Don't let them fool you

Criminals are perfecting "police method" scams. They even impersonate the Polish Central Bureau of Combating Cybercrime (CBCC). Earlier this year, emails purporting to come from the CBCC urged recipients to download antivirus software. The link in the message led to a fake website hosting a file with the .bat extension; running it could modify or delete the data stored on the computer, or send that data to other machines.

Recognizing that the email was fake was not hard. The message contained misspellings, the sender address was not the CBCC's, and the legitimate-looking web address in the link was preceded by an unrelated domain, troadsecow.com, which is where the link actually pointed. Even so, many people were tricked.

Why? Because social engineering, the favorite tool of modern cybercriminals, worked.

Social engineering attacks do not require exceptional technical skill from the perpetrators. Psychology plays the major role, especially the art of manipulation. The easiest way to manipulate a victim is to impersonate an institution of public trust: the police, the tax office, public insurance, and so on. The attacker's goal is usually to obtain the victim's online-banking login details, or to persuade the victim to transfer money to an account the attacker indicates.

A social engineering attack usually consists of several elements whose common denominator is playing on emotions:

- making the victim feel threatened (e.g., with the loss of money or important data)

- gaining the victim's trust (by impersonating an institution of public trust: the police, a tax office, a bank, etc.)

- creating time pressure (you must decide quickly to avoid the danger)

- offering to solve the problem if you cooperate (your money will be safe if...)

- urging the victim to perform specific actions (e.g., providing login details, transferring money to the indicated account)

Scammers use various channels to reach the victim: from the simplest, an e-mail with a dangerous link, through text messages and popular instant messengers, to the more advanced method of phone spoofing, an increasingly popular technique in which the criminal makes the call appear to come from someone else's number in order to pose as that person or institution.

A real-life example, a model case of fraud using the "police" method. The entrepreneur arrives at the company around 8:30. He is a little stressed because he has a million things to do after the weekend. He takes the first call of the day and hears the following:

- Good morning, this is Assistant Commissioner Andrzej Zawadzki of the cybercrime unit of the Provincial Police Headquarters. Do you have an account at Bank "X"? We are currently conducting activities related to a hacking attack on accounts at this bank. We are calling customers to warn them against losing money. (creating a threat)

- How can I be sure that you are indeed a policeman?

- Very smart of you to ask. You will soon receive an SMS confirming my identity. My police ID number is 709479. Please don't hang up.

After a dozen or so seconds, an SMS arrives with the header of the Provincial Police Headquarters: "We have received a report about fraudulent activities. Officer No. 709479 is investigating Bank X. Please follow his instructions."

In the meantime, the entrepreneur has looked up the phone number of the Provincial Police Headquarters in his city on its website, glanced at the smartphone display and... the call is coming from that very number! (gaining trust) The displayed number proves nothing: as noted above, caller ID can be spoofed, and the only reliable check is to hang up and dial the published number yourself.

"Assistant Commissioner" Zawadzki politely asks whether they can continue the conversation, stressing the need for immediate action because cybercriminals have gained access to the logins and passwords of Bank X customers: "It is not known how much data they stole, but it is very likely that you are not safe." (creating time pressure)

Then the "Assistant Commissioner" "verifies the identity" of his victim by asking for standard personal details. He confirms that everything matches and explains that, together with Bank X's security department, special temporary accounts have been created for customers whose funds are at risk. Each customer receives an individual account number, creates a new login and password for it, and can then transfer funds from the old, endangered account to the new, secure one. After 24 hours the money will automatically be returned to the old account. (offering a solution) No bank or police force ever asks a customer to move money to a "safe account"; that request is the scam itself.

"Assistant Commissioner" Zawadzki announces that an e-mail from Bank X will arrive in a moment with the number of the new account and a link for logging in and making the payment. He adds that the matter is very urgent, because the money in the old account is at risk. The fake policeman asks the entrepreneur to open the email and stay on the line so that every step can be confirmed. (urging specific actions)

The email arrives. It looks identical to the ones Bank X usually sends: logo, marketing slogans, footer, everything in order. Only the sender address and the address of the bank's website have the digit "0" in place of the letter "o" in the name. In a hurry, who would notice? This is the last moment at which the victim has a chance to end the conversation and call the bank's hotline or the police headquarters, on numbers he looks up himself, to check whether his money is really at risk.

Instead of hanging up, the entrepreneur creates a login and password for the new account and then transfers all the funds from the old one. The amount is six figures. A moment later he receives an e-mail confirming the transaction and a link to check the account balance. "Assistant Commissioner" Zawadzki asks whether everything is in order. The entrepreneur confirms. The fake policeman thanks him for his cooperation and quickly ends the call, explaining that he must warn many other customers about the possible attack on their accounts.

An hour after the conversation with the "Assistant Commissioner" ends, a real consultant from Bank X calls to ask whether the entrepreneur confirms the transfer to the indicated account. The victim confirms, and the bank's own control, the one check that could still have stopped the transfer, is overridden by the victim himself.
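The digit-for-letter swap in the sender address and the link, and the earlier CBCC trick of hiding the real domain (troadsecow.com) behind a legitimate-looking name, are mechanical enough to check automatically. The following Python is an added example, not code from the original article or from InvestProtect; the bank domain bankx-online.example, the allow-list, the confusable-character table, the dangerous-extension list and the sample messages are all constructed for the demonstration, and the registrable domain is approximated as the last two labels because no public-suffix list is used. It reduces each domain to a "skeleton" in which common substitutes (0 for o, 1 for l, rn for m, accented letters) are mapped back to the genuine letters, then compares the sender domain and every link against the allow-list and flags executable downloads.

```python
"""Lookalike-domain check for a phishing e-mail (added example, constructed data).

Assumptions: the legitimate bank domain is 'bankx-online.example'; the
confusable table covers only ASCII digit/letter swaps, a few letter pairs
and Latin diacritics (Cyrillic/Greek homoglyphs are out of scope); the
registrable domain is simply the last two labels (no public-suffix list).
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually trusts.
TRUSTED_DOMAINS = {"bankx-online.example", "policja.example"}

# Downloads that should never arrive in a message from a bank or the police.
DANGEROUS_EXTENSIONS = (".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1")

# Multi-character confusables are applied first ("rn" -> "m" before any
# single-character mapping could touch the "n").
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
# Digits commonly used in place of letters (the "0" for "o" in the article).
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b", "9": "g",
})


def skeleton(name: str) -> str:
    """Map a host name to a canonical form so that a lookalike built from
    confusable characters collapses onto the genuine name."""
    s = unicodedata.normalize("NFKD", name.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # 'ó' -> 'o'
    for pair, replacement in CONFUSABLE_PAIRS:
        s = s.replace(pair, replacement)
    return s.translate(CONFUSABLE_CHARS).replace("-", "")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no public-suffix handling)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    host_skel = skeleton(host)
    for t in sorted(trusted):
        # Same name with confusable characters swapped: bankx-0nline.example
        if skeleton(reg) == skeleton(t):
            return f"lookalike:{t}"
        # Brand used as a subdomain of an unrelated registrable domain:
        # bankx-online.example.troadsecow.com
        if skeleton(t.split(".")[0]) in host_skel:
            return f"lookalike:{t}"
    return "unknown"


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Bank X <alerts@bankx-0nline.example>'."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header
    return address.strip().rsplit("@", 1)[-1].lower()


def check_message(from_header: str, urls, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify the sender domain and every link; flag the message if any of
    them is off the allow-list or if a link downloads an executable."""
    report = {"sender": classify_host(sender_domain(from_header), trusted), "urls": {}}
    for url in urls:
        parts = urlsplit(url)
        verdict = classify_host(parts.hostname or "", trusted)
        if parts.path.lower().endswith(DANGEROUS_EXTENSIONS):
            verdict += ",dangerous-download"
        report["urls"][url] = verdict
    verdicts = [report["sender"], *report["urls"].values()]
    report["suspicious"] = any(v != "trusted" for v in verdicts)
    return report


if __name__ == "__main__":
    # Constructed samples resembling the two cases described in the article.
    bank_mail = check_message(
        "Bank X Security <alerts@bankx-0nline.example>",
        ["https://bankx-0nline.example/secure-login", "https://bankx-online.example/help"],
    )
    police_mail = check_message(
        "CBCC <office@policja.example.troadsecow.com>",
        ["https://bankx-online.example.troadsecow.com/antivirus.bat"],
    )
    for label, report in (("bank", bank_mail), ("police", police_mail)):
        print(label, report)
```

The skeleton comparison is deliberately one-directional: a genuine domain is never reported as a lookalike of itself because the allow-list is consulted first, while anything whose skeleton collides with a trusted brand, or that merely embeds the brand as a subdomain, is reported against that brand so a reviewer sees what it is imitating.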

The next day, the entrepreneur wants to check that his money is safe. He starts by clicking the link for checking the status of the new account, which came in the previous day's e-mail from the "bank". The link is no longer active. Slightly worried, he logs into his old account through the bank's website. It is empty. The new account is not visible in the system, and attempts to log in with the login and password created the previous day fail. The entrepreneur panics. He immediately calls the Bank X hotline, where he learns that all security systems are working properly and that there has been no hacking attack. He calls the police headquarters looking for Assistant Commissioner Zawadzki of the cybercrime department, but, as you can easily guess, no one by that name works at the Provincial Headquarters.

The entrepreneur asked me for help in finding the scammer and getting his money back. A team of specialists from my company, InvestProtect, is working on it. We were able to determine that it was most likely a single attack, refined down to the smallest detail and aimed only at my client. The criminals were perfectly prepared: they knew the victim's financial status and his habits, and they knew exactly when and how to strike.

My client cares about cybersecurity in his company. The firm is equipped with professional anti-virus protection and has an efficient IT department. We also recently organized training for the company's employees so that they know what to do in the event of a cybercriminal attack. One of the topics of that training was the social engineering used by scammers.

What conclusion can be drawn from this story without a happy ending? Do not assume that "only other people get fooled". The weakest link in the cybersecurity chain is always the human being, and that person can be anyone: a business owner, a CFO, a chief accountant, me, or YOU.

I encourage you to contact me in any such case. Tel. 730 006 581.

More about cybersecurity: https://www.investprotect.pl/oferta/cyberbezpieczenstwo
