What Happens When the Same Old Scam Meets New Technology?
Con artistry is nothing new. Even the Garden of Eden featured one of the world’s first successful con artists. But throughout history, they’ve taken on many different forms. Today’s con artist looks less like the serpent and more like your next door neighbor. So what is any human to do?
For years, “if it sounds too good to be true, it probably is,” was a good enough mantra to keep you safe. Most con artists had to earn your trust by interacting with you on a personal level, learning your strengths and weaknesses, and then exploiting the relationship for personal gain. It was surely a time-consuming process with a considerable risk of failure. As such, the con artist had to pick his or her victims very carefully and constantly adapt to avoid raising any red flags.
Then technology came along. Suddenly, “interacting” could be done on a massive scale in less time and with less risk. Instead of the con artist seeking out the victim, the victim essentially seeks out the con artist. A scammer can craft one story, distribute it to thousands of people and then sit back and wait in anonymity until the perfect victim responds.
Welcome to the world of phishing and vishing. Nearly everyone today has experienced it in some form or another. In simplest terms, phishing is an attempt to trick someone into giving away personal or sensitive information via some form of electronic communication (usually email). Vishing, short for “voice phishing,” is the telephone-based equivalent. Generally, there are two key elements of trust that these types of scams exploit to be effective – reputation and plausibility.
For instance, let’s say a person gets an email purporting to be from Chase Bank and it requests a password reset. If that person is both a Chase Bank customer and has an online banking account, the sender of the email would appear to be highly reputable and the content highly plausible. As a result, the recipient would be very likely to go ahead and follow the instructions in the email. This is precisely what the scammer is (excuse the pun) banking on. There is really no need for him to even know exactly where to find a Chase customer. Because Chase is such a widely used bank, he can blindly send a phishing email to 100,000 random people and the odds are high that many of them would happen to fit the exact criteria needed for it to appear trustworthy.
At the end of the day, phishing and vishing are just higher tech ways to deliver a very low tech con. Like any other con they aim to earn your trust. But rather than use any type of sophisticated targeting, they simply play the “numbers game” to find potential victims.
How can I protect myself?
In my 15+ years in the IT business, I have come across thousands of phishing and vishing scams. They generally all follow a certain pattern that I can now spot very quickly. However, to the untrained eye this is often much more difficult. Here are some of the most serious red flags to watch out for if you get an unsolicited email or phone call:
- No mailing address. Since the CAN-SPAM Act of 2003, email marketers in the US have been required by law to identify themselves with a legitimate physical address somewhere in an email (usually at the bottom). Any caller who can’t provide a mailing address when asked is also automatically suspicious.
- Caller won’t provide a call back number or name of their department within the company.
- Caller calls over and over at short intervals and doesn’t leave a voicemail if you don’t answer. Most legitimate callers will eventually leave a voicemail, and even if it is a scammer the voicemail will give you more time to investigate who the caller is.
- Person tells you there is a problem, and then asks you for personal information or money to solve it. If you get a call or email from someone claiming to be from Microsoft, your bank, the IRS, or any other large company or institution asking you for personal information or money in exchange for solving a problem, you should immediately have your guard up. The chances such a request would ever be legitimate is virtually zero. So if you experience this, hang up the phone or ignore the email. Then contact the company directly using a phone number you know to be legitimate. Be extra careful when using Google to find phone numbers for companies – scammers frequently buy up ad space there to try trick people into calling them instead. As a result, it is recommended that you obtain contact information directly from a company’s official website rather than from Google’s search pages.
- Email address of sender doesn’t match the company domain name. We’ve seen this one time and time again. Let’s say you get an email that looks like it’s coming from Microsoft. If you look carefully at the “FROM” line in the header of the email, you should see “Microsoft.com” somewhere in there. If you see anything else, there is a good chance it either isn’t from Microsoft or it is far less important than it claims to be (e.g. marketing material). Sometimes scammers will also use close variations, such as “MicrosoftTechSupport.com”. These should still be considered highly suspicious, as most reputable companies will send emails from a domain name that is either the same or very similar to the one they use for their official website. Scammers on the other hand usually use domain names that aren’t even close, and that is a dead giveaway.
- Email contains excessive spelling or grammatical errors. Many scams originate from abroad, and if the sender claims to be from a US-based company this would be an even larger inconsistency.
- Scare tactics. If a caller or emailer repeatedly uses words like “urgent” or “warning”, this is an immediate red flag. Most legitimate contacts would use more than one form of communication to reach you about a matter of such extreme importance. So you would likely get some combination of a snail mail letter, a call and an email rather than just one call or email that seems to be imploring you to listen. Most companies, especially banks, request several forms of contact information to keep on file for precisely this reason. Be mindful of what that contact information is and be wary of any supposedly urgent requests that don’t fully utilize it to reach you.
Are there any services that use technology to automatically identify phishing and vishing scams?
Yes, but most of them have limitations. Almost all modern email providers have “spam” filters. However, they are designed to focus primarily on unsolicited marketing emails rather than scam emails. As a result, they don’t come with many options. Generally they will either filter a message out or they won’t. So while they might be effective against some scam emails, when a suspicious email does sneak through to your inbox, they won’t provide any further analysis.
A similar issue exists with apps that are designed to block “robocalls”, such as Robokiller or NoMoRobo. These apps are geared mainly towards stopping telemarketing calls and will usually either block calls completely or allow them to go through.
Such limitations are what inspired our new email-based app, ScamCheck.Me. The service is designed to make it incredibly easy for anyone to determine if an email is a scam. It can analyze any forwarded email message and reply automatically in minutes with both an analysis and a recommended course of action. Because it is entirely email-based, you don’t need to install any software or app to use it. Just sign up, and you can begin forwarding emails like you would to a friend. There is a plan that allows you to get a human analysis of suspicious emails as well.
Deciding whether an email is legitimate or not can be a very important choice with lasting consequences. What makes ScamCheck.Me truly unique is that rather than choosing for you, it simply empowers you with the information you need to make a more informed decision. Even if you are already adept at identifying scam emails or have other email security measures in place, it is a great tool to bring your email defenses up to the next level.
The digital age allows one scammer to have thousands of different faces and tell thousands of different stories to thousands of different people. But you don’t have to fall for any of it. Underneath all of that is just a simple old-fashioned con. So always know who you’re talking to, be vigilant, be street smart, and above all – stay safe out there!