Email the Introduction to Financial Cybercrime
One of the most common means of initiating financial cybercrime is through email. Even though email is a relatively new means of introducing criminals to victims, it is based on a centuries-old approach. Many of the financial cybercrimes today are not unlike the stock market Ponzi scams from the last century. The primary focus of these scams was, and currently is, the use of social engineering to prey on the victim’s emotions. There is nothing new in this approach. For example, when looking at what often drives stock prices, CNNMoney uses the fear and greed index. This considers the emotional forces that drive stock prices; excessive fear drives a stock price down; excessive greed moves the stock price up. In either case, the baseline value of the stock is irrationally discarded based on investor emotions powered by fear or greed.
Social engineering in the financial cyber context is too driven by fear or greed. These campaigns target victims based on the irrational fear that they will lose something of great value, their house or savings; or greed that they will miss an opportunity and be poorer as a result. A good indication of a fraudulent email is when you are told this is the last chance or you only have one more chance. Fraud is always initiated by an immediate call to action. The tax season is a great example. Often, there are targeted email messages focused on how you need to access a website or download a file to help you save taxes now before it is too late, the greed aspect. On the other hand, there will be emails letting you know your back taxes are overdue, even if you do not have any, and the IRS will foreclose immediately. That is, unless you access a website, call a fake hotline, or download a file, the fear aspect. The best way to combat these campaigns is through education and common sense. Education would include understanding that there is nothing immediate about IRS actions. Understanding is looking first at the sender’s email address. If the email sender is “joesconstruction.com” and the subject is the seizure of your property by the IRS, then the email is not from the IRS. Common sense is knowing that the IRS will not threaten people, and no one is sending the police to arrest you for your back taxes, non-existent or real.
Other popular fears and greed scams are targeting business loans or real estate sales transactions. The scams have included stimulus funds for the SBA Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which includes the Paycheck Protection Program (PPP) and the Economic Injury Disaster Loan (EIDL) program. The scam themes are sign up here for the easy way to be at the head of the line when applying for your loan, or you are preapproved, and time is running out on this great deal. The fear component is often used in such terms as the money is all but gone; you will miss out if you do not apply here. What would happen is that the criminals with your financial data would apply for the loan on your behalf and keep the money or a large part of it for the fee. In terms of real estate transaction fraud, these may not fit into the fear and greed category. The fraud requires the scammer to follow the transaction electronically. When the transaction is to close and the funds are to be transferred, the scammer will insert themselves in the email chain, announcing an immediate change. Again, there is the urgency component; the deal will fall through, you will lose the deal, if you do not send the money to the new bank or new title company; these are all frauds. In this instance, you need to validate the change. The first consideration is do not call the phone numbers on the new documents. Go to the original parties of the loan, the original agents, bankers, and title companies, call their phone numbers from the original documents, and talk directly with the originating officials. In most instances, you are in conversation with the bank lender, and exchanging documents and information should not be a change in the process. Again, the requirement is to always closely validate the sender’s email address, recognizing that a scammer often changes only a letter or two to make a unique email address. Another dead giveaway that the transaction is a scam is if the payment for whatever service is cryptocurrency. Most legitimate businesses will not accept cryptocurrency.
In these examples and many more, fear and greed are powerful emotions that, when used, can drive people to act irrationally and impulsively. One of the reasons we get these emails is because they work; there is a hit ratio. Meaning out of every five million random emails sent out, a percentage will respond, and from that number, another percentage can be compromised. These scams are often categorized as Business Email Compromise (BEC) attacks, Investment Fraud, Phishing/Spoofing, just three of the 26 crime types. In the FBI Internet Crime Complaint Center (IC3) Report for 2024, these three were responsible for 262,768 complaints with $9.4 billion in losses. In 2024, total losses were $16.6 billion, with these three types accounting for 56% of all monetary losses.
Another scam affecting businesses is Tech Support Fraud. This type of scam relies on fear. In this case, the target will receive an email from someone posing as a service technician, or there is an email informing the business that there is a software vulnerability that needs to be closed, or there is dangerous out-of-date software, etc. The point of these notices is to present a problem and then to offer a solution through their technical support for a fee. At best, the scammer will do nothing but collect money for nothing. The most likely outcomes are that the scammer will have the target download malware, and then the attacker will own the target’s computer. In 2024, the FBI IC3 received about 36,002 Tech Support Fraud complaints, translating into $1.5 billion in losses. The actual number for all these numbers is most likely much higher than what is reported.
In 2024, the reported complaints to the IC3 totaled 859,532, of which 256,256 complaints experienced an actual monetary loss. These losses represented a loss of $16.6 billion, and the 2024 loss represented a 33 percent increase over 2023. Cyber criminals are not going to disappear as long as there is money to be made by leveraging human feelings and emotions to override common sense and good judgment. The hacker industry is non-stop in separating people from their money. The most effective way to combat these and related attacks is through education. It is to know when the email calls for immediate action, there is a crisis, there is an emergency, there is an immediate change in the transfer of money, it is a scam. It is knowledge that is the best defense.