Hacks and Exploits for the New Year

The holiday season and the new year will bring new scams from the hacker industry. The primary focus of these scams is to use social engineering to prey on the target's emotions. There is nothing new in this approach. For example, when looking at what often drives stock prices, CNNMoney uses its Fear & Greed Index. It considers the emotional forces that move the market: excessive fear drives prices down; excessive greed drives prices up. In either case, the underlying value of the stock is irrationally discarded in favor of investor emotion, powered by fear or greed.
Social engineering in the cyber context is likewise driven by fear or greed, and these campaigns are targeted at victims through one or the other. The tax season is an example. Very soon, there will be email messages telling you to access a website or download a file to help you save on your taxes; that is the greed aspect. On the other hand, there will be emails informing you that your back taxes are overdue, even if you have none, and that the IRS will seize your property unless you access a website, call a fake hotline, or download a file; that is the fear aspect. The best way to combat these campaigns is through education and common sense. Education starts with looking at the sender's actual email address, not just the display name. If the sender's address, for example, is at "joesconstruction.com" and the subject is the seizure of your property by the IRS, then the email is not from the IRS. Common sense is knowing that the IRS does not initiate contact by email, does not threaten people, and is not sending the police to arrest you for back taxes, whether non-existent or real.
Other popular fear-and-greed scams target business loans. The most popular target is the stimulus funding of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), administered by the SBA, which includes the Paycheck Protection Program (PPP) and the Economic Injury Disaster Loan (EIDL) program. The scam themes are "sign up here for the easy way to be at the head of the line when applying for your loan" or "go through this company to get the loan you need." The fear component is often phrased as "the money is running out; you will miss out if you do not apply here." Email lists of business owners are easy to obtain, and often the scammer will apply for a loan without the knowledge of the legitimate business owner. Companies are now offering to assist with the loan application process for a fee, even though the application process is free and relatively easy. When corresponding with the SBA, the first thing to do is validate the sender's email address; if it is not "[email protected]," there is a problem. Another thing to do is call the office and validate the contact. The same holds true for commercial bank loans. In most instances, you are already in conversation with the bank's lender, and exchanging documents and information should not come as a surprise. Again, the requirement is to always closely validate the sender's email address, recognizing that a scammer often changes only a letter or two, adds a hyphen, or buries the real domain inside a longer one to make a unique address that passes a quick glance.
In these examples and many more, fear and greed are powerful emotions that, when exploited, can drive people to act irrationally and impulsively. One of the reasons we keep receiving these emails is that they work; there is a hit ratio. Out of every five million random emails sent, a small fraction of recipients will respond, and a fraction of those can be compromised. When the target is a business, the FBI groups these scams under Business Email Compromise (BEC). In the FBI Internet Crime Complaint Center (IC3) Report for 2020, BEC led in reported losses, with about 19,400 complaints and losses of over $1.866 billion. A dead giveaway that a transaction is a scam is a demand that payment for whatever service be made in cryptocurrency or gift cards; very few legitimate businesses, and no government agency, require payment that way.
Another scam affecting businesses is Tech Support Fraud, which relies on fear. In this case, the target receives an email from someone posing as a service technician, or an email informing the business that it has a software vulnerability that must be closed, dangerously out-of-date software, or the like. The point of these notices is to present a problem and then offer the solution, the sender's own technical support, for a fee. At best, the scammer collects the fee and does nothing. The more likely outcome is that the scammer talks the target into installing remote-access software or malware, after which the attacker owns the target's computer. In 2020 the FBI IC3 received about 15,400 Tech Support Fraud complaints, translating into $146 million in losses. The actual figures are most likely much higher than what is reported.
In the new year, the expectation is that both BEC and Tech Support Fraud will increase. Ransomware attacks will also increase; ransomware is the one that seems to get all of the attention. The attackers will not disappear as long as there is money to be made by leveraging human emotions to override common sense and good judgment. The hacker industry never stops separating people from their money. In the 2020 IC3 figures, the top category by reported loss was BEC at $1.866 billion, followed by confidence fraud and romance scams at $600 million. Tech Support Fraud accounted for $146 million and ransomware for $29.1 million, an admittedly low estimate that excludes downtime, recovery costs, and unreported incidents. The most effective way to combat these and related attacks is education. Knowing how to recognize these scams for what they are is the best defense.