Covid-19 and social engineering – a match made in hell

Gilit Saporta, Head of Fraud Intelligence at Simplex, addresses ‘work from home scams’ and how Covid-19 could (and is) potentially increase the number of phishing and social engineering attacks

‘…He said that working from home was really easy, and that I could make more money than what I used to get when I was taking care of older folks. I knew he was a serious employer because he asked for references, and also for my bank account details and my SSN… you hear about people who fall for scams all the time, but I never thought it could happen to me…’

When Maya (names have been changed to protect the privacy of fraud victims) tells her story, it’s important for her to clarify that she was only looking for a chance to make an honest living. For several months, while she was in between jobs, she honestly believed that she was working as a broker for a cryptocurrency investment company. She provided her true personal details, including a photo of her driver’s license, in order to place dozens of Bitcoin purchases. She paid for the Bitcoin with credit cards numbers that were sent to her on weekly spreadsheets (representing the customers of the company, she thought). She forwarded the purchased Bitcoin to the wallet of her employer. She used her own credit card to invest a few thousands of dollars herself, as well.

When Maya asked to withdrawal her earnings herself, she got no reply. Only then, slowly, she began to realise that she had been a victim – and an accomplice – of fraud. She filed chargebacks for the payments made on her credit card, but she neglected to mention the numerous payments she had made using other people’s credit cards. Only later, when contacted by her issuing bank, she openly recounted the events. It was important to her to emphasise that she was a law-abiding citizen.

Home dwellers are natural prey for scammers

As a leader in the field of FIAT to Crypto payment processor, and a licensed Electronic Money Institution, Simplex daily witnesses – and prevents – thousands of social engineering attempts. Simplex’s fraud prevention (powered by machine learning boosted models) detects countless new victims regularly, with the average attacker attempting to steal over USD 7000 per victim (first attacks often aim for roughly USD 2000). Most social engineering attacks viciously target 2 populations: the retired, and the unemployed.

It’s natural for offenders to prefer the elderlies. First and foremost, many senior citizens are not tech-savvy nor internet/crypto-savvy, so they fail to spot signs for scam. E.g., a pair of Canadian scammers convinced their victim that they were customer-care representatives, simply by creating a Twitter account with the handle of @HitBTCAssist. The scammers were successful enough to book a trip to Las Vegas and hit the casinos, before being arrested at the airport.

The second reason for scammers to ‘favour’ elderlies and non-working victims in general is that they are usually free (and often eager) to make long, friendly, phone calls or email/chat correspondences. This is where social engineering artists find their opportunity to shine. As social beings, we are naturally programmed to seek interaction and affirmation from others. Older generations might also consider it their duty to politely listen fully to what their counterparty has to say. Sadly, this plays right into the hands of social engineering masters.

... and then came Covid-19

Why do scammers love it when we’re all stuck at home? They have all the reasons in the world. Millions of teachers, students, caregivers, etc. now spend the better part of their day with their screens to keep them company (both for work/school and for pastime). Most of them are not adequately aware of internet-safety. Many of them are already flooded with emails and direct messages, as they are adjusting to work-from-home mode. It won’t be too difficult for a scammer to find schoolteachers who would install remote control malware, or share student private info, while thinking that they’re installing Zoom.

Moreover, Covid-19 leaves many of us home alone with uncertainty about our financial future. It’s still difficult to estimate how many jobs will be lost during this crisis, but one thing’s for sure – phishing and work from home schemes are already here. In quarantined Israel, for example, phishing schemes which promise free food coupons at a large grocery stores chain are currently flourishing and the rate of new work from home posts on local social media groups has tripled within a month.

Whether we’re already experiencing financial difficulties or if we’re only anxiously looking towards the future, we are all clearly feeling like a fish out of water these days. We may feel bewildered at the fast-evolving reality, swamped with fake news and easily distracted (parents are practicing a whole new level of multi-tasking these days). Honestly, many of us are probably exhibiting the behaviour of senior citizens these days.

Cryptocurrency scammers use work from home workers to launder stolen funds

So, the bad news is that humanity is extra sensitive to social engineering during this crisis. The good news is that several of the high-risk industries of ecommerce and fintech have accumulated years of experience in battling these scams. In cryptocurrency, which was long perceived as the holy grail for fraudsters, EU regulators, together with large exchanges, payment processors and financial partners, were pushing for safety measures long before Covid-19 took over. Nimrod Lehavi, CEO for Simplex, writing for FinanceMagnates, describes how regulators perceive the threat of social engineering on cryptocurrency ecosystem: 

‘For exchanges, who are able to deal in fiat, the necessity of abiding by transparency regulations and rules becomes a significant chore. For such exchanges, proper processes of Know Your Customer (KYC) and Anti Money Laundering (AML) are a lifeline to legitimacy that must not be broken…’

Because of unfortunate data breaches of the last decade, attackers currently have access to so much compromised personal data, that they easily undertake massive attacks … Regulators of 2020 are painfully aware of the massive data breaches of the former decade. The large early breaches, such as the 3 billion 2013 breach at Yahoo, were not necessarily the worst ones … The most severe breaches of the second part of the decade were those which were almost immediately tied with increased fraud and money laundering rates around the world: 143 million records data breached at Equifax in 2017, then in 2018 and early 2019 a series of significant data breaches in Marriot, CIBC, First American Financial Corp and Facebook, affecting over 1 Billion records in total…

Armed with rich stolen personal data, fraudsters perfected a common trick called Smurfing: instead of the same person creating multiple accounts, they use a single broker, with money laundering completed by using it to make multiple transactions to unsuspecting individuals who don’t know they’ve helped the fraudster diversify. When ‘smurfs’ and money-mules are recruited to the aid of the fraudster, detecting illegitimate activity becomes even trickier, because the innocent ‘smurfs’ do not exhibit malicious indicators. North America and EMEA are equally prone to the risk of social engineering, with dozens of fake websites going live on a daily basis to lure in unsuspecting ‘smurfs’.

Stay safe – health-wise, fintech-wise, cyber-wise

It's clear that cryptocurrency related services, who have already honed their fraud (and money laundering) prevention capabilities, are quite aware and well equipped to fight for our safety during this crisis. The example of Simplex, as a payment processor offering multiple flows, shows that the more sensitive payment options requires stronger defences. E.g. there are traditional mechanisms to protect users from the classic fraudster who attacks Simplex’s buy-crypto-with-credit-card flow, and then there are the mechanisms to protect Simplex’s Account onboarding flow, which allows both SEPA transfers and sell-crypto transactions. The latter option, being a stronger financial tool, has a strong appeal to social engineering attackers, which means top-notch identity protection on Simplex’s side.

Still, even with the best protections from payment processors and merchants, the safety of the internet can really be revolutionised through raising user awareness. Perhaps one last silver lining is that the younger generation, who currently can’t go to school, might get a valuable lesson on internet safety. Better yet, if you have a millennial in your area, this might be a good time to ask them to give a call to their grandparent, ask how they’re doing and have a talk about phishing awareness. Stay safe!

About Gilit Saporta

Gilit Saporta, Head of Fraud Intelligence at Simplex, has been  combating fraud since 2005, mentoring and leading teams for FraudSciences, PayPal and Forter. As member of RiskSalon.org leadership, co-host of FraudFightersIL meetups and member of TLV Cyber Week FraudCon steering committee, Gilit’s passion is knowledge sharing across risk organizations worldwide.

About Simplex

Simplex.com is an EU licensed fintech company that provides worldwide fraud-free payment processing and accounts services in the FIAT to Cryptocurrency ecosystem. With a proven track record in high fraud markets, Simplex’s technology enables crypto platforms to process online payments with complete fraud protection, smooth user experience and chargeback coverage.