Category Archives: Social Engineering

The grandchild-in-trouble scam claims another victim

According to a story in today’s edition of the NWI Times, a local senior citizen lost $3,200 to an overseas scammer.

This time, the victim got a call from someone that claimed to be his grandson. The caller said he had been arrested in Madrid, Spain, and needed the victim to wire $3,200 to bail him out.

After the victim wired money the first time, he got another call saying the transfer hadn’t gone through. He was asked to return to Western Union and wire another $3,200. It was at this point that the Western Union agent noticed that the first transfer had been successful, and the scam was uncovered.

This type of scam seems to be showing up more lately, which is to be expected in a world economy that’s seen better days. And let’s face it—it’s an easy scam to pull off, and the chances of being caught are low, so it’s an attractive crime to a lot of people.

You have to make sure your older relatives are aware of this scam. It doesn’t take much work to find out the names of grandchildren these days. Plus, an experienced crook doesn’t even need to know the grandchild’s name in advance; they’ll get the victim to say it at some point.

Tell them, “If you ever get a call from one of us saying they’re in trouble in some foreign country, and they’re asking you to wire money, please call us at home before you do anything, because it’s probably a scammer.”

Grandparents are more likely to have trouble hearing than others (at least for now, until earbud headphones have their way), an especially on the telephone, so it’s easier to trick them into thinking a caller is their grandchild. This goes double if the child in question was seven the last time they saw Meemaw. Have your kids called their grandparents lately? Maybe it’s time.

Of course, that’s not just a fraud prevention tip.

Don’t fall for the stranded friend scam

According to the latest Intelligence Note from the IC3, people continue to lose thousands of dollars to a common social networking scam.

Here’s how it works:

  1. Somebody hacks your friend’s Facebook account.
  2. They send messages to all their friends that boil down to “Help, I’m in London and somebody stole all my money and cards and I need you to wire me money. I’ll pay you back later.”
  3. You wire several hundred dollars to London.
  4. You find out your friend has been at home the entire time and, “Oh yeah, by the way, somebody hacked my Facebook account…”

Maybe there are cases where people have actually gotten cleaned out in some foreign city and used Facebook or Twitter to contact their friends and have them wire money to them, but I’ve never heard of it happening.

If you get a message like this from a Facebook friend, don’t just respond immediately by wiring cash. There are some questions you need to ask first:

  1. Is your friend actually in London?

Actually, that one question alone will usually tell you everything you need to know. Pick up the telephone and call your friend. You know that mobile Internet device you’re always using to find sushi restaurants? You can call people on those. If your friend is sitting at home watching the Leif Garrett episode of Behind the Music for the hundredth time, you know that message was a scam. Also, “Oh yeah, by the way, dude, somebody hacked your Facebook account.”

Then again, if you get that message at all, you should already be about 99.9% sure it’s fake. Even now, whose first reaction upon getting robbed would be to run to Facebook? There are police in London, you know, and I’m sure they have procedures.

Plus, you should never wire money to anyone without being able to verify, beyond a reasonable doubt, who you’re sending it to, where you’re sending it, and why you’re sending it.

Your biggest security vulnerability, according to the World’s Greatest Hacker

Kevin Mitnick was a hacker before hacking was even illegal. He was famous for having broken into the computer networks of some really large companies. He didn’t make a single dime from his activities; he just wanted to prove it could be done. He was eventually arrested, convicted and given a harsh five-year sentence, served in solitary confinement because the judge was convinced Mitnick could “start a nuclear war by whistling into a pay phone” (source: Wikipedia).

Later, he was released from prison and started a security consulting business (Mitnick Security Consulting, LLC), and now gets paid by companies to break into their computer systems and tell them what they need to fix.

Since he’s no longer dangerous (many argue that he was never all that dangerous, in the “this guy wants to destroy the world” way the prosecution claimed), Mitnick has also become a popular conference speaker. He knows the single biggest security flaw in every single commercial or private computer system, including yours:

It’s the people.

Time and again, Mitnick bypassed high-tech means of hacking (using software to force his way into a system) in favor of low-tech hacks: calling people on the telephone and asking for information.

It’s called social engineering, and it amounts to tricking people into giving away information simply by talking to them.

Mitnick concentrates on corporate network security, teaching businesses how to keep their data safe. However, the same goes for your own personal online safety: you are the weak point. How public have you made the names of your pets, your birthdate, your children’s names and birthdates, or the school(s) you attended? (I’m looking at you, MySpace and Facebook users.) All of this information can be used to steal your identity, by providing a would-be thief with enough information to talk you into accidentally revealing too much information.

Mitnick’s business card, a miniature lock-picking set, has become quite famous these last few years. Look at his website again, under the “Get Kevin’s Business Card” section. It says “Send your IP address and password to:” and his address. It’s obviously meant as a sly inside joke, but I wonder how many people actually mail this information to him.