Fraud/Scams: Fake Finance
X Cyber Group (XCyber®)
We work with clients to keep data, people and businesses protected within the geography of the internet.
Most of us have heard of how sophisticated scams are getting, and some have been unfortunate enough to be the target or victim.
Scams share common themes: identifying a victim, moving to private communications (such as encrypted messaging), establishing and building trust, and ultimately exploiting victims for financial gain.
Establishing and building trust is essential to their success.
In the recent example provided below, a recipient of a targeted approach identified the scam very early. They agreed to go along with the rest to see what would happen.
Unusually, the scammer provided direct access to their business bank account - hiring the prospective victim to make transactions as a financial administrator.
Or did they?
Targeting (The Hook)
Our prospective victim - referred to as 'clients' by scammers - was contacted using a profile on the dating service Match .com. The profile was specifically designed to appear benign, and avoid detection by Match's automated systems.
(Match are fighting back and have shared guides on how to spot a scammer with users.)
The first thing the scammer does, is to move conversation away from Match (where it might be detected) to WhatsApp and Telegram. The scammer used a UK mobile number, provided by mobile communications company EE .
The conversations quickly progress to our scammer declaring their undying love. They'd also been successful in business - winning an important new contract.
"After a careful review of all bids, we found yours to be deserving"
Photos are sent, followed by video calls - the person in the calls is the same as the one in the images. Our research confirmed that the images were highly likely to be unique (something else dating platforms now monitor for). We also found a Facebook account, which was not directly used in the approach.
The scammer's location is unclear throughout, but they claim to be working in the US - on business and hoping to return to UK once the contract is complete - and from Aberystwyth, a university and seaside town and community in Ceredigion, Wales.
Images sent by scammer show them in Plaza Uruguay, Park Polanco, Mexico City and also working at what appears to be the College Hill Pipeline Project in San Francisco.
Building Trust (The Line)
Our scammer has an opportunity and knows it. They need to build to trust, and specifically need to build trust around financial activities. What now?
Recommended by LinkedIn
"I'm having problems paying some invoices. Can you log in to my account and make payments for me?"
Our scammer recruits the respondent to help them with various financial admin tasks, ostensibly because their banking applications aren't working whilst they are overseas. In reality, it's a clever trick - and a critical part of the scam - deceiving the potential victim into believing they are being entrusted with managing a large amount of money.
Once logged in, a number of transactions are visible along with a displayed balance of £622,000 with "Alliant Bancorp" - a fictitious financial institution created to mimic a genuine banking history.
Our potential victim is sent a series of fictious bank account details via WhatsApp to make the invoice payments to. These transactions appear to go through on the fake banking application - money has seemingly been sent and it appears in the account history. One Time Passcodes are provided to authorise the transactions and the scammer shares these over WhatsApp too.
The scammer is very apologetic, regrets the inconvenience and is thankful to our potential victim for their help whilst they get their overseas access arranged. The scammer does not ask for money. It is all designed to build trust.
Exploitation (The Sinker)
After a number of successful transactions, the process fails and the [fake] bank account is seemingly suspended. The scammer forwards an email from the bank regarding the suspension:
"Your account has been temporarily suspended due to unknown ip access with new login information. You are required to complete our verification process in the bank to re-active your account." - ALLIANT BANCORP
Both are locked out from the banking dashboard. Our scammer pretends to be distressed - not only must they pay the invoices on time, but they may not be able to get home to the UK if they can't access their funds! This is a deliberate and very common tactic - increase the pressure.
Our scammer claims that a friend can lend them a large proportion of the money, but cannot help with the full amount. The victim is manipulated and pressured into offering assistance, but crucially the scammer does not directly ask for money. This awful tactic preys directly on the good nature of potential victims, who are trying to help a person who appears to be in need.
Playing along, our potential victim offers to help out - after all, they've seen the scammer's large bank balance, been trusted to manage it, and are now [pretending to be] confident with proceeding with a short-term loan to help the scammer out of a temporary situation.
The scammer makes no mention of the Starling Bank account provided in the invoice (which almost certainly belongs to a money mule) until a few days later, then requests that small payments are made initially, £500, then £1,000 - coaching the potential victim on various ways to transfer money that are designed to avoid scrutiny from counter-fraud initiatives.
When it becomes clear our victim isn't going to send any money, all conversation abruptly ends.
Reflections
What were the indicators that this was a scam?
If you can think of any others, please comment.
React.js/Node.js teams | COO at Crunch.is
1yImpressive job in identifying the scam! What happened next?