Family Experience with Scammers
I wanted to take this opportunity to share my story of two phone scams, as I’m sitting in front of a family laptop factory resetting and recovering applications. This is the second time in as little as nine months I am repeating the process, despite the controls and protections put in place last time.
My story intersects with broader trends, as previously highlighted by the Australian Competition and Consumer Commission (ACCC) and 60 Minutes, showing a dramatic rise in scam losses in Australia.
The ACCC Targeting Scams 2022 report revealed “Australians lost a record $3.1 billion to scams in 2022, as government, law enforcement and the private sector look to improve collaborative efforts to support the community in the fight against scams. This is an 80 per cent increase on total losses recorded in 2021.” [ACCC calls for united front as scammers steal over $3bn from Australians | ACCC].
60 Minutes also covered falling victim to a scammer and the awful feeling. CyberCX's Chief Strategy Officer Alastair MacGibbon appeared on the episode at the time. It was kind of ironic considering the timing. [Is there a meaningful solution to stopping scammers and financial fraud? | 60 Minutes Australia - YouTube]
BACKGROUND
There is about a decade between me and my brother, and it is safe to say I somewhat followed his footsteps into the Information and Communication Technology (ICT) sector. I was indoctrinated at an early age in information security practices whilst he was working for the Australian Government.
At the time, my mother and stepfather had their own business and the ICT was managed by us. Well, retrospectively looking back now, I think my brother worked out the best outsourcing model of all time, using me as the boots on ground to support and fix everything. He’d often tell me he was getting me to do everything as it was providing me with good experience. I remember thinking what a copout, but in hindsight, the foundations and analytical skills proved invaluable throughout my professional career. I was never allowed to touch the keyboard until I had researched the issue and told him the actions I was going to take to resolve it.
Scammers aren’t unfamiliar to me, nor are the techniques that are deployed to convince someone to fall victim to them, with the intent of trying to exploit and profit from individuals or companies. My parents’ business was targeted in the early 2000s with an email and letter attached with very believable and compelling information of accusations for the need to pay money to this fake entity. They used a two-pronged approach, firstly a malicious PDF attachment, which also contained the secondary vector of information, contact details, and banking information for payment transfer. Fortunately, it was enough to discard and rebuild the on-premise environments at the time from backups. No further contact with any of the information from the letter either.
I’ll preface the next part with some important context. My stepfather has been having chemotherapy for some time now and anyone that has experienced this with a loved one, friend or colleague, would understand how much it can knock you about. Unfortunately, the timings of these scams couldn’t have been worse with medical appointments.
FIRST SCAM
In May 2023, I got a call from my mother rather distressed, as my stepfather had received a phone call about his bank account and unusual activity. The individual on the other end, being convincing enough, stepped him through installing an application on his mobile. The intent was to gain access to the mobile banking application on the phone. There were issues for the actor/s trying to remotely connect to the application on his mobile, so he pivoted to stepping him through downloading a piece of software called AnyDesk to his laptop. This allowed the actor/s to remotely connect to the laptop and step him through logging into his online banking portal, at which point the actor took control of the laptop and proceeded to transfer funds from his accounts to one of theirs.
It was about at this point my mother had arrived home and realised what was happening. She had him hang up immediately and they went straight to the banks to report it and see what they could do. Fortunately, this was the correct action, but inadvertently they left the laptop on with the actor/s connected and accounts logged in. They had been at the bank for some hours before coming home, closing the laptop down and asking for my help. I think I have put the fear of cyber actors into her mind, so much so I will get a photo of a laptop screen asking if she should install updates on devices.
I sat down with them and got them to step me through the incident and actions taken, and analysed devices. I remember specifically telling both of them how bad it was leaving the computer on with a likely active connection for the actor/s. I’ve probably created a lasting trauma and reactionary response for my mother.
It wasn’t looking good at all for any of the funds that were transferred from the accounts. At the time the banks were saying nothing could be done, due to him logging in and technically transferring the funds from his account. In the end, the banks fortunately were able to stop the transactions due to the speed of reporting the incident to them at the branch.
SECOND SCAM
February 2024, it was like déjà vu. I’d been away for work this time and got a phone call on the weekend. Mum saying that it had happened again. No doubt the same threat actor/s, having almost gotten funds previously, trying for round two. They used the same tactics and playbook, created a sense of urgency and deployed AnyDesk on the laptop again. Although this time the actor downloaded gcapi.dll, which is used to connect to Google Cloud services, and my mother closed the laptop to terminate any connected sessions.
Again, they were lucky in that they didn’t lose any money, but still encountered emotional stresses from yet another experience when they least needed it.
REFLECTION AND LESSON LEARNED
I have been fortunate enough to have worked across the full breadth of ICT from designing, building, deploying, sustaining, and decommissioning operational capabilities in high security environments. I have played the role of defender and attacker. For me, my favourite vector has always been wetware: human beings considered with respect to logical and computational capabilities like a computer. People are far easier to exploit and gain access to information, breaching layers of security around a system. This is no different for scammers. It is easier to create an emotional reaction and create a sense of urgency where the individual is less likely to do any validation.
In the instance of my family, I focus a lot on indoctrination for processes and validation of things that don’t seem right. Some of the key takeaways from my family’s experience:
1. Acting as fast as possible for reporting scams might save you your money.
2. Don’t leave a threat vector open for the actor to continue to do actions if you find yourself in this situation. Kill the internet through your modem or router.
3. Household signage of scammer indicators as reminders for what to look out for. [Recognise and report scams | Cyber.gov.au]
Independent Cyber Security Consultant, Python programmer and sometime technical writer, with over ten years as a GRC/IRAP specialist
(1 year ago) What a sad but useful tale, thanks for sharing. I think people underestimate how clever and persuasive these scammers can be. I still meet people who believe hardly anyone would fall for these approaches, obviously normal people do, and it's getting worse! You're right, the bank contact number should probably be written out and stuck on the fridge, and the Internet disconnected, because of this type of attack: https://www.abc.net.au/news/2024-01-23/insurance-claim-farming-legal-concerns-car-tow/103376926
CIO/CTO/CISO | Senior Executive Leader in Complex IT & Engineering Environments | Driving Business Success through Digital Transformation
(1 year ago) Thanks for sharing. And very valuable to share that it can happen more than once, with same/similar MO. Social engineering can be so powerful, especially when it intersects with real life stressful events.
(1 year ago) Sorry to hear that this happened to your family Paul - under the circumstances, I'd bet that mum and dad are both glad to have had your help. Unfortunately, these sorts of scams just keep coming, so stories like this can only help others who might be scammed and in educating our friends and family. Best of luck to you and yours, mate!
(1 year ago) Thanks for sharing your story.
Executive Director - Financial Services Lead
(1 year ago) This is so helpful Paul - the more people share their stories the higher awareness and better protected others can be. Great write up