<\/strong><\/p>\n\n\n\n
Gilit Saporta, Head of Fraud Intelligence<\/em><\/strong> at Simplex<\/strong>, addresses \u2018work from home scams\u2019 and how Covid-19 could (and is) potentially increase the number of phishing and social engineering attacks<\/em><\/p>\n\n\n\n \u2018\u2026He said that working from home was really easy, and that I could make more money than what I used to get when I was taking care of older folks. I knew he was a serious employer because he asked for references, and also for my bank account details and my SSN\u2026 you hear about people who fall for scams all the time, but I never thought it could happen to me\u2026\u2019<\/em><\/p>\n\n\n\n When Maya (names have been changed to protect the privacy of fraud victims) tells her story, it\u2019s important for her to clarify that she was only looking for a chance to make an honest living. For several months, while she was in between jobs, she honestly believed that she was working as a broker for a cryptocurrency investment company. She provided her true personal details, including a photo of her driver\u2019s license, in order to place dozens of Bitcoin purchases. She paid for the Bitcoin with credit cards numbers that were sent to her on weekly spreadsheets (representing the customers of the company, she thought). She forwarded the purchased Bitcoin to the wallet of her employer. She used her own credit card to invest a few thousands of dollars herself, as well.<\/p>\n\n\n\n When Maya asked to withdrawal her earnings herself, she got no reply. Only then, slowly, she began to realise that she had been a victim \u2013 and an accomplice \u2013 of fraud. She filed chargebacks for the payments made on her credit card, but she neglected to mention the numerous payments she had made using other people\u2019s credit cards. Only later, when contacted by her issuing bank, she openly recounted the events. It was important to her to emphasise that she was a law-abiding citizen.<\/p>\n\n\n\n Home dwellers are natural prey for scammers<\/strong><\/p>\n\n\n\n As a leader in the field of FIAT to Crypto payment processor, and a licensed Electronic Money Institution, Simplex daily witnesses \u2013 and prevents \u2013 thousands of social engineering attempts. Simplex\u2019s fraud prevention (powered by machine learning boosted models) detects countless new victims regularly, with the average attacker attempting to steal over USD 7000 per victim (first attacks often aim for roughly USD 2000). Most social engineering attacks viciously target 2 populations: the retired, and the unemployed.<\/p>\n\n\n\n It\u2019s natural for offenders to prefer the elderlies. First and foremost, many senior citizens are not tech-savvy nor internet\/crypto-savvy, so they fail to spot signs for scam. E.g., a pair of Canadian scammers convinced their victim that they were customer-care representatives, simply by creating a Twitter account with the handle of @HitBTCAssist. The scammers were successful<\/a> enough to book a trip to Las Vegas and hit the casinos, before being arrested at the airport.<\/p>\n\n\n\n The second reason for scammers to \u2018favour\u2019 elderlies and non-working victims in general is that they are usually free (and often eager) to make long, friendly, phone calls or email\/chat correspondences. This is where social engineering artists find their opportunity to shine. As social beings, we are naturally programmed to seek interaction and affirmation from others. Older generations might also consider it their duty to politely listen fully to what their counterparty has to say. Sadly, this plays right into the hands of social engineering masters.<\/p>\n\n\n\n … and then came Covid-19<\/strong><\/p>\n\n\n\n Why do scammers love it when we\u2019re all stuck at home? They have all the reasons in the world. Millions of teachers, students, caregivers, etc. now spend the better part of their day with their screens to keep them company (both for work\/school and for pastime). Most of them are not adequately aware of internet-safety. Many of them are already flooded with emails and direct messages, as they are adjusting to work-from-home mode. It won\u2019t be too difficult for a scammer to find schoolteachers who would install remote control malware, or share student private info, while thinking that they\u2019re installing Zoom.<\/p>\n\n\n\n Moreover, Covid-19 leaves many of us home alone with uncertainty about our financial future. It\u2019s still difficult to estimate how many jobs will be lost during this crisis, but one thing\u2019s for sure \u2013 phishing and work from home schemes are already here. In quarantined Israel, for example, phishing schemes which promise free food coupons at a large grocery stores chain are currently flourishing<\/a> and the rate of new work from home posts on local social media groups<\/a> has tripled within a month.<\/p>\n\n\n\n Whether we\u2019re already experiencing financial difficulties or if we\u2019re only anxiously looking towards the future, we are all clearly feeling like a fish out of water these days. We may feel bewildered at the fast-evolving reality, swamped with fake news and easily distracted (parents are practicing a whole new level of multi-tasking these days). Honestly, many of us are probably exhibiting the behaviour of senior citizens these days.<\/p>\n\n\n\n Cryptocurrency scammers use work from home workers to launder stolen funds<\/strong><\/p>\n\n\n\n So, the bad news is that humanity is extra sensitive to social engineering during this crisis. The good news is that several of the high-risk industries of ecommerce and fintech have accumulated years of experience in battling these scams. In cryptocurrency, which was long perceived as the holy grail for fraudsters, EU regulators, together with large exchanges, payment processors and financial partners, were pushing for safety measures long before Covid-19 took over. Nimrod Lehavi, CEO for Simplex, writing for FinanceMagnates<\/a>, describes how regulators perceive the threat of social engineering on cryptocurrency ecosystem: <\/p>\n\n\n\n \u2018For exchanges, who are able to deal in fiat, the necessity of abiding by transparency regulations and rules becomes a significant chore. For such exchanges, proper processes of Know Your Customer (KYC) and Anti Money Laundering (AML) are a lifeline to legitimacy that must not be broken\u2026\u2019<\/p>\n\n\n\n Because of unfortunate data breaches of the last decade, attackers currently have access to so much compromised personal data, that they easily undertake massive attacks \u2026 Regulators of 2020 are painfully aware of the massive data breaches of the former decade. The large early breaches, such as the 3 billion 2013 breach at Yahoo, were not necessarily the worst ones \u2026 The most severe breaches of the second part of the decade were those which were almost immediately tied with increased fraud and money laundering rates around the world: 143 million records data breached at Equifax in 2017, then in 2018 and early 2019 a series of significant data breaches in Marriot, CIBC, First American Financial Corp and Facebook, affecting over 1 Billion records in total\u2026<\/p>\n\n\n\n Armed with rich stolen personal data, fraudsters perfected a common trick called Smurfing: instead of the same person creating multiple accounts, they use a single broker, with money laundering completed by using it to make multiple transactions to unsuspecting individuals who don\u2019t know they\u2019ve helped the fraudster diversify. When \u2018smurfs\u2019 and money-mules are recruited to the aid of the fraudster, detecting illegitimate activity becomes even trickier, because the innocent \u2018smurfs\u2019 do not exhibit malicious indicators. North America and EMEA are equally prone to the risk of social engineering, with dozens of fake websites going live on a daily basis to lure in unsuspecting \u2018smurfs\u2019.<\/p>\n\n\n\n Stay safe \u2013 health-wise, fintech-wise, cyber-wise<\/strong><\/p>\n\n\n\n It’s clear that cryptocurrency related services, who have already honed their fraud (and money laundering) prevention capabilities, are quite aware and well equipped to fight for our safety during this crisis. The example of Simplex, as a payment processor offering multiple flows, shows that the more sensitive payment options requires stronger defences. E.g. there are traditional mechanisms to protect users from the classic fraudster who attacks Simplex\u2019s buy-crypto-with-credit-card flow, and then there are the mechanisms to protect Simplex\u2019s Account onboarding flow, which allows both SEPA transfers and sell-crypto transactions. The latter option, being a stronger financial tool, has a strong appeal to social engineering attackers, which means top-notch identity protection on Simplex\u2019s side.<\/p>\n\n\n\n Still, even with the best protections from payment processors and merchants, the safety of the internet can really be revolutionised through raising user awareness. Perhaps one last silver lining is that the younger generation, who currently can\u2019t go to school, might get a valuable lesson on internet safety. Better yet, if you have a millennial in your area, this might be a good time to ask them to give a call to their grandparent, ask how they\u2019re doing and have a talk about phishing awareness. Stay safe!<\/p>\n\n\n\n![\"\"\/](\"https:\/\/pbs.twimg.com\/media\/DiXrs-mW4AElhEW.jpg\")
<\/figure>\n\n\n\n