Commentary: Robocalls expose weakest link in a new ‘scamdemic’
Scammers use a sophisticated set of tricks to get people to drop their guard and give up personal information but people do not have to be the weakest link in these threats, says a Group-IB security head.
SINGAPORE: One morning in March, one of our employees received a robocall from a local number.
The automated voice message claimed to be calling from the Ministry of Health of Singapore with an important message about COVID-19.
It was not the first, second or even third time that he received that kind of call. It didn’t go too well for scammers, who chose automation over human interaction, not knowing they were dealing with a cybersecurity professional.
For one, everybody knows regular working hours for the Singapore government are 9am to 5pm. Except this call was made at 8.13am.
MORE FREQUENT SCAM CALLS OVER THIS PANDEMIC
Not many people have more than 10 years of experience in fighting digital crime to draw on, so most would not quickly conclude that such calls are scams and hang up; many would listen on and follow the instructions instead.
Such robocalls are getting more frequent in Singapore and across the world, with a growing proportion becoming scam calls.
According to phone company Hiya, three in four Americans say they have been targeted by phone scammers over the past year. In Singapore, Singtel had warned the public in November 2020 that such scam calls had doubled.
Worse, such robocalls are just one of many weapons in scammers’ toolset enhanced by the pandemic.
For decades, Singapore was a safe harbour in a world plagued by scams. The country’s online scam rate has traditionally been among the lowest in the world.
Last year, however, the situation turned on its head. According to a Singapore Police Force report, the number of scam cases hit a record high in 2020, jumping by 65.1 per cent.
The pandemic has created a perfect storm for a “scamdemic”.
COVID-19 scams take many forms: Fake websites, branded surveys, social media accounts, rogue SMS or messenger texts, fake ads, fraudulent calls, email etc. In a nutshell, scammers use a wide range of means to get their hands on a victim’s money or personal data, which can be converted into money later.
Yet in this set of financially motivated crimes, one fact stands out: Humans are the weakest link in the cybersecurity chain.
We have always been susceptible to social engineering given how prone we are to acting on our emotions. The pandemic has fueled more uncertainties.
You can hardly expect critical thinking from stressed out and fearful citizens. People are overwhelmed with coronavirus news reports.
COMMON TRICKS OF THE TRADE
Scammers quickly seized the opportunity, feeding on the COVID-19 panic and fears as coronavirus cases in Singapore rose.
One of the many recent examples is a scam involving compromised WhatsApp accounts to solicit donations for the purchase of oxygen concentrator machines to be sent to India.
In all traditional scammer operations, the crooks need something to build trust with their victims. Usually, they masquerade as big brands with large customer bases but during this pandemic, COVID-19 itself became that calling card – as offers for cheaply produced masks became enticing to people concerned with not having sufficient supplies.
Scammers are also leveraging philanthropy efforts. In the early days of the pandemic, just weeks before the circuit breaker was introduced, we detected a phishing campaign disguised as a set of safety recommendations from UNICEF.
The email prompted the victims to open an attachment and share the email. The attachment can install Netwire – a password-stealing Trojan and keylogger.
Indeed, it seems sometimes that these scammers are pretty well versed in trending news and topics of discussion online.
As soon as Singapore kicked off its nationwide vaccination programme this year, scammers started sending out SMS about vaccination with rogue links.
When Singapore’s unemployment rate rose during the pandemic, newfound fears about livelihoods quickly gave rise to a new round of recent rogue SMS scams offering high-paying vacancies.
Recipients were invited to continue the conversation on WhatsApp – a popular social engineering technique to get people to drop their guard.
Another driver behind the rise in scams is the data breaches resulting from the disruption of core IT processes as companies transitioned to work-from-home, compromising the cybersecurity of corporate networks.
Such big data breaches exposed huge amounts of personal data about users, giving scammers a treasure trove of information to use to their advantage, which has given rise to targeted personalised scams.
Last year, Group-IB’s Digital Risk Protection team discovered that almost 250,000 sets of personal data compromised earlier (including 3,499 records related to Singaporeans) were used to create targeted multi-stage bitcoin scams.
Victims would receive targeted SMS messages with short links. The messages were convincing because they referred to recipients by name.
Each victim’s phone number, which in most cases came with their name and email address, was contained in a unique personalised URL used to redirect people to rogue websites.
Websites built for this purpose featured made-up interviews and fabricated comments attributed to local celebrities, like Bryan Wong.
We need a joint effort between the authorities, brand owners, and regular citizens to fight this growing tide of scams.
While such cases should be brought swiftly to authorities so that investigations can get underway and perpetrators can be brought to justice, governments too have a role in ensuring that scam resources hosted or registered on their territories are taken down swiftly and effectively.
Corporates too have a role in responding swiftly. Much is at stake, as customers who have experienced brand abuse online are unlikely to return.
The financial cost can be massive. According to Group-IB’s estimates, online scams abusing brands accounted for 38 per cent of all digital crimes in Q1-Q3 2020.
Good personal cyber hygiene, awareness and some vigilance can help users not to fall victim to online scams.
FOUR RULES TO KEEP IN MIND
Some simple rules help to differentiate between a scam and a genuine offer.
First, maintain higher vigilance regarding all COVID-related communications.
Scammers usually impersonate well-known companies. Take a leaf from journalists who use the three-source rule to confirm information: Find the company’s official website, look for reviews, and call customer support. In short, always try to confirm the credibility of the “source”.
Second, always check the domain name of a site you’re directed to.
Google the URL and double check that it is legitimate. Even if you see a well-known brand, make sure you’re visiting a legitimate website. The devil is in the details. Subtle spelling differences could be a tell-tale sign. The date that the website was created is another reliable indicator.
If the page you are visiting is only a couple of months old, it is likely to be a scam or a phishing page. You can use a free WHOIS service to check details of a domain and find a website’s registration date.
Third, treat incoming calls with a healthy dose of scepticism and always check the customer support number on the official website.
Scammers use apps that make it possible to fake legitimate phone numbers. It’s always better to ask for the name of the company and the caller and say that you’ll call them back. Then you can take the time to do your own research online and check reviews.
Fourth, do not enter any personal or payment data on suspicious websites and do not download files from them.
When there is a lot at stake, fraudsters go all in. They develop complicated multi-stage schemes. They begin by approaching cautiously and collecting only a phone number, for example.
Only later do they drop a personalised SMS or contact the potential victim by email.
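The second and third rules above (check the domain spelling, check the registration date via WHOIS) can be automated for a defender who triages reported links. The following Python is an added illustration, not code from the commentary or from Group-IB; the WHOIS text, the domain name and the brand list are constructed examples, and the 90-day threshold is an assumption standing in for the "couple of months" rule of thumb.

```python
"""Flag a reported domain as suspicious by age and by brand look-alike spelling."""
import re
from datetime import date, datetime

# Constructed WHOIS-style output for a hypothetical domain; not a real record.
SAMPLE_WHOIS = """Domain Name: singte1-support.com
Registrar: Example Registrar, Inc.
Creation Date: 2021-03-02T10:15:00Z
Updated Date: 2021-03-02T10:15:00Z
"""

# Brands worth protecting; a real deployment would load the organisation's own list.
KNOWN_BRANDS = ["singtel", "unicef"]


def creation_date(whois_text):
    """Pull the registration date out of WHOIS text; None if the field is absent."""
    m = re.search(r"^Creation Date:\s*(\d{4}-\d{2}-\d{2})", whois_text, re.M)
    return datetime.strptime(m.group(1), "%Y-%m-%d").date() if m else None


def domain_age_days(whois_text, as_of_iso):
    """Days between registration and the ISO date as_of_iso; None if unknown."""
    created = creation_date(whois_text)
    return (date.fromisoformat(as_of_iso) - created).days if created else None


def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, brands=KNOWN_BRANDS):
    """Return the brand a hyphen-separated label token imitates (close, not identical)."""
    label = domain.lower().split(".")[0]
    for token in label.split("-"):
        for brand in brands:
            if token != brand and edit_distance(token, brand) <= 2:
                return brand
    return None


def assess(domain, whois_text, as_of_iso, max_age_days=90):
    """List the reasons a domain looks suspicious; an empty list means no finding."""
    reasons = []
    age = domain_age_days(whois_text, as_of_iso)
    if age is not None and age < max_age_days:
        reasons.append(f"registered only {age} days ago")
    brand = lookalike_brand(domain)
    if brand:
        reasons.append(f"looks like '{brand}' but is spelled differently")
    return reasons
```

A missing Creation Date field is treated as unknown rather than as safe, so the look-alike check still runs on its own.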
Ilia Rozhnov is Head of Digital Risk Protection Unit in Asia Pacific, Group-IB.