Warning: Fraud
Written by Aleksandr Tashkin
Updated over a week ago

Fraud

What is fraud?

Fraud is deceptive activity carried out within a service provider's infrastructure.
Its purpose is to deceive a service delivery system for personal gain. Fraud
affects banking, e-commerce and telecommunications services. It is a deliberate
deception by which an attacker takes advantage of the victim. Such activities rely
on social engineering and psychological methods of influence, such as
intimidation, disorientation, attempts to establish trust, or playing on
emotions.


When is fraud committed and by whom?


  • When serving individuals
  • When servicing corporate customers (legal entities)
  • When using bank cards
  • When making check transactions
  • By hacking or theft
  • By identity theft
  • Through victimization
  • By third parties exploiting data leaks of individuals or legal entities
  • By third parties presenting themselves as an organization
  • By third parties presenting themselves as public persons
  • By employees within a company
  • Through collusion of trusted users
  • As a result of an unintentional action by the responsible person


Fraud classification by type:


Phishing is a set of techniques that scammers use to obtain personal
information. Examples of common phishing:

  • Phishing to hijack accounts or social network profiles. A victim receives a
    message claiming that their account has been hacked and asking them to
    follow a link and enter their credentials to protect it. Once they do, the
    scammer locks the victim out of their account and starts sending messages
    from it, for example, requests to borrow money. This type of phishing extends
    beyond social media: a victim may also lose access to the crypto wallet that
    holds their funds.

  • Phishing for bank account details. In this case, a scammer calls or sends a
    message to a victim with false information about money being debited from
    their account, problems with the account, a required verification, etc. Most
    often, scammers ask the victim to send an SMS code "to verify the account",
    to reply to an authorization email, or to send a passphrase or password. The
    victim loses access to their personal account and their bank card credentials.
    Victims can also be attacked through links sent directly in a message.

  • Clone phishing. In this case, scammers copy a routine, legitimate message.
    For example, a customer receives a message from their bank containing an
    account statement, or a message from PayPal/Amazon asking them to verify
    their account. The scammer replaces the links in the body text or the files
    attached to the message with malicious ones that look like the real thing.
    By clicking the link or opening the attachment, the victim grants the
    attacker access to their computer through malware.

Extra types of fraud

  • Malware is a generic term for any type of malicious software designed to harm or
    illegally exploit someone else's programmable device, service, or network. Such
    applications cause direct or indirect damage, for example, they cause a computer
    to malfunction, display additional advertising or steal the user's personal data
    including SMS codes or two-factor authentication codes.

  • Click spam is generating fake clicks with bots to get past filters and get
    paid, or to steal data.

  • Ad masking is placing ads in an app or on a website by means of fraudulent
    browser extensions that replace or override existing ads, or steal data.

  • Download hijacking is a type of ad fraud that uses malware installed on a user's
    device to monitor app store activity or steal data.

  • Install hijacking – Scammers rely on an infected app that a user installs on
    their phone. Scammers are immediately notified about the install. They fake
    an ad click, attributing an ordinary app install to themselves, and receive
    payment through an affiliate program or steal data.

  • Domain spoofing – Scammers create a website and make it look like a website
    from an ad network in order to receive fraudulent traffic. Users click on ads
    expecting to reach the desired site, but land on a scam page instead and risk
    their data.

  • Toolbar – A user is induced to download an application with a special script
    that automatically opens an advertiser's website or installs an application to
    steal data.

  • SIM-card fraud is taking over a mobile phone number to bypass two-factor
    authentication.

Multiple methods are used for fraud. In identity theft, one person impersonates
another for personal gain. Phishing, social engineering, special devices, special
types of malware, and user data leaked from services and systems are used for
carding (the theft of bank card details and the cardholders' personal
information, such as address, security questions, date of birth and name). In
collusion, employees commit internal theft using their position and their
contacts with third parties. To exploit data leaks, scammers run Internet fraud
forums on the dark web where they share their experience and teach newcomers.


Fraud examples:

  • Scammers create a fake website that looks like the real one except for a
    few subtle details, for example a URL that differs by a single character.
    Visitors reach the website, make a purchase and, as a result, hand over
    their card details.

  • Creating fake ads in which scammers present a certain product but insert a
    link to a fake website unrelated to the ad.

How can you protect yourself from fraud?

  • Always check a link carefully: jumbled letters in the site name are a sign
    of a fake page. Instead of changing the URL in the address bar, phishers can
    also draw a fake browser window inside the real browser and manipulate
    anything shown in it (see example). Links on fraudulent websites usually
    contain errors or lead to third-party sources. Review the links in the
    browser address bar.

  • Before entering your login and password, check that the connection is
    secured with the https protocol. Check the values you enter in forms, and do
    not enter your personal details or bank card details when taking part in
    prize draws or other events. If a suspicious message with a link or request
    comes from a loved one, colleague or friend, remember that their account
    could have been hacked.

  • Always check the account name and whether a phone number is listed, in case
    you are dealing with a full copy of a real account. This applies to accounts
    in the apps or websites of banks, tax authorities, online stores, travel
    agencies, airlines, etc. Check your work accounts too. Keep in mind that
    their typical features can be faked.

  • A file sent by a friend or colleague may be spyware or a ransomware Trojan,
    and so may email or message attachments.

  • Try not to use unverified apps on your personal and corporate devices.
    Follow the licensing policy.

  • When interacting with your partners, obtain quotations from reliable sources
    and only through your corporate mail.

  • If you receive a suspicious message, check whether the sender's email address
    matches the sender's name. See whether the message was authenticated. Before
    clicking a link, hover over it and look at the URL that appears in the
    browser status bar. If the URL doesn't match the message description, the
    link may lead to a phishing site. Check the message headers to make sure the
    "From" line contains the correct name. If you receive an unexpected,
    suspicious message, contact the sender through another channel and check
    whether it was really sent by this person.
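The checks in the last point (sender name versus address, authentication results, link text versus real target) and the link checks earlier on this page (jumbled letters in the site name, a URL that differs by one character, reviewing the address bar) can be applied mechanically to a message before anyone clicks. The script below is an added example and is not part of the original article; the trusted-domain list, the sample messages and the names `check_message`, `lookalike_of` and `registrable_domain` are all constructed for this demonstration.

```python
# Added example, not the article's own code; trusted domains and samples are constructed.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("examplebank.com", "paypal.com")  # constructed allow-list
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digit-for-letter swaps
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def registrable_domain(host: str) -> str:
    """Crude registrable domain: 'login.examplebank.com' -> 'examplebank.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None if trusted or unrelated."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None
    # Fold lookalike characters so 'examp1ebank' compares equal to the brand name.
    folded = dom.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted.split(".")[0] or trusted in host.lower():
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_message(raw: str) -> list:
    """Run the article's checks over one raw message and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    # 1. Display name claims a brand whose domain the address does not use.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in name.lower() and registrable_domain(addr.rsplit("@", 1)[-1]) != trusted:
            findings.append(f"From name '{name}' suggests {trusted} but address is {addr}")
    # 2. Was the message authenticated? Read the receiving server's SPF/DKIM/DMARC verdicts.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{mech.upper()} result: {result}")
    # 3. Links: visible text vs real target, lookalike host, plain http.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for shown, href in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if URL_LIKE.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                findings.append(f"Link text shows {shown_host} but points to {host}")
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"Link host {host} looks like {imitated}")
        if target.scheme != "https":
            findings.append(f"Link {href} is not https")
    return findings

# Constructed phishing sample: lookalike sender domain, failed authentication,
# link text that does not match the real target, and a plain-http link.
SAMPLE_PHISH = """\
From: ExampleBank Security <alerts@examp1ebank.com>
Subject: Unusual sign-in detected
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=examp1ebank.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify now: <a href="http://login.examp1ebank.com/verify">https://www.examplebank.com/security</a></p></body></html>
"""

# Constructed legitimate sample: every check passes, so no findings are reported.
SAMPLE_CLEAN = """\
From: ExampleBank Security <alerts@examplebank.com>
Subject: Your monthly statement
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.com; dkim=pass header.d=examplebank.com; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>Statement: <a href="https://www.examplebank.com/statements">https://www.examplebank.com/statements</a></p></body></html>
"""
```

Calling `check_message(SAMPLE_PHISH)` reports seven findings (the brand-name mismatch in the From line, the three failed authentication verdicts, the link text pointing elsewhere, the lookalike host and the plain-http link), while `check_message(SAMPLE_CLEAN)` returns an empty list. The Authentication-Results header is only trustworthy when it was written by your own receiving mail server, so in practice the script should be fed messages from a mailbox whose server adds that header rather than arbitrary forwarded text.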

A few more tips

  • Enable two-factor authentication on all your existing accounts. This step
    can help if your master password has become known to hackers.

  • Delete all obsolete and unused accounts.

  • Regularly update passwords for your email and corporate accounts.

  • Don't reuse the same password.

  • Respond immediately to even the slightest hint of suspicious activity:
    change passwords, block scammers, and run a deep antivirus scan.

  • Don’t tell anyone your CVV code, PIN code, one-time passwords and
    passwords for Internet banking and mobile banking.

  • Don’t send or transfer SMS messages, emails with passwords, codes and
    other data to third parties, try to keep your privacy.

  • Request verification details from a contact person, make formal requests,
    and make sure the domain name is correct before contacting a website by
    email.

  • Stay alert when you are asked non-trivial questions about your personal and
    confidential data.


What if you still become a victim?

  1. Run an antivirus scan on your PC and smartphone.
  2. Immediately change the stolen password on all accounts where it is used.
  3. Set up two-factor authentication.
  4. If you accidentally provided your card details or a code from an SMS, call
     your bank, block the card and check for potentially dangerous transactions.
