Beware of Personalized Email and Phone Scams
As the general population becomes ever more skilled at spotting and avoiding the various email and phone scams cybercriminals perpetrate, scammers can only respond by upping their game. Whenever they do, the rest of us need to come up to speed on how scams are changing so we all can continue to successfully spot and avoid them. Change is afoot.
For years, scammers have targeted the general population by creating generic email or phone scripts and then using the same script over and over on millions of individuals. This is starting to change because the effectiveness of these types of generic attacks is apparently dropping. For example, the vast majority of folks today would immediately recognize and know not to open or respond to email purportedly coming from a Nigerian Prince.
A new type of scam, which is starting to take the place of generic scripts, targets individuals instead of the masses, and it’s all about personalization. Think about the odds of success with a scam if someone receives an email or a call where they are addressed by name, where the sender or caller already knows the last four digits of the person’s social security number, a password they use, or other personally identifiable information.
This is easier to do than you might think, in part due to the incredible amount of personal information that has been stolen in recent years as a result of events like the Equifax breach. In addition, similar information is readily available on social media sites and in publicly available government records. All a scammer needs to do is find or purchase this kind of personal information and it’s game on.
Here’s just one example. Cybercriminals will obtain passwords from a hacked website, gather a few additional personal details about everyone in the database they are working through, and then send a personalized email out to all of these target recipients. These emails will inform each recipient that not only has their personal computer been breached, but the target has been caught viewing pornography on their home computer. The target’s stolen password will also be referenced as proof. The scammer will then demand payment of an extortion fee, which, if not paid, will result in evidence of the embarrassing online activities being shared with friends and family.
Of course, these cybercriminals never tried to hack into any target’s home computer; they have no idea who any of their targets really are and no clue about anything any of the targets have done online. It’s all a scam. Unfortunately, however, the use of personal information in an email or on a call in this way significantly improves the odds of success. All I can say is beware. Just because someone seems to know a little something about you doesn’t mean you should trust them. Oh, and one final thought. Never confirm whether any personal information someone claims to have is indeed accurate and never share any additional personal information, particularly if you didn’t initiate the contact. Doing either would be a really bad idea.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 550 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.