Letter from the CISO, Vol 4 Issue 4
WashU Community:
Whether you are a leading-edge user of online financial payment apps or a traditionalist who loves a signature on a paper check, malicious actors are out to separate you from your money.
In the September 12, 2024 issue of Hacking Humans, “Baked goods and bad actors,” the hosts describe malicious actors abusing both the most modern payment applications and traditional paper checks.
First for the payment apps
Payment apps are great for paying people you truly know and have met in person.
BUT, for all others, beware!
Unlike credit cards, most payment applications provide absolutely no protection against fraudulent charges. If a malicious actor cons you into transferring money to them via Zelle, Venmo, CashApp, PayPal, or Remitly, there is no way of recovering the money.
Think of it this way – these apps are called cash payment apps for a reason. Using them is like handing cash to someone else without a contract or receipt. So, if a stranger walks up to you on the street and asks for $100, handing them $100 cash is the equivalent of transferring it to them via one of these apps.
The same is true if someone who looks like a friend or family member walks up to you, wearing a mask, and asks you for money and you hand it to them. Even if your family member asks you for money, and as you are handing it to your loved one, an extra hand pops up and takes it, the money is gone!
Therefore, always be sure to transfer money via these apps only after verifying in multiple different ways that the account is really theirs, AND that they are still in control of it. For me, this means calling them on the phone and validating their account information.
All this said, if you are going to use this kind of app, CNBC has a good article on “The top money transfer apps for sending money between friends, family and small businesses.”
But how can paper checks be abused?
The classic movie “Catch Me If You Can” starring Leonardo DiCaprio, Tom Hanks, and Christopher Walken (and if you haven’t seen it, please do so soon!) provides a lot of information about the traditional ways of forging checks. It includes the ways people used to “wash” checks and how hard it was to print good forgeries of checks. Technology has made this much easier, leading to a surge in check fraud.
One common con is to send someone a check for more than the amount owed, and then ask for the overage to be returned. The forged check is good enough that your bank will accept it, and the money will show up in your account. But 2 or 3 days later, the check will bounce, and the funds will be removed from your account. The forgeries are so good that there are many stories of people being suspicious, taking the check to their bank, and being told it looks fine. But it still bounces when it is processed fully.
A typical scenario we’ve seen frequently at WashU is when an “employer” offers a student a job and sends them a check to pay for a computer and other work supplies. The employer specifies a vendor to use, which the student then pays with their credit card (or worse, via a cash payment app!). By the time the check bounces, the student’s payment is unrecoverable.
Another frequent con involves the malicious actor sending a payment for something you’re selling online, but paying too much, and then asking for a refund of the balance. This is particularly suspicious when the payment comes via a check or (stolen) credit card, but the refund is requested via a payment app.
Call to action
In all of these cases, my constant plea to be vigilant, skeptical, and a little bit paranoid will go a long way to protecting you.
To quote Harold Finch in the TV series “Person of Interest”, “It’s not paranoia if they’re really out to get you.”
And if you know more about cyber security than your friends – and if you’ve read this far, you probably do – please share this information with them, and then help them put it to use.
If you need help with any of these ideas, please contact the Office of Information Security.
Thank you for reading my column and being a member of the university’s Information Security team!
Good luck and be careful out there!
-Chris Shull, CISO