Successful layering

Scams can be extremely sophisticated, yet for many people, a typical scam is a Nigerian prince asking for help to launder money or a desperate, and dare I say naive, scammer who was talked into holding an ‘I can’t believe it’s not butter’ sign, hoping this would get them some funds. But the reality is much darker. Good scammers are very good at psychology and often design frauds by layering different fraud techniques, all designed to complement each other for greater success. For example, scams that evoke visceral influence (fear, panic or greed) will usually also have time limits attached to them (e.g. the offer expires, you have 24 hours etc.). This is to ensure that the potential victim has no time to regain composure. Under visceral influence, careful deliberation is compromised and we tend to focus on superficial things, like the size of the reward, the attractiveness of the offer or even the scammer, many of whom are polished, charming and will appear trustworthy. Any inconsistencies will be disregarded in favour of these superficial cues, because when people are under visceral influence, they are likely to focus on goals associated with that influence. This is why you are always told not to go shopping for groceries hungry, and it’s equally true of acting on anything when intense fear or excitement has been evoked.

Scams that appeal to social norms often use altercasting too. Altercasting is another persuasive technique, where a perpetrator will put a victim in a specific role that is congruent with their goals. For example, I have seen advance fee scams that use narratives where either an orphan girl, a widow or even a pastor appeals for help (social norms) and the victim is placed in the role of a friend or a confidante, where the perpetrator will trust the victim with confidential or deeply personal information before asking for funds down the line. By that time the victim has been acting as a friend or an advisor and this role is likely to help facilitate the fraud, because they will be more likely to help.



Scammers often layer persuasion techniques for greater impact.

In conjunction with other individual factors, these techniques can be very effective.

 

Other factors also come into play. Different circumstances, for example, have been known to influence compliance in certain scam situations, as have certain individual characteristics, such as lack of vigilance or impulsivity. For example, if you are down on your luck, looking for work and you are running out of money, you will be more likely to take risks and consider financial opportunities that don’t look very sound. You may be more likely to concentrate on potential rewards instead of any negatives associated with high return investments. If you are also more compliant in general, it is even more likely that, when persuaded to do so, you will decide to go along with something you have some reservations about. Or if you are more impulsive, you may act quickly, without allowing the time to think about your decision. All of these factors combine (or layer) to produce a unique vulnerability score.

Many frauds are still relatively simple, such as a badly constructed phishing email that will bring a smile to your face, but many are far from simple. It all comes down to how good the scammer is, how motivated they are to develop highly credible looking, psychologically designed frauds that create highly persuasive situations, and how they go about executing them. The more effort they invest, the more lucrative the venture will be, so it’s good to be vigilant and not underestimate what fraudsters are able to do by concentrating only on badly designed scams that are easy to spot.

Good customer service can make your organisation vulnerable to social engineering attack?

Many companies invest a great deal in security systems but very little in training their staff. They feel that having protocols in place means that protocols will always be followed and that this offers robust protection against fraud. This is not true. Humans are extremely vulnerable to social engineering attacks and employees trained to follow protocol are no exception to this. If you don’t believe it, please read and watch this.

So what is social engineering in terms of fraud? It can be defined as a deception to manipulate and coerce individuals into divulging confidential or personal information, which is then used for fraudulent purposes. Not everyone is equally susceptible to social engineering attacks. My own research found that some people are more compliant, impulsive or less vigilant and those traits will make them more likely to succumb to fraudulent attacks. Understanding and addressing these vulnerabilities is the key to fraud prevention. Equally, detecting and understanding scam techniques used in social engineering attacks is also extremely important. See this example – induced urgency (baby crying) will encourage a customer service agent to rush decisions and likely compromise the company protocol. This is not an employee problem. Everyone is vulnerable to social engineering attacks under certain circumstances. Continuous education and awareness are the keys to tackling this problem.

Just as it is important to understand how your employees can be vulnerable to social engineering attacks, it is also important to understand that any decision or protocol implemented by an organisation may create a loophole or an opportunity for fraudsters to infiltrate the system. Take customer service, for example.

Expecting excellent customer service from your employees is desirable, but can make it easier for fraudsters to compromise your protocols.

It has become customary to ask customers for feedback each time they receive a service or contact customer service for help. This feedback often leads to incentives for employees providing customer service and frequently may also be used to penalise employees that have unsatisfied customers. The reality is that you cannot please all of the people all of the time and customers can sometimes demand impossible things. But having these ‘feedback systems’ in place can influence how your employees behave when they provide customer service and this can compromise the safety of customers and affect your company’s reputation. For example, if a customer is unreasonable and wishes to source some personal information details they forgot or misplaced, would you expect your employees to breach company protocol to make that customer happy? Probably not, right? But if you also have systems in place where your employees are always monitored and encouraged to have an impeccable customer satisfaction record, you create anxiety and encourage company protocol to be broken to achieve this. And this makes you an ideal target for any fraudster that wishes to source personal information that will likely be used for fraudulent activities somewhere else.

It is likely that these types of attacks will be happening more and more. They are extremely lucrative to criminals and can often lead to customers’ bank accounts being compromised and funds stolen, therefore a lot of effort goes into designing these attacks. This can leave your organisation open to lawsuits in the future. Don’t assume basic training and protocol is enough to protect your organisation from social engineering. Always seek better preventative measures, keep on top of new fraud techniques and never underestimate what fraudsters are capable of doing.

 

Nigerian scams are still very much alive

Nigerian or advance fee (419) scams have been around for decades. They usually contain a story of a bank official who has spotted an account with funds that are unclaimed and needs someone to help him get the money out of the account without it being in his name. This is somewhat illegal and he needs the help of someone who can receive the money in their account and be paid for it. Sometimes it is a royal person, a distant prince, a rich widow unable to leave money to anyone, someone dying of cancer with wealth to give away and so on. Once the victim replies, they request conversations, befriending the victim, and eventually ask for fees to process legal papers. The victim never sees the money they were promised. Worse still, sometimes the victim will receive a fake cheque and cash it, wire the money to the person that is asking them to launder money and then find out the cheque was fake after a few days, losing the funds they sent.

Sometimes victims are not even after money but simply believe they are helping the person, as the stories are often elaborate. In the past, Nigerian scams were executed via postal means, incurring a cost to the scammer. With the invention of the fax and the phone, they became more prevalent, and the Internet finally allowed them to become almost an everyday occurrence for most people while not costing much to execute. Research also suggests that they are now so well known that they are purposely used to identify the most vulnerable victims, whose details are then sold to other scammers too.

Recently I have been contacted by someone asking me to warn about a scam purporting to be a girl from a refugee camp, but upon reading the email, I realised it was a spin-off, a Nigerian type scam with a new twist to fit the current times. Briefly, the story is about a girl who is in a Syrian refugee camp and needs someone to help her get the money that her late and wealthy father deposited in the bank. This is a complex story and I decided to explain why it is complex and how it is written with a view to persuade in the future. The initial email asks only that the victim listens to the story, but even acknowledging the email might be dangerous if you are uncomfortable saying no. Here is why:


The story starts with an account of how the girl lost her mother and father to a violent murder and her subsequent life in a refugee camp. She prays to get out of her situation. Without explaining what she wants from the victim yet, she asks for trust and not to be betrayed and asks to know more about the potential victim. This part is likely to elicit empathy towards her situation - who would not feel empathy when someone tells you about their parents' murder? Asking to know about you is likely to induce feelings of familiarity and closeness, as if you are friends, once you share this information, and people help their friends. She asks for trust and not to be betrayed. You may not think about these words at this point, but when the request comes you may feel uncomfortable saying no, because you will feel as if you are betraying her, despite the doubts you might feel.

persuasive elements in Nigerian type scams

The second part tells more about her situation in the camp and the pastor who is helping her to email a random person across the globe. It also gives the pastor's telephone number. The victim will probably not use it, but if they do, it will add credibility to the story. The endearments used are to evoke feelings of closeness, as is the mention of the secret - we tell secrets to those we are close to, so the potential victim might feel privileged they were entrusted with the secret. She then explains about her father's fund that contains millions, that she cannot access, and makes a request.

Scammers often put victims in a position of trust, by making themselves appear vulnerable. This gives the victim a feeling of power but in reality, the scammer holds all the strings. The girl in this story follows up by reminding you that she requested you to be trustworthy. Scammers are good at altercasting.
Altercasting, a persuasion technique, is where a person puts the victim in a specific position, often targeting the ego of the person (calling for a man of vision, for example) or social norms (understanding and honest people). These types of scams often don’t ask for more than a few details and for the recipient to respond to correspondence, which is also a known scam technique. Once invested, it’s harder to back out.

Microsoft research argues that Nigerian type scams are still around and purposely say they are from Nigeria because everyone knows about them. Therefore those that respond and engage with these types of scams are likely to be extremely vulnerable, which means they will, sadly, be a sure thing for a scammer. Their details are harvested and sold to other scammers who will further exploit them. If you have elderly or isolated neighbours, especially if they are not so internet savvy, talk to them about scams. Often knowing something about scams can be enough to protect someone from becoming a victim.