A couple of years ago, I got a call on my mobile phone from a number I didn’t recognize. I picked up the phone and heard an automated message from the IRS about a problem with my account. It said to dial 1 for a callback. I did. That started my journey down the psychological rabbit hole of a scam.
I am a cybersecurity and fraud protection specialist. I knew it was a scam call, but I wanted to get a glimpse into the tactics of these scammers. When they asked for personal information to check my account, I gave them fake data, and, surprisingly, they found a problem with my account. It escalated very quickly from “someone made a transaction that doesn’t seem right” to me (the false identity I provided) being accused of money laundering and drug smuggling, having an FBI warrant out on my (fake) name, and the FBI actually being “on their way to my home” (in Texas, where I don’t really live). It was scary. I gave them fake information, and yet within less than ten minutes my heartbeat went up and I felt the stress, anxiety, and fear. I had to hang up, worrying that they might have my phone number now.
It’s All About (Your) Money - IT Scams, Romance Scams, Authorized Push Payment Scams
A lot has been said about online financial scams: socially engineering a victim into an act they never intended, in order to commit identity and financial theft. Roughly 59.4 million Americans have lost money to phone scams over the past year. About 19% fell victim more than once, driving the total to $29.8B from phone scams alone. Some examples of such scams include:
- Personally Identifiable Information (PII) Harvesting. These scams are designed to trick you into providing personal information to criminals who will later sell it on the dark web to other criminals who use it in identity theft schemes such as new account opening fraud.
- One-Time Passcode (OTP) Theft. Stealing a one-time passcode from a legitimate account holder so that the cybercriminal can complete a payment from an account that has been taken over.
- Remote Access Tool Scams. These scams, also known as IT scams, occur when a cybercriminal persuades you to install an application that allows them to remotely take over your device to “help you” with nonexistent IT problems, only to later access your bank account from what the bank sees as a known device.
- Authorized Push Payment Fraud. These scams are designed to convince the victim to transfer their life savings to a cybercriminal who impersonates a financial institution, a government official, or even a lover.
Who’s responsible to compensate victims?
The financial industry and governments in some countries have been debating whether the victims of such scams should be refunded when these scams result in financial losses. After all, many of these scams happen outside the scope of the banking application, but is refunding the victim simply the right thing to do?
In the UK, half of the banks agreed to abide by a code of practice called the contingent reimbursement model (CRM) in May 2019. This model is designed to refund those who have complied with certain obligations before and during the payment process, and to provide a consistent response to victims. In the US, recent guidance by the CFPB states that financial institutions are required to reimburse their customers when any unauthorized funds transfers are made from the consumer’s account. The new guidance effectively expands the sphere of reimbursable scenarios to include situations where the victim is coerced into sharing their account login information, such as a one-time passcode (OTP), with cybercriminals.
But what about the emotional toll?
Let’s be honest, being scammed is not something anyone is proud of. In fact, what is not discussed enough is the emotional toll these scams take on their victims: the tremendous amount of shame and guilt. Thinking “How could I be so stupid, so naïve? Why didn’t I listen to all the red flags? I should have known better.” Well, the reality is that scammers can be very convincing. They target, well, anyone who will pick up the phone, click the link in a phishing email, or respond to a text. And once someone takes the bait, they use psychological tactics ranging from fear to delight (“you’ve won this amazing cruise for free, just give me all of your personal information”) and even hypnosis.
Victims of such scams are often assumed to be the less tech savvy, the more vulnerable, or the elderly, but the reality is that it can happen to anyone. They can catch you on an “off” day and get through. We have even heard from fraud experts who fell for these scams. It’s time to take shame out of the picture! Anyone can become a victim, and we need to do more to give anyone who fell victim to a scam the confidence to speak up and get help.
What can I do if I was scammed?
First, you are not alone. Don’t let the shame take over. Instead, take action. Here is some advice by the U.S. Federal Trade Commission for a number of situations:
- If you paid a scammer: Call your bank or your credit card company. They will guide you through the next steps.
- If you gave them personal information: Report a case of identity theft to your official authorities.
- If you gave them your credentials: Change your passwords and enable Multi-Factor Authentication wherever possible.
- If a scammer has access to your computer or phone: Call your company (for work devices) or your carrier and report the problem, ensure your security software is up to date, and check that there is no suspicious activity on your account.
Can something be done to protect consumers even if they got scammed?
The good news is that the answer is YES! Financial institutions can deploy controls that distinguish a legitimate applicant from a cybercriminal using stolen PII at account opening, detect account takeover, and even detect signs of coercion during a scam in real time.
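As an added illustration (not code from this post or from any bank), the block below sketches how such a real-time control differs from a plain "known device" check. It scores a payment session on constructed signals that map to the scam types listed above: a remote-control process on the device (IT scam), an OTP entered while a call is in progress (OTP theft), and a large transfer to a newly added payee (authorized push payment fraud). The `PaymentSession` fields and the thresholds are assumptions for this example, not any vendor's telemetry.

```python
from dataclasses import dataclass

# Field names are assumptions made for this example, not any bank's real telemetry schema.
@dataclass
class PaymentSession:
    known_device: bool              # device previously enrolled by the customer
    remote_control_active: bool     # screen-sharing / remote-control process seen on the device
    call_in_progress: bool          # a phone call was active while the OTP was entered
    new_payee: bool                 # payee was added during this session
    amount: float
    typical_monthly_outflow: float  # baseline spend used to judge the amount

def device_only_check(session: PaymentSession) -> str:
    """Weak control: trust the session because the device is known.
    An IT (remote access) scam passes this check by design."""
    return "allow" if session.known_device else "step_up"

def coercion_signals(session: PaymentSession) -> list:
    """Signals that the customer may be acting under a scammer's instruction."""
    reasons = []
    if session.remote_control_active:
        reasons.append("remote_access_tool")              # IT scam pattern
    if session.call_in_progress:
        reasons.append("otp_entered_during_call")         # OTP-sharing pattern
    if session.new_payee and session.amount > 2 * session.typical_monthly_outflow:
        reasons.append("large_transfer_to_new_payee")     # APP fraud pattern
    if not session.known_device:
        reasons.append("unknown_device")                  # account takeover pattern
    return reasons

def decide(session: PaymentSession) -> tuple:
    """Hardened control: device trust plus coercion signals. 'hold' means pause the
    payment and contact the customer through a channel the caller does not control."""
    reasons = coercion_signals(session)
    direct_coercion = {"remote_access_tool", "otp_entered_during_call"}
    if direct_coercion & set(reasons) or len(reasons) >= 2:
        return "hold", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons

# Constructed sessions for illustration, not real customer data.
IT_SCAM = PaymentSession(known_device=True, remote_control_active=True, call_in_progress=True,
                         new_payee=True, amount=9500.0, typical_monthly_outflow=2000.0)
ROUTINE = PaymentSession(known_device=True, remote_control_active=False, call_in_progress=False,
                         new_payee=False, amount=120.0, typical_monthly_outflow=2000.0)
```

The same IT-scam session is allowed by `device_only_check` but held by `decide`, which is the gap the "known device" trick in these scams exploits.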
Tune in to our latest episode of Digital Tells and hear industry thought leaders discuss why there is so much scam activity these days and what financial institutions are doing to better protect themselves and their customers.