Does a friend “need money urgently”? Verify your information before paying… – Naked Security


Thanks to Naked Security reader Mr Carter for their help with this article.

Last week, we warned about a Facebook Messenger scam that used a fake video to lure you to a fake Facebook login page.

In this scam, scammers used stolen Messenger passwords to phish even more Messenger passwords by sending messages that genuinely appeared to be from friends and family.

Fraudulent messages of this type are much more credible than spam emails, for two reasons:

  • Social networks and instant messaging groups are often closed to strangers, so you are more likely to trust messages within the group.
  • The fake messages are indeed coming from friends’ accounts, but not from the friends themselves.

But what do criminals use the stolen email passwords for, other than stealing even more passwords?

Here’s an example sent by a Naked Security reader who was asked by a “friend” for help making a payment:

As you can see above, the scammers, who had access to the friend’s account, got straight to the point: “I need help paying a bill.”

Although most of us will probably be suspicious right away, many of us will have friends and family members that we have already helped financially, so we might be willing (or at least polite enough) to inquire further.

In this case, the recipient knew it was a scam from the start, but decided to see how things would pan out if they gave a few carefully guarded answers.

Here’s how the conversation went:

The situation here is plausible – anyone who’s ever been forced into taking out a short-term “payday loan” will know that fees add up quickly for missed payments – and many of us might decide that helping out a friend or member of family is something we should do.

By the way, the payment details we redacted above were genuine, identifying a financial company in the UK which is what you might call a “cloud bank” – a new online financial startup aiming to offer Banking-as-a-Service (BaaS) to help future online merchants easily create their own transactional apps and websites.

The recipient reported the scam to the company involved, which we applaud.

While the bank cannot summarily close an account on the advice of anyone other than the account holder, we hope the report will at least help in having the account investigated and suspended.

Unfortunately, most people who go so far as to receive the account number in a scam like this will already be convinced that it really is their friend in financial trouble on the other end, so it’s unlikely they’ll report the problem to the bank until after realizing they have been scammed.

On the other hand, most people who think it’s a scam will just ignore the message and therefore won’t end up with an account number to report or a bank code to track down.

Notice how the scammers asked at the end for the account details which they could use to refund the money.

Even though the scammers would know which account you deposited the money into (account details are recorded as part of the transaction), you may be divulging even more personal financial information if you comply with this latest request.

Old scam, new twist

Interestingly, this type of “urgent money need” scam, sent from hacked accounts, was widespread a few years ago under the guise of a friend who had been assaulted while traveling abroad.

At the time, the amount of money was usually a little higher – often $800 or more, compared to the £290 (around $400) above – and you were told to send the money by bank wire transfer, an irreversible process that is equivalent to handing over money.

The use of a transfer instead of a regular bank payment was justified on the grounds that the “victim” no longer had his bank card, or even any identification, and therefore needed the funds sent to him in a way that allowed him to get paid at the other end in cash.

Details were often added to these “attacked abroad” scams to increase the urgency, such as that your friend would soon be kicked out of their hotel after canceling their credit card, or was under pressure to pay a hospital fee for the treatment they received after the assault, or needed cash for transportation to get to the nearest consulate to get an emergency passport.

Nowadays, of course, people are not only more aware of the risks of bank transfers – namely that there is almost no possibility of recourse in the event of fraud – but also unlikely to travel abroad unexpectedly, thanks to coronavirus regulations.

So the scammers have reinvented an old fraud in a new form, with “loan in progress” replacing “stolen on vacation” and “online banking payment” replacing “bank transfer”.

What remained the same is that you are not helping your friend at all because your friend’s account has been hacked and the money is going straight to the crooks.

By the way, the reader who sent us the details was one of many mutual friends who received fraudulent contact from the scammers through the hacked account.

What to do?

  • Always check your facts before helping friends in trouble. But be careful how you reach a friend you’re worried about – never respond directly to an online account that might have been hacked. Find another way to contact your friend, based on the information you already have.
  • Let your friends know if you think they’ve been hacked. But never respond using the account that has been hacked, otherwise you are just letting the crooks know. Find another way to reach them, like a phone call, where you’ll have a way to make sure you’re actually talking to them.
  • Use a password manager and 2FA to make it harder for scammers. A password manager prevents you from putting real passwords into fake sites, which helps you avoid being a victim of phishing. And using 2FA means your password alone isn’t enough for scammers to log into your account.
  • Report scams if you can. You may not feel like you’re doing much to help, but if lots of people provide evidence, there’s at least a chance of doing something about it. On the other hand, if nobody says anything, then nothing will or can be done.
      Below, we've listed scam reporting links for various Anglophone countries:
      AU: Scamwatch (Australian Competition and Consumer Commission)
      CA: Canadian Anti-Fraud Centre
      NZ: Consumer Protection (Ministry of Business, Innovation and Employment)
      UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre)
      US: (Federal Trade Commission)
      ZA: Financial Intelligence Centre

