Keeping Information Security Simple – Top Lies: Spy Balloons, Earthquakes, and Romance Scams

Letter from the CISO, Vol 2 Issue 9

Washington University Community:

Rule #1: Be Vigilant, Skeptical, and a Little Paranoid

Cybercriminals and scammers are constantly changing and adapting, trying new ways to take advantage of us. Therefore, I return to the one thing I challenge you to do – be vigilant, skeptical, and even a little paranoid. And to help some friends and family members to do the same.

Scammers always take advantage of news cycles

No matter what the news is – spy balloons, devastating earthquakes in Turkey, or the war in Ukraine – malicious actors are continually adapting in hopes of scamming people, one way or another. That said, some scam themes are more permanent fixtures than others.

This letter arrives too late for Valentine’s Day, but hopefully, it will still help you avoid a broken heart, an empty wallet, or public humiliation. Tax season is upon us, ushering in the annual increase in fraud. The Federal Trade Commission (FTC) recently released a report on the top lies told by romance scammers. It’s a quick read, but let me highlight a few important points and share some ideas for protecting yourself, your friends, and your family.

Everyone is looking for romance

The FTC report focuses on how scammers use romance to build trust and relationships before patiently taking advantage of their victims. The opening lines often claim to be from someone far away, for example, in the military, or on an oil rig or ship. Often the social media profile shows an attractive person. I have a strong ego, but I always find it more than a bit suspicious when an attractive young fitness instructor from a foreign country (or anywhere) reaches out to be my friend on Facebook, LinkedIn, or other social media platforms.

While many scammers want to make a quick buck, some are very patient and will spend a lot of time building a strong relationship. The stronger they can make the relationship, the better they can take advantage of you.

Isolating the victim from intervention and support

The scammers often try to move the conversation off social media channels, which may be monitored, and onto Telegram or other encrypted messaging apps, to make their con more difficult to detect.

They also try to isolate the victim from talking with friends and relatives about the relationship, offering some plausible-sounding reason to keep it private: they are of different ages, from different backgrounds, or whatever else they think might work.

Because these scammers can be so attentive and caring, many victims have great difficulty figuring out that they were conned, even after their bank accounts are empty, and the scammer’s “love interest” has disappeared. I saw one report where the victim said the scammer had been “the best and most caring girlfriend he had ever had,” even when acknowledging that the “girlfriend” was probably a male con artist.

Fleecing the sheep

Upon establishing trust, the next step in the con is to start extracting money in one of many ways. The most popular is requesting money because the “love interest” is sick, hurt, or in jail. The second most popular is an offer to help with investing, usually starting with modest bragging about how well they are doing. Sometimes they need help with an important delivery, and other times they are eager to share some money or gold they found or inherited. Scammers are skilled at hiding how you are about to get ripped off.

For example, they might share an image from a bitcoin investing website that shows how they made a great deal of money. They might suggest you go to the same website and invest a little money, and it will appear that you are making a lot of money, too.

And this is where the scammers become nasty, engaging in what is indelicately known as “pig butchering.” In short, they gradually encourage the victim to invest more and more, showing bigger and better returns, until they’ve gotten everything they can. But, as soon as the victim wants to withdraw some funds, there are delays and sometimes fees that need to be paid. And more delays and more fees. This tactic has been used to con retirees out of millions of dollars, often their entire life’s savings.

And watch out for “sextortion…”

The FTC also mentions that the line “You can trust me with your private pictures” is a favorite for people planning to extort money from you to prevent the disclosure of your private (intimate) photos.

Just this morning, I heard about a 15-year-old boy who was friended on Instagram and, over time, was convinced to share a few non-private, non-intimate photos. Unfortunately, they were then photo edited to make them appear sexually compromising and shared with all the boy’s connections when he refused to pay an extortion demand.

What Should We All Do?

I hope this discussion hasn’t frightened you or made you feel helpless because there are things we can all do to prevent attacks on ourselves, our friends, and our families.

By reading this far, you are already forewarned and therefore forearmed. Share this information with your friends and family – you are almost certainly more expert than everyone around you!

Please encourage them to join us in being vigilant, skeptical, and even a little paranoid. Be especially supportive of teens, tweens, and the elderly. Emphasize the importance of checking with trusted friends and family members when in doubt, preferably before falling victim, but as soon as possible if you do fall victim. In some cases, the FBI can retrieve funds if they are notified quickly.

My mother fell victim to a scam a couple of years ago. Fortunately, we got the money back because it was through a credit card purchase. But now I have her bank accounts set up to notify me via text regarding every charge over $1.00. It makes for a fair number of messages, but I quickly recognize the usual legitimate charges and can investigate the others promptly.

Thank you for reading, helping your friends and family, and being members of the university’s information security team!

Good luck, and be careful out there!

-Chris Shull, CISO