quality — whatever it is, the scammer makes off with a piece of personal information, and the victim is left to deal with the damage.
Some con artists may hack or impersonate email and other electronic communication channels from reputable companies, trustworthy entities, and banks to obtain usernames, passwords, and credit card details. When phishing, hackers cast a wide net, often sending messages to hundreds at a time, and they may use an email address that appears legitimate.
Another popular phishing method on social media starts with a standard email notification: “Somebody just tagged you in some new photos from your recent party.” You click to check it out, which takes you to a Twitter or Facebook login page. You enter your account info, and a cybercriminal now has control of your account with your username and password. How did this happen?
Both the email and the landing page were fake. And that link you just clicked took you to a page that only looked like your intended social site.
Spear phishing scam
Spear phishing, in contrast, is highly targeted and focuses on a single individual. Hackers do this by pretending to know you through your social media and other information they find online. It’s much more personal: Well-researched targets receive an email, text, or other electronic communication that appears to be from a known or trusted sender, like a friend.
Often, spear phishing can come in the form of an email that appears to be from a friend claiming that, while traveling overseas, they’ve encountered a problem and need money to be wired (this is a typical red flag) with a promise of repayment when they return. Another common practice is for the hacker to text victims and claim that they are a friend or family member with a new number. And after establishing a level of trust, they may request money or more.
Pretexting is essentially when a scammer pretends to be someone else in order to get information out of a victim. The scammer can pose as a trustworthy person, like a co-worker or bank representative, or they might appear to be a stranger, like a telemarketer. The scammer's goal with pretexting is to gain the victim’s trust — and unfortunately, they can be quite good at it, so be wary if asked to give any personal information over the phone.
Current event and get rich quick scams
Recent times have taught us that would-be fraudsters will leverage current events like COVID-19 and other hardships to appear more legitimate or take advantage of those who are already susceptible.
Any get-rich-quick promises, low-risk “golden opportunities,” and ads across the web and social media for “new credit identities” are most likely scams. Crafty cyber criminals are just exploiting a vulnerability at a time that many people are feeling a monetary squeeze.
Oftentimes, schemers will also leverage new technology like the money-sharing apps Venmo, Cash App, or Zelle, which let you send and receive money through your smartphone. In the case of a scam, you may get an unexpected email or text message that asks you to send money via one of these apps. Before logging into the app to doublecheck your requests, you click the link. But there is no matching request and the email or text is just the latest version of a phishing scam.
How can you protect yourself against social engineering?
Most importantly, be wary of anyone you don’t know and of any request that makes you feel uncomfortable. (Your gut can tell you a lot!) Never give anyone your bank account information, access to your computer, or your email login credentials. Don’t take money (i.e. checks, electronic payments, etc.) from strangers and transfer that money somewhere for them. Apps like Venmo are unlikely to call or email you to request that you provide a password or verification code for your account outside of the app. And downloading a digital file from someone you don’t know or blindly clicking on a shortened, odd URL on Twitter (and other social media sites) is also a no-no.
These scams aren’t sophisticated, so your level of protection is more about paying attention. Data security programs or high-tech measures employed by your financial institutions are important to help protect your digital data. But simply being mindful — and skeptical — about the situation can help keep your money and bank accounts more safe and secure.
If you receive a phone call or an email that sounds similar to one of these popular rip-offs, ask yourself the following questions:
Do you know this person? Can you confirm their identity?
Did you meet this person online? Are they trying to manipulate you emotionally (i.e., make you feel sad and/or bad for them)?
Have you shared any personal account information with them?
Is the person asking you to send money to them?
Does the email address seem off? Does the website name or address contain spelling errors or strange letters/ numbers?
Does what you hear sound too good to be true?
Regular account monitoring is also a good best practice to help you spot any fraudulent activity early on. This process means checking your transactions before that monthly statement rolls into your inbox. To make tracking and monitoring a bit easier, many banks allow you to set up fraud alerts, transaction alerts, and/or card controls.
At Ally Bank, we offer our debit card customers the Ally Card Controls app, which allows you to control where and how your card is used and easily monitor your card’s activity. You can also set up specific merchant categories or transaction type controls, giving you greater control over your card’s activity.
Now that you know what to look out for — you can get back on that social media site armed with a healthy level of skepticism for (and knowledge of) scammers.