The Scammers’ Playbook: How Cybercriminals Get Ahold of Your Data
Cybercrime is a growth industry like no other. According to statistics from the FBI’s 2021 Internet Crime Report, complaints to the Internet Crime Complaint Center (IC3) have been rising since 2017. In 2021 alone, IC3 received 847,376 complaints which amounted to $6.9 billion in reported losses, up from 2020’s 791,790 complaints and $4.2 billion in reported losses.
A major focus of cybersecurity as an industry is its efforts to detect, root out, and respond to potential fraudsters attempting to trick companies and people out of their money, data, or both. To this end, some impressive technology has been created to combat the technological side of the issue, to keep hackers and similar bad actors from accessing data and account privileges they shouldn’t.
This made a lot of sense, especially in the earlier days of the Internet where cybersecurity measures were nowhere near as robust as they are today. However, the technological side of cybersecurity is no longer the weakest link in a company’s proverbial chain. Often, a scammer will simply target the people in a company and fool them into giving up their personal details, account passwords, and other sensitive information and gain access that way.
As a matter of fact, the most-reported crime in the 2021 Internet Crime Report was phishing, a social engineering scam in which the victim receives a deceptive message intended to get them to reveal personal information or account credentials, or to trick them into downloading malware. Phishing was reported to IC3 over 300,000 times in 2021, the only Internet crime to pass 100,000 complaints.
There are dozens if not hundreds of types of scams out there, but we’re going to focus on the scams most likely to affect a business, such as phishing or business email compromise (BEC). Romance scams aren’t as likely to affect businesses so we’ll leave that one for “eSecurity Planet After Dark,” if we ever go there.
With all this in mind, let’s take a look at what a scammer does, who they target, and how to spot one trying to pick your metaphorical pockets.
To talk about which targets scammers pick, we’ll be looking at two categories: individuals and businesses.
The first thing to remember when dealing with scammers is that they are, ultimately, business professionals. They might not operate a legal business, and they might be more unscrupulous than the average legitimate business professional, but business professionals and scammers can have a similar mindset. They’re often looking for the sources of income which offer the most profit for the least investment. Cybercriminals look for high ROI too, which is why frustrating them enough to force them to move on is often the goal of cyber defenses.
In search of the easier score, scammers have a tendency to go after older generations. In the 2021 FBI report, individuals over 60 years of age had the highest number of complaints of any age group with 92,371 and the highest amount of reported losses with $1.68 billion. Of the six age groups listed (under 20, 20-29, 30-39, 40-49, 50-59, 60-69), the three oldest age groups reported $4.13 billion in losses, 60% of the reported losses for the entire year.
So why do scammers go after older individuals more? Aside from ageist assumptions of mental enfeeblement or lower technological competence, it’s largely a matter of who has the most money. According to data from the Federal Reserve, the 55-69 age group controlled 41.2% of the wealth in the United States as of Q1 2022, compared to 6.5% for individuals under 40. In fact, the 55-69 age group has had uninterrupted control of over 40% of the wealth in the U.S. since Q3 of 2007.
For businesses small and large, target factors like age are replaced by type of industry and the sort of data they might contain. According to the 2021 IBM Threat Force Intelligence Index, Manufacturing was the industry most likely to be attacked last year, comprising 23.2% of cyber attacks IBM handled. Finance and insurance finished a close second at 22.4%.
Finance and insurance companies were particularly vulnerable to the sort of phishing scams we’re talking about. Phishing attacks made up 40% of all attacks in the sector. 70% of attacks were on banks.
The healthcare industry is another valuable target for scammers, thanks to the high volume of sensitive information that hospitals, private practices, pharmacies and the like can have on file for patients.
Energy and utility companies have been the targets of some of the most high-profile cyber attacks in recent memory, such as the May 2021 Colonial Pipeline attack or the Delta-owned Monroe Energy attack in November 2021. Given how lucrative and necessary both sectors are to daily life, they make prime targets for ransomware.
Government organizations combine the best of both the energy and healthcare industries for scammers, with government entities both having access to sensitive information and being necessary to the day-to-day lives of citizens. In 2020 alone, 79 ransomware attacks were conducted against government entities in the U.S., costing an estimated $18.88 billion.
This section will be divided into two parts. First, we’ll cover the technological side of cyber attacks, such as evading detection tools or digital reconnaissance techniques. Then, we’ll go over the basic, foundational techniques most scammers find themselves using, such as social engineering and phishing.
The thing that defines cyber crime is the access scammers and other Internet criminals have to digital tools and solutions to exploit user and company data for their own ends. Malware like SharkBot can record your keystrokes and steal browser cookies to capture logins; ransomware can block access to data until victims pay the demanded fee; other malware hijacks Internet browsers; and so much more.
Much like other fields of tech, cyber crime is also constantly evolving. When Microsoft blocked macros from running in untrusted files in Microsoft Office (a common point of entry for scammers), hackers repackaged their malicious files in other formats to circumvent the block and continued using that point of entry.
One particularly potent emergent technology for scammers is blockchain and the related cryptocurrency and NFTs. Blockchain supporters have touted it as a fraud prevention tool, but while blockchain can be useful in preventing certain kinds of attacks, it is incredibly vulnerable to others.
Cryptojacking, the practice of taking over a computer’s processes in order to mine cryptocurrency, is a popular method of blockchain-related fraud, often introduced via malicious links or by being directly installed on computers by someone with access. This variant of fraud has been around since at least 2011, when an Australian Broadcasting Corporation employee with high-level IT access privileges hijacked company computers to mine Bitcoin.
Other relatively recent technological innovations in the world of fraud include multi-factor authentication bypass via session cookie theft, the Lilith ransomware which can lock and encrypt Windows machines while stealing data for further extortion, and a new method that abuses Windows event logs to store fileless malware and inject code while evading detection.
However, even with all the tools at their disposal, the scammer’s most useful tools are the simplest. Basic phishing and social engineering techniques are still the most common starting point for cyber attacks. Whether they’re getting you to trust or sympathize with them over the phone or simply scaring you into opening a malicious email, it’s important to recognize these tactics and to stay vigilant, especially when dealing with strangers.
Misleading or deceptive emails, as seen in phishing attempts, are one of the most popular methods of attack. Anyone reading this has likely received multiple fake emails from someone pretending to represent a government institution, a social media platform, or a healthcare provider, trying to fool you into clicking on a link to their malware-laden website or opening an infected attachment.
These emails will often try to take advantage of your fear of missing out (FOMO). They’re often marked “URGENT” in some way, shape, or form in order to drive up reader anxiety and force a click. This is the same trick business professionals might use to secure a sale (i.e. “There are only 10 of this product left, so you should buy now before they’re gone!”). FOMO is a powerful emotion to exploit, and when dealing with these sorts of communications, it’s often best to delete them without reading if you have even the slightest doubt that the sender is legitimate.
When it comes to the personal side of cybersecurity, vigilance at all levels of an organization is key. While tools like email gateways and DMARC can do a lot to keep your email and data safe, there is no 100% foolproof technological solution to cybersecurity, which means the people in charge of the business must do their part in ensuring the company’s cybersecurity standards are being consistently met.
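DMARC is only as good as the policy published in the domain's DNS TXT record: a record with `p=none` merely reports spoofed mail, while `p=reject` tells receiving mail servers to refuse it. The following is an added illustration, not code from the article or from any vendor mentioned in it, of how a defender can parse a DMARC record and grade it for weak settings. The two sample records (`WEAK_RECORD` and `STRONG_RECORD`) and the `example.com` reporting address are constructed for this example; the record lives at `_dmarc.<domain>` in DNS and can be fetched with any DNS client before being passed to `grade_dmarc`.

```python
"""Parse and grade DMARC TXT records (added illustration, not from the article)."""

# Constructed sample records: a weak policy beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.com"
)


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs.

    Returns an empty dict if the record is not a DMARC record (v=DMARC1 missing),
    which is how a receiver would treat it: no policy at all.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # empty trailing segment or malformed tag: skip rather than crash
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {}
    return tags


def grade_dmarc(record: str) -> list:
    """Return a list of findings describing weaknesses; an empty list means hardened."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record (v=DMARC1 missing): spoofed mail is not policed"]

    findings = []
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"invalid or missing p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures go to spam rather than being rejected")

    # pct defaults to 100; anything lower leaves part of the mail stream unpoliced.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")

    # Subdomain policy (sp) falls back to p when absent.
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are policed less strictly")

    # Alignment defaults to relaxed (r): any subdomain of the organizational
    # domain aligns. Strict (s) requires an exact domain match.
    if tags.get("adkim", "r") != "s":
        findings.append("adkim=r: relaxed DKIM alignment (default) accepts subdomain signatures")
    if tags.get("aspf", "r") != "s":
        findings.append("aspf=r: relaxed SPF alignment (default) accepts subdomain senders")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{label}: {record}")
        for finding in grade_dmarc(record) or ["no weaknesses found"]:
            print(f"  - {finding}")
```

The weak record produces four findings (the `p=none` policy, the inherited subdomain policy, and the two relaxed alignment defaults); the strong record produces none. Treat the alignment findings as hardening advice rather than failures, since relaxed alignment is the standard default and is often required when third parties send on a domain's behalf.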
A common saying is “cybersecurity is a team sport,” and it is still true. If your company’s data is the proverbial money in your vault, everyone who has access to that data is a potential path to success for scammers. This means everyone needs to do their part in keeping the vault safe. Undergoing employee cybersecurity training is extremely helpful in establishing and maintaining the company-wide best practices necessary to keep everyone’s information as secure as possible.
Finally, it’s vital to remember that, even if you successfully follow best practices and have excellent cybersecurity solutions, hackers and scammers might still find a way to gain access to sensitive information. When a scenario like that occurs, it’s important to have triage and backup procedures in place to minimize the overall damage a cyber attack can deal to your business.
Cybersecurity is one of the most vital parts of any organization in the modern business world. With how much data a company can process, whether in-house or from clients, the potential for exploitation by Internet criminals is high. Whether it’s through rock-solid cybersecurity training for employees, the latest in cybersecurity software and services, or some combination of the two, keeping your data and your customers’ data safe is an absolute necessity.