Don’t be fooled by social engineering

You’ve been chatting with someone on a social media site, and things seem to be going well. So well that you’re already talking finances. The person asks you to conduct a simple transaction at your bank on their behalf. Wanting to build a trusting relationship, you, of course, agree. Things must be serious, right?

In reality, your finances and cybersecurity could be in serious trouble. Not to sound alarmist, but each day, cyber criminals are practicing what’s called social engineering — tactics that deviously manipulate people into compromising their cybersecurity by voluntarily sharing confidential information.

How can you help prevent yourself from falling victim to social engineering? Take an active role in your cybersecurity with proactive steps to inform yourself of the latest social engineering tactics. (A healthy level of skepticism is also good to have.) So, go on, get yourself ready to spot cyberattacks.

Simply put, social engineering is when scammers use deception to obtain personal information from a person and use it for fraudulent purposes.

Fraudsters can commit social engineering in numerous ways, but in most instances, they manipulate you into giving them confidential passwords, bank account information, or other sensitive information. They might also ask for access to your computer. If you grant permission, they can gain control of the machine and install malware or software that gives them the ability to see all your account login information and passwords.

Anyone can be a target of a social engineering scam. In 2019, the Federal Trade Commission received  more than 1.7 million reports  of social engineering fraud, which resulted in $1.9 billion lost. Keep in mind, in some cases, you can be held accountable for the fraud loss and possible “money mule” activity (meaning, the transfer of stolen money) — while the con artist gets away with the money. So, stay vigilant!

And the victims aren't always who you think. Younger and more savvy people are reporting social engineering more than older counterparts. A recent study from the Federal Trade Commission reveals that millennials in their 20s and 30s are 25% more likely to report money lost to a social engineering attack than people 40 and over. It’s a surprising statistic that demonstrates your cybersecurity should remain a priority regardless of your age.

You’ve probably heard about the one where an overseas prince named you a beneficiary in their will and needs your financial information to transfer your inheritance. It’s a common social engineering technique.

But you might not be familiar with the following tall tales that scammers hope will swindle you out of thousands, or even tens of thousands, of dollars.

Popular online dating sites are where the magic happens these days. And, by their nature, social media sites make it easy to stay in touch with friends while reaching out to meet new ones. But how well do you know the new acquaintance or possible new flame who just friended you? Cyber criminals often use both roles to perpetuate this scheme.

The con artist acts romantically interested in an unsuspecting person but often will say they’re living outside the U.S. for reasons like working on an oil rig, in the military, or as a doctor with an international organization. Once a trusting relationship has developed, romance scammers will ask their targets for money to pay for things like a plane ticket, surgery, gambling debts, or a visa and other travel documents.

These cyber criminals will then ask you to pay by wiring money or with reloadable cards like MoneyPak or gift cards from vendors like Amazon, iTunes, or Steam. Not only are these payment methods major red flags, but they allow the scammers to get cash quickly, remain anonymous, and the transactions are nearly impossible to reverse.

Paying someone to open and manage a bank account sounds crazy, but it’s another social engineering tactic and cash grab. A con artist may get a person to open a new account and then ask them to make deposits, transfer money to others, or provide account and routing numbers. At some point, the con artist can then write checks without sufficient funds in the account, leaving the unsuspecting account owner holding a bag of expensive overdraft charges.

This con can occur with various types of business transactions. Generally, the scammer pretends to be interested in purchasing something the victim (a person or business) has advertised — for instance, a vacation rental or a used car. The scammer “accidentally” pays with a check for more than the agreed price and asks the victim to simply wire the excess amount. Once the victim has done so, the original check will bounce. This might result in the victim losing the payment, the excess amount they wired, and, sometimes, the sold item, too.

The reason this scam can work is because it takes time to realize a check is counterfeit. In addition, wire transfers are especially difficult, if not impossible, to reverse or trace.

A quid pro quo scam is exactly what it sounds like: A scammer asks for personal information in exchange for a free gift, like a t-shirt, tickets to a show, or other prize item. In most cases, the “gift” will be fake, won’t come through, or will be poor quality — whatever it is, the scammer makes off with a piece of personal information, and the victim is left to deal with the damage.

Some con artists may hack or impersonate email and other electronic communication channels from reputable companies, trustworthy entities, and banks to obtain usernames, passwords, and credit card details. When phishing, hackers cast a wide net, often sending messages to hundreds at a time, and they may use an email address that appears legitimate.

Another popular phishing method on social media starts with a standard email notification: “Somebody just tagged you in some new photos from your recent party.” You click to check it out, which takes you to a Twitter or Facebook login page. You enter your account info, and a cybercriminal now has control of your account with your username and password. How did this happen?

Spear phishing, in contrast, is highly targeted and focuses on a single individual. Hackers do this by pretending to know you through your social media and other information they find online. It’s much more personal: Well-researched targets receive an email, text, or other electronic communication that appears to be from a known or trusted sender, like a friend.

Often, spear phishing can come in the form of an email that appears to be from a friend claiming that, while traveling overseas, they’ve encountered a problem and need money to be wired (this is a typical red flag) with a promise of repayment when they return. Another common practice is for the hacker to text victims and claim that they are a friend or family member with a new number. And after establishing a level of trust, they may request money or more.

Pretexting is essentially when a scammer pretends to be someone else in order to get information out of a victim. The scammer can pose as a trustworthy person, like a co-worker or bank representative, or they might appear to be a stranger, like a telemarketer. The scammer's goal with pretexting is to gain the victim’s trust — and unfortunately, they can be quite good at it, so be wary if asked to give any personal information over the phone.

Recent times have taught us that would-be fraudsters will leverage current events like COVID-19 and other hardships to appear more legitimate or take advantage of those who are already susceptible.

Any get-rich-quick promises, low-risk “golden opportunities,” and ads across the web and social media for “new credit identities” are most likely scams. Crafty cyber criminals are just exploiting a vulnerability at a time that many people are feeling a monetary squeeze.

Most importantly, be wary of anyone you don’t know and of any request that makes you feel uncomfortable. (Your gut can tell you a lot!) Never give anyone your bank account information, access to your computer, or your email login credentials. Don’t take money (i.e. checks, electronic payments, etc.) from strangers and transfer that money somewhere for them. Apps like Venmo are unlikely to call or email you to request that you provide a password or verification code for your account outside of the app. And downloading a digital file from someone you don’t know or blindly clicking on a shortened, odd URL on Twitter (and other social media sites) is also a no-no.

These scams aren’t sophisticated, so your level of protection is more about paying attention. Data security programs or high-tech measures employed by your financial institutions are important to help protect your digital data. But simply being mindful — and skeptical — about the situation can help keep your money and bank accounts more safe and secure.

Regular account monitoring is also a good best practice to help you spot any fraudulent activity early on. This process means checking your transactions before that monthly statement rolls into your inbox. To make tracking and monitoring a bit easier, many banks allow you to set up fraud alerts, transaction alerts, and/or card controls.

At Ally Bank, we offer our debit card customers the Ally Card Controls app, which allows you to control where and how your card is used and easily monitor your card’s activity. You can also set up specific merchant categories or transaction type controls, giving you greater control over your card’s activity.

Now that you know what to look out for — you can get back on that social media site armed with a healthy level of skepticism for (and knowledge of) scammers.