Recently, the Better Business Bureau of Greater Houston and South Texas published a list of the top scams of 2017, with some additional information on how to best avoid becoming a victim. In the interest of providing the best possible protection for our customers, we have boiled down some of that information here. Please review and discuss with your employees and coworkers. Knowledge and preparedness are always your first and best defense.
Common Scam Types
- Phishing Scams – perpetrator will request sensitive information (credit card or other banking numbers, sensitive contact information, personal information on you or a coworker) or attempt to record a generic acknowledgement from you (by getting you to say “OK” or “yes” or requesting a code or signature) that can then be applied to another process and used to defraud you or the company.
- Online Purchase Scams – perpetrator sets up either a fake website that appears to be a legitimate site (amazon-com.com, for example) to steal credit card information or, in some cases, sets up a new site which never delivers (probably non-existent) purchased items.
- Employment Scams – perpetrator promises (via phone call, email, or website) access to a fake job opportunity in exchange for payment.
- Tax, Debt, or Penalty Collection Scams – perpetrator claims to represent an agency to which the victim owes money. This can be a local municipality, state for federal tax authority, or a public utility. Victims are told they must pay, typically by prepaid debit card or wire transfer, or face some sort of negative consequence.
- Tech Support Scams – perpetrator tricks and end-user on the Internet (or recipient of an infected email) into calling for technical support after they encounter a pop-up warning from either an infected website or an infection on their own computer from a malware email attachment. Victim is usually told that a credit card is needed for payment, as well as remote access for the “assistance”. Typically results in both excessive charges on credit card as well as identity theft resulting from personal information stolen during remote access connection.
- Fake Check or Money Order Scams – individual or company receives a check for an amount not owed (excessive or non-existent charge) and, when contacted, sender requested to be refunded the difference electronically. Check then does not clear and funds are lost.
- Processing or Advanced Fee Scams – perpetrator requests an advance or processing fee to grant the victim access to a loan, government grant, prize, or other reward of significant value.
It is important to note that the perpetrators of many of these scams rely on a tactic called “spoofing” in order to increase their chance of success. Spoofing is the process of falsifying the identity of the perpetrator (typically their Caller ID information, the From field of an email, or the text and graphics of a website) in order to convince the victim that they are being addressed by a legitimate business or authority figure.
In some cases, the spoofing will be flawed in some way, ie. the senders name is correct but their actual email address is not (John Leigh <firstname.lastname@example.org> ), the website address is close (www.amazong.com), etc. In others, it may be appear perfect at first glance.
The best method for handling sensitive information or access in all these cases is verification. If you receive a request for sensitive information, verify the request via another medium. For example, if you are contacted via email, verify with a phone call. If you are asked for sensitive information on a website, call or email your contacts at that vendor or customer to confirm – but do so manually, without using phone or email links on the site itself. Though this may take more time, it is well worth the investment in security for you and your employer.