This guest post is by Lisa Ventura, founder and CEO of the UK Cyber Security Association, a not-for-profit that raises awareness of the importance of cybersecurity for small and medium-sized businesses.
Online fraud is a huge challenge for businesses and consumers alike as cybercriminals continue to develop new mechanisms to separate innocent parties from their money.
As children we were warned not to talk to strangers or give them any personal information. Yet today we think nothing of sharing our details every time we make an online purchase.
More and more of us have become accustomed to doing more and more transactions online, especially since the COVID-19 pandemic hit last year, and it is easy to forget that there are people out there who will do anything to obtain money or personal information by deception.
How to spot online fraud
There are many types of online and identify scams, but here are some of the most common:
- “Get rich quick” scams
With job uncertainty at an all-time high, attackers are preying on our vulnerabilities and financial worries during the crisis.
Some reports suggest that scams claiming you can “earn” lots of money from home with little effort and no risk have gone up by as much as 66% in the past year.
While we may all dream of earning big for doing very little, you should assume that anything that sounds to good to be true IS too good to be true.
Be especially wary of advertisements that tell that you can work whenever you like; stay away from jobs that involve handling money for other people; and watch out if you have to pay a fee to get started.
- Fake shopping websites and “free” offers
Scammers set up websites that pretend to be the real deal and lure you in with “great offers” and “unbeatable savings” off the recommended retail price. Often these sites either ship fake items or simply take your money and don’t send anything at all.
Other shopping-based scams involve luring you in with a great deal, then “qualifying” you as the lucky winner of a high-value item such as a games console or a mobile phone. Everything is “free” except for a modest delivery charge that requires to put in your credit card data. The scammers then run off with your credit card details.
- Phishing
The Naked Security team has written extensively about phishing, which is sadly still one of the most common and effective cyberthreats around.
Simply put, phishing involves sending you a message that tricks you into clicking a bogus link, opening a booby-trapped file, installing malicious software or simply giving out personal data that you ought to have kept you yourself, such a password, address or account number.
Phishing isn’t just limited to email – it can also take place via SMS text messages (when it is known as smishing), over social media, through other messaging apps such as WhatsApp, or even via voice calls (known as vishing).
LEARN MORE ABOUT SMISHING AND HOW TO STAY SAFE
(Watch directly on YouTube if the video won’t play here.)
- Fake cybersecurity warnings
Sometimes when you are browsing the internet a pop-up appears out of nowhere saying that your computer is infected with viruses. Of course, there’s also a website you can visit for immediate help, and often a tollfree number to call so a “technician” can fix the problem for you right away.
If this happens to you, it’s almost certainly a scam. These fake ads and pop-ups are designed to get you to download and run “security” software for a not insignificant fee, or to pay to give remote access to a “technician” who will “remove” the non-existent security threat for you.
Only trust security information from the antivirus software that you are running. (And don’t forget to check, of course, make sure that your antivirus product is up-to-date, too.)
Can you get your money back?
If you bought an item from an online seller via a site such as Amazon or eBay, see if they can help or intervene.
In addition, you may be able to recover some of the funds you spent, depending on how you paid.
- If you paid by debit card
If you used a debit card you may be able to get your bank to help you recover your money through the chargeback scheme. This is a transaction reversal made to dispute a card transaction and to secure a refund for the purchase.
Contact your card provider for details of their scheme in your country. However, don’t assume that you are going to get your money back.
- If you paid by credit card
If you paid for goods or services with a credit card, most countries have regulations that give you have a greater protection if things go wrong. For example, UK consumers are protected under section 75 of the Consumer Credit Act, while Consumer Protection laws cover buyers in the US.
Unfortunately, whether you can make a claim or not depends on the type of scam you have fallen for, so please get in touch with your card provider for assistance.
- If you paid by bank transfer
If you have been caught out by a convincing scam and unwittingly transferred money into another bank account, you should contact your bank immediately for help. They may help you try to recover the funds.
- If you paid in cash, with cryptocurrency or by wire transfer
Unfortunately, if you paid in cash (or equivalent), you have almost certainly lost it all.
The only person who could refund your money in a case like this would be the scammer you just gave it to.
You may nevertheless want to report the fraud to the police in case they can take any action. If no one says anything, then it’s difficult for law enforcement to justify investigative or preventative action because it looks as though these crimes aren’t taking place.
What if you’re a victim?
Talking about what happened and hearing about the experiences of others who have been through similar experiences can help.
Support groups in the UK are available through charities such as Victim Support, Age UK and Citizens Advice.
Maintain your security hygiene
Here’s a recap of good security practice advice from the Naked Security team:
- Reset your passwords if you’ve been phished, and if you know you’ve used the same password on other websites, change those too!
LEARN HOW TO PICK A PROPER PASSWORD
(Watch directly on YouTube if the video won’t play here.)
- Patch early, patch often. Why be behind the crooks when you could be ahead? Be sure to get operating system updates as well as security fixes for the apps you use and for any devices such as routers, webcams and thermostats that you may have at home.
- Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using two-factor authentication (2FA) means that your password alone is not enough for scammers to log in to your account.
- Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is a least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.
Below are scam reporting links for various Anglophone countries:
AU: Scamwatch (Australian Competition and Consumer Commission)
https://www.scamwatch.gov.au/about-scamwatch/contact-us
CA: Canadian Anti-Fraud Centre
https://antifraudcentre-centreantifraude.ca/index-eng.htm
NZ: Consumer Protection (Ministry of Business, Innovation and Employment)
https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre)
https://www.actionfraud.police.uk/
US: ReportFraud.ftc.gov (Federal Trade Commission)
https://reportfraud.ftc.gov/
ZA: Financial Intelligence Centre
https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx
Wilderness
It’s a good article, but the headline doesn’t match the contents very well. It’s only 10% “Fallen victim to online fraud? Here’s what to do…” and it’s 90% “how not to fall victim to fraud”
Paul Ducklin
I hear you, so I thought I would check… by my word count, Lisa’s article comes in at about 1000 words, of which 400 are explicitly to do with things you can do (or, sadly, in the case of cash, can’t do) after a scam has happened. So I’ll accept 60/40, but I think 90/10 is rather harsh.
FWIW, an important part of “what to do if it happens to you” is: [a] learn what to look for next time and [b] don’t let it happen again if you can possibly help it. So an article that said it would show you what to do after getting scammed and that simply said, say, “Try to get your money back” would be 0/100 by your criteria, yet not very helpful.
Interestingly, one reason why describing how scams work in the first place is vital as part of “what to do it if it happens” is that some common scams – such as fake support calls and phishing that doesn’t directly hack your account or password – actually escape the notice of many victims. Simply put, some fake support scam victims *never realise that they just paid good money for nothing* (or that the “improved protection” they now think they have is just a pack of lies). They think they paid for a genuine service and genuinely received it. This, very sadly – because they are often the loneliest, the most vulnerable, the most fearful, the ones who really can’t afford the financial losses – means they may get scammed again. (Example in the video about smishing.)
So for all that this article could be headlined, “How to stop fraud and also what to do if you fail to do so”, I’m OK with “Fallen victim? What to do…” as well. It’s short and clear and the article *does* cover what it says. That’s in my opinion. (I neither wrote the article nor came up with the headline – two other people did those things – so I think I am being objective enough here :--)
Wilderness
Fair dues
John Knops
Paul you keep preaching the gospel according to 2FA and so does my bank, my internet provider etc. However, and I am not suggesting it isn’t the way to go, I have a great difficulty with it. I use my iMac for most work that needs passwords etc which is upstairs in my study. My phone is downstairs so it a pain to walk down and up. (I am Jack Benny’s age of 39.). I have tried email for this but that became frustrating because of delays in the world system getting the message. And when you have a 5 minute time limit on the 2FA code you could miss it and have to go through the process all over again. This has happened. No, it’s not my settings to get Mail every ten minutes. I just wish the brains out there could come up with another way that protects us but quicker. Can’t the brains devise encryption at both ends similar to the encryption system used by ProtonMail? Frankly I don’t have an answer but I believe there must be one where you enter a simple password which protects you. Banks do it with a 4 number pin for ATM machines. Which seems to be 99 and 44/100ths safe. Why can’t we develop a similar system for online access. What does this have to do with this article? Very little, maybe 3% and maybe I have missed some Sophos articles that answered my queries.
Paul Ducklin
Can’t you just take your phone upstairs with you?
(Given that you mention a ‘5 minute limit’ on 2FA it sounds as though you are using SMS-based 2FA, not a phone app, where codes typically last just 30 seconds. So all you need is SMS capability, not a full-blown Apple or Android smartphone. So if there is an insurmountable reason why you can’t take your phone with you to your computer, then you could just get a second $5 handset with a prepaid SIM, just for 2FA. And if you aren’t receiving emails in under 5 minutes then it sounds as though something is wrong with your email service. Perhaps you could set up a webmail account just for 2FA, where the lag is not so extreme?)
Your situation sounds very unusual, so if there is no workaround you can figure out, then my recommendations aren’t for you – just ignore them :-)
However, I’m still going to keep on suggesting 2FA for those people who could use it if they wanted to, but have never given it a try.
John Knops
The real problem I figure after some thinking over the past few days is that to me telephones work at the end of a copper twisted pair line. The other thing is to remember at my three score years and seventeen. I will look into the prepaid sim card which I can plug into an old phone just for SMS 2FA. You also gave me a great idea for an emergency phone in the car in case I have to call a tow service.
Paul Ducklin
Could get a cordless phone or an extension line upstairs?
At least in the UK, a prepaid SIM can receive messages for free, as long as you have credit on the SIM and make at least one call or send one message every so often (90 days or something). So a small prepayment credit can last ages. Not being a smartphone, the battery lasts weeks and the power off/power on process (when you don’t want to be tracked) takes a coupole of seconds. Horses for courses, etc.
FWIW, there are 2FA authenticator apps you can run on your regular computer, because the cryptographic calculations are trivial if you have a computer clock accurate within about a minute or so. But I don’t recommend this because the the secret starting seed for your authentication has to be stored and accessed on your computer, which is not very secure and makes it more like one-and-a-quarter-FA.
You might also want to look at the Yubico Yubikey products, see which of your services they will work with.