Charity Scams are Real – How Low Will They Go to Exploit a Tragedy?
Here at Social-Engineer.org, we have a motto of “leave people feeling better for having met you.” While this is engrained into our lives, work, and everything we do, to be a professional social engineer it’s important for us to be able to still think like an attacker. However, this mental exercise can prove difficult at times, especially when you realize how few morals criminals have when dealing with fellow human beings.
For example, when tragedy strikes, good people all over the world come together and help one another. It is in our nature to help. We frequently reiterate this fact when teaching and training, because bad actors use human nature to exploit potential targets and they know it works. But how low will criminals actually go to exploit a tragedy? This month, we highlight some recent news and charity scam stories to serve as a reminder of who we’re up against and offer recommendations on how to protect yourself and your loved ones.
Charity Scams Are Real
When something big hits the news feed and receives a lot of attention, attackers pick up on trends and try to capitalize on the opportunity in the moment. When the Camp Fire wildfire in California happened in 2018, there were reports of business email compromise (BEC) attacks being run trying to solicit money for “clients” affected by the fires. The pretext used was for members of the accounting and other financial departments of the targeted companies to buy numerous $500 gift cards with corporate money to provide quick financial assistance to the victims of the natural disaster. The phishing emails claimed to be coming from top-level executives as to appear legitimate to the targets. The targeted businesses were within close proximity of the event to get the most emotional response they could.
Social attacks and human targeting increased by 18% and 20% respectively over the past six years, according to the newly-released 2019 Verizon Data Breach Investigations Report (DBIR). This finding reinforces the need for structured, continuous education and testing of your userbase to help them protect the assets and resources both in your organization and their personal lives. The training employees obtain at work will naturally flow into their personal lives and allow them to better protect themselves and their families.
During the Notre Dame fire that occurred in France, attackers were quick to collect money to “assist” the church. There were crowdfunding sites set up which appeared, at least superficially, to be related to the church but few actual details could be found that showed they were legitimately connected. The attacker’s created fake domains that redirected back to the fake crowdfunding sites and utilized social media to promote both channels in an effort to collect as much money as possible, quickly after the incident occurred.
Closer to Home
Very recently, there was a school shooting in my local area. The news of the event was picked up nationally very quickly. Social media was a buzz with conversations on the topic. When it was occurring, I was diligently working my day job like I would any other weekday. Then in the early afternoon, I received a text message that said something to the effect, “Caleb is talking from my friend’s phone You need to pick me up at REDACTED rec center.” That was odd for many reasons. One, I had never heard of the specific rec center that was mentioned. Two, I don’t know anyone named “Caleb”. And three, the English was a bit broken.
I let the message sit for about an hour before I sincerely replied, “Sorry, wrong number.” Almost immediately after I hit send, I received a phone call. The call was an obvious recording pitching life insurance. The recording made it sound like I was attempting to get a quote on a website and this “person” was calling in reference to that. Now at first, I didn’t connect the two events. Once I hung up on the robocall, I immediately received another call. Different voice but similar pretext playing out. It did originate from the same phone number though. I answered it this time because I was curious. After hanging up on that call I then received a text message, with the same pretext as the calls. At this point, I realized that my simple response to the first message initiated the events that followed.
Later that day, I found out that the recreation center mentioned in the first text message was the location where parents of the students involved in the school shooting that day were being publicly told to meet up. All the pieces fell into place that the text message was a ploy based on current, local news, to pitch a heavily reported insurance scam. I looked up the phone number used in the calls and it was reported multiple times from multiple states to be a scam. While this example is not about a fake charity, it does show that any trending news story can be used to initiate contact with potential victims.
How to Protect Yourself
Natural disasters and horrific tragedies can generate powerful emotions. Just as I talk about in a previous newsletter, having emotions is fundamental to being human. Attackers try to generate or capitalize on powerful emotions because critical thinking suffers during that period of time. When you are presented with a situation where you are being asked for something, personal information or to take an action, and you notice you are very emotional about the topic or request, that should be a red flag to step back and take a minute or two to think about the situation. You only need a short period of time to pass before emotion gives way to critical thinking.
If you want to give to charities during times of need and are solicited to make a donation, take the time to check the validity of the charity. That time will allow you to see the request for what it is and possibly prevent giving money to a fraudulent entity. The question of how low will they go to steal money or information should be clear; cyber criminals will try to monetize any event that generates strong emotions regardless of topic.
Stay safe, be kind, think critically.
Written by: Ryan MacDougall