It’s that time of year again.
A day of romance, crowded restaurants, overblown gestures of love, and…
Well. You get the idea.
For those of us in the security world there’s another, less enjoyable component to Valentine’s Day. Yes, even less enjoyable than trying to share a romantic meal while sitting less than a foot away from four other couples.
Yes, I’m talking about holiday-themed phishing scams. We’ve written about this precise topic many times before (including last Valentine’s Day), but so far we’ve never tackled the specific scams that surround this romance-centric annual event.
So before you send those Dutch-courage-fueled love notes, just take a moment to consider…
The Perils of Love
Firstly, there’s nothing new about scams that prey on our emotions. For years it’s been common practice for a certain type of miscreant to build relationships with lonely people, and use that leverage to con them out of their hard-earned money.
In recent times, this practice has gone online. Scammers create social media profiles and online dating accounts in fictional names, and use them to lure lonely people into relationships.
Once these relationships are established, i.e., the victims are suitably enamored with their non-existent partners, things start to happen.
Perhaps the “eligible middle-aged bachelor” is injured, and has healthcare costs to pay. Perhaps the “young college beauty” has her credit card frozen at an inopportune moment, stranding her at the airport.
Whatever fictional circumstances arise, the result is always the same: the love interest needs money — quickly — to overcome their difficulties.
You can see where this is going, can’t you?
Proficient scammers can sometimes keep victims on the hook for months, extracting thousands upon thousands of dollars from them with their sob stories and promises of future repayment. This visual analogy of a hooked fish, combined with the romantic overtones, led to the scam being dubbed catphishing.
Clearly, for those of us with vulnerable friends or relatives, this is a troubling trend. Personally, I know a disturbing number of people who have been targeted by these scams, some of whom even sent money before having the situation explained to them. These acquaintances include:
- A recent female retiree, who took her first foray into online dating and was immediately courted by an “overseas military officer” who quickly fell on hard times.
- Two separate lonely, middle-aged men, one of whom sent over $10,000 to the “lady” he was communicating with, and went so far as to pay for her flight and drive to the airport to collect her (she never turned up).
- An elderly gentleman who was moments away from sending money to a “Nigerian princess” before having the scam explained to him by a young man at the bank.
- A young man who met an attractive lady while on holiday in Thailand, and sent her a great deal of money over the following months before realizing he was being conned. This one was different in the sense that the scammer was using her own identity, but the subsequent online catphishing process was otherwise indistinguishable.
A Different Kind of Love
Today, we’re here to talk about how catphishing can make its way into the workplace. It’s plausible that catphishers would target an employee under the guise of love in order to deceive them, conduct espionage, or otherwise compromise a business network.
We’re not talking about basic holiday-themed phishing attacks, which typically cast a wide net in the hopes of deceiving the odd distracted user. We’ve written about precisely this phenomenon before, and while it will inevitably surface once again this Valentine’s Day it doesn’t need another post all to itself.
No, what we’re talking about is on another level of deception. That means very carefully selecting targets, meticulously developing a persona (including social profiles, an online footprint, personality traits, and more) and a systematic attempt to befriend, entice, and exploit. These scams are put together so comprehensively that the intended target would need to be paying close attention to realize something was amiss.
Let’s face it, we’ve all experienced the unmistakable feeling of our heart fluttering when we see an email, text, or instant message from that special someone. Do you think people wait until they get home to open that message? Let’s be real.
Once rapport has been built with a victim, scammers may start to ask them more and more questions about their job, the projects they’re working on, or some other area of interest. Alternatively, they may simply use their relationship to persuade victims to open malicious attachments, thereby compromising their network.
This type of targeted attack poses a problem for organizations because it’s very difficult to predict and prevent. It requires individuals to exercise caution and rational judgment in their personal lives, not just while they’re at work.
So what can you do to protect against catphishing ruining your day...year...career?
The most obvious answer is to train your users to be safe online, but that doesn’t quite cut it. We’re not talking about exercising good cyber hygiene or avoiding obvious traps. Phishing works because it plays on emotional impulses hardwired into every human being on the planet.
Take a busy, lonely professional — irrespective of age, gender, or area of industry — present them with what seems like the perfect online match, and then try telling them to simply “play it safe.” I know plenty of people who open their online dating profile up to the world...yes, world. Do you think they listen when I caution against meeting that person for the first time in a different country? They are "in love" and didn't hear a word I said.
No, avoiding becoming the victim of a catphishing scam doesn’t simply require individuals to be careful online. It requires them to keep in mind a few simple facts:
- Nobody is perfect, so be suspicious of online communications if they seem oddly perfect
- Be suspicious of people you meet online if they show no interest in meeting in person, or at least in speaking via Skype or voice chat
- If they have social media, take a moment to look at their followers. In many cases, these fictional accounts will only be connected with obvious bot accounts
- People who show an unusual level of interest in your job, your organization, and your day-to-day duties are probably not legitimate love interests
Simple, right? Easier said than done.
From the first conversation a victim has with their scammer, they’re gradually building up trust and romantic interest that will ultimately be used against them in seemingly innocuous ways. By the time something remotely suspicious happens, the victim is already caught hook, line, and sinker.
If I had to give one piece of advice to help others avoid the clutches of catphishers, it would be this:
If it seems too good to be true… it is.