Preventing Online Fraud—Always Verify Information Requests

October 12, 2018

In Traverse City, and Northern Michigan, we live in a very trusting culture. For most of us, the idea of impersonating someone for fraud or financial gain isn’t something that would enter our wildest dreams. However, in the rest of the world, impersonation is a strong tool that can be used to defraud you.  

In the digital world, it’s easy to impersonate someoneand with all the information available about us from social media and our online history, the impersonators can be very believable and very persuasive. 

When you receive requests for information, whether online through social media, chat (google hangouts, Microsoft Teams, Skype), message boards, online forms, voice (office phone, cell phone), you must verify with whom you are communicating. This means establishing a protocol that can establish identity in at least one way. (See my previous blog post on dual factor authentication to learn about multiple ways of authenticating someone.) 

It is always important to verify identity on information requests, even if the information being requested doesn’t seem important. 

When online fraudsters attempt to defraud someone, they will often take several pieces of information and combine them to create a compelling reason for someone to act. Let’s look at an example of how this works. 

One of the most popular online scams is to trick administrative assistants to transfer funds in some way (either through a bank, but also through things like Apple Itunes cards) to the criminal. One of the ways they trick them is by combining a few bits of information to create a compelling story for the transfer. In our story, the small business owner (or executive) is on vacation.  

How a Common Scam Works 

The criminal has been monitoring the small businesses owner’s social media, and notices posts with pictures of palm trees and LinkedIn posts about recharging their batteries to tackle the year ahead. The criminal now suspects the small business owner is on vacation. The bad guy will then use email, web forms, or other communications to verify that the owner is away. An unsuspecting admin may respond “Mr. Smith is out on Vacation till the 31st. Is there anything I can help you with?”  

Now the criminal has verified their suspicions and can use this to further trick the admin. The criminal may then compose an email from a similar domain to the owner’s companyone that is designed to look like the owners email. For example, the email may be from owner@abcccompany.com rather than the real email address owner@abccompany.com. The email may say something like this: 

Admin Joe, 

I’m having trouble sending a payment to Badguy inc. The wifi here is terrible. Could you please send $20,000 to this bank account – routing 12345678 account# 123454321. 

This is urgent, the project I’m working on upon my return requires this. 

Thanks, 

Owner 

Of course, this scenario has several instances where verifying the identity of the requester is highly important. The admin should’ve worked much harder to learn who was asking to communicate with the owner before they let the stranger know that the owner was away. The admin should be very diligent in verifying the authenticity of the request from the owner before any bank transfer should ever happen.  

In this scenario the process should be: 

  •  Any purchase over a conservative dollar amount agreed upon at a previous date must require a verbal communication with the owner.  

  • Any communication regarding the owner's schedule should be only communicated to verified clients or leads. 

Beware caller ID as your authenticator 

Caller ID should not be used for verifying if someone is who they say they are. Caller ID is very easily manipulated. 

What can I use for authentication? 

  • Secret passcode 

  • Do you recognize their voice? 

  • Emailing or calling others on the staff to verify the legitimacy 

  • Invoice or payment verification (you may recognize this from your bank, asking the amount of the last deposit.) 

One last note of caution 

It is important to verify that the person making the request may not actually work for the company they are representing. They may have your authentication but are working rogue. For very important or costly things, you need to make sure that the person making the request still has the authority to do what is being asked.