Sunday, February 01, 2026

Privacy, Online Fraud, and What You Can Do About It

This past week, I was invited to speak with a client’s employees for International Data Privacy Day about “Privacy, Online Fraud, and What You Can Do About It”. There were a few hundred people on the call and I’m told it was well-received. So I’ve decided to take that presentation and turn it into an episode for this channel / podcast. 

In my practice, I get to do some really awesome things with really great people who bring innovative products to consumers and business customers. But I also see some pretty shady, horrible stuff that takes place online. 

I don’t know what the proportion is between people who are awesome and innovative, and people who are horrible and innovative. There are a lot of horrible people out there who are really crafty, and have found the internet and digital tech to be a great avenue to take your money from you. 

So what I want to do today is raise awareness about privacy, explain how it connects directly to online fraud, and walk through the kinds of scams and misuse of personal information I’m seeing most often. I’ll also spend some time on practical, concrete steps individuals can take to protect themselves.

What Is Privacy — and Why Does It Matter?

Privacy is a weird thing. It’s very personal, so it varies from person to person. It also is culturally informed. At the end of the day, privacy expectations vary enormously.

Different countries — and even different generations — have very different norms around personal information.

You’ll often hear people say that “young people don’t care about privacy”. That hasn’t been my experience at all.

Young people care deeply about privacy — but they’re very intentional about “audience”. I often point to examples like people having multiple social media accounts on the same platform: one Instagram account for close friends, another that’s more public and curated. That’s not a lack of concern for privacy; it’s a sophisticated understanding of it.

Privacy also depends on context. People post different things on LinkedIn than they do on Facebook, and different things again on Instagram or in a private group chat. The audience matters, and expectations matter.

Privacy as a Legal and Compliance Issue

In workplaces, privacy most often shows up as a legal and compliance issue.

In Canada, privacy laws differ by jurisdiction. In this context, jurisdiction can mean province to province, and it can mean between provinces and the federal government. It can also mean between the health sector and other sectors. These laws generally share a common structure, though. Today I’ll focus on the privacy laws – federal and provincial – that govern what personal information businesses can collect, use or disclose, and the parameters around that.

Very broadly, these laws say that organizations may only collect, use, or disclose personal information:

  • for purposes that are reasonable;
  • that have been explained to the individual;
  • that the individual understands; and
  • that the individual has consented to, subject to limited exceptions.

Those purposes are critical. They are the thread that runs through privacy law.

Organizations can only collect information that is necessary for the stated purposes. They can only use it for those purposes. If they want to use it for some other purpose, they generally have to go back to the individual and obtain new consent.

And once the information is no longer needed, it should not be kept indefinitely. Retention has to be tied to legitimate purposes, such as legal requirements or risk management. If you don’t need it anymore for the “purposes”, get rid of it. 

Privacy laws also require organizations to protect personal information using safeguards appropriate to its sensitivity.

The more sensitive the information, the higher the expectation of protection.

A lot of privacy complaints and mistrust come down to expectations. People feel unsettled or “creeped out” when information is used in ways they didn’t expect, disclosed to people they didn’t expect, or wasn’t protected to the level they expected.

The law doesn’t talk about being “creeped out,” but that reaction is often a sign that expectations were not properly set or respected. It means you haven’t clearly identified the purposes and gotten their OK. 

Privacy Harms

Canadian privacy law now explicitly recognizes a range of harms that can result from misuse of personal information, including:

  • bodily harm;
  • humiliation or embarrassment;
  • damage to reputation or relationships;
  • loss of employment, business or professional opportunities;
  • financial loss; 
  • identity theft;
  • negative impacts on credit records; and
  • damage to or loss of property.

Even information that seems relatively innocuous — like an email address — can create real risk when taken out of context.

For example, if someone obtains an email address from a particular organization, they know the individual has a relationship with that organization. That makes phishing attacks far more convincing. Say a bad guy gets a customer list for a business. The bad guy can send emails to the customers pretending to be someone from the business, asking them to “update their billing information” or something. The fact that it looks like it comes from someone they know makes it more likely that the recipient will act on that email.

The Scale of Online Fraud

Online fraud is enormous in scale. According to the Canadian Anti-Fraud Centre, it received more than 33 thousand reports in the first three quarters of last year, with more than half a billion dollars lost — and that’s almost certainly an understatement, because many victims never report what happened.

Fraud affects individuals, families, businesses, schools, hospitals, and governments. While large organizations often make headlines, individuals frequently suffer the most direct harm.

The Canadian Anti-Fraud Centre has an enormous catalog of the types of fraud that get reported and it’s worth taking a look at it to help understand all the different varieties of scams and frauds that are out there. 

As I said, it’s enormous but I’ll go through some of the most common fraud types that I’m seeing and then will provide some pointers on how to protect yourself. 

Common Fraud Scenarios I’m Seeing

Email Account Intrusions and Business Email Compromise

One of the most common starting points is an email account compromise.

If someone gains access to your email, they often gain access to much more: documents, shared drives, financial systems, and internal platforms. There’s a lot in your email inbox that a bad guy can use to cause harm. 

In many cases, the harm that they can cause is impersonating the person whose email they’ve taken over. I’ve seen far too many cases where attackers simply watch — waiting for the right opportunity to inject themselves into a conversation.

I’ve seen situations where attackers impersonate trusted employees and send emails redirecting payments or requesting urgent action. Because the email comes from a real, trusted account, it’s very convincing.

Funds Transfer and Payroll Fraud

A classic example is funds transfer fraud. An attacker impersonates a vendor or employee and provides “updated” banking information. Payments or payroll deposits are quietly redirected to fraudulent accounts, sometimes for weeks before anyone notices.

I’ve seen many cases where a company is about to make a big sale, and some bad guy lurking in their system impersonates the sales person or a person from finance and tells them the payments for the widgets should be made to a particular bank account. That’s not the company’s actual bank account, but one that the bad guy has access to.

Another, smaller scale example is a bad guy who knows that a person is employed with a particular company and gets the contact information for the payroll department of that company. One email that convincingly looks like it comes from the employee sent to HR saying “I’ve switched banks, so please have my direct deposit go to this new account ….” In the grand scheme of online fraud, that’s relatively small potatoes, but a bad guy that does that A LOT will make a lot of money. And leave a lot of frustrated employees in their wake. 

Tech Support Scams

Many people have received calls claiming to be from Microsoft or their internet provider, warning about suspicious activity.

The goal is to convince the victim that they have to make changes to their computer, which is really to install remote access software. Once that happens, the attacker might as well be sitting at your computer. They can block you from using it, they can control the computer, access saved passwords, log into online banking, and move money.

I’ve seen cases where victims were locked out of their own computers while attackers logged into online banking and emptied accounts in real time. 

I’ve also seen cases where bad guys have used remote access software to just watch everything the person was doing on the computer, waiting until they can extract the most cash.

Grandparent and Family Emergency Scams

This increasingly common scam targets grandparents, and it is one of the most heartless, reprehensible scams out there. It targets pensioners and exploits the best intentions of these victims.

Attackers impersonate grandchildren or other family members using information found on social media, claiming they’ve been injured, arrested, or stranded. They create urgency and demand immediate payment.

In some cases, AI is now being used to mimic actual voices, making these scams even more convincing. In other cases, the scammer pretends to be a lawyer, telling the grandparent or family member that a loved one has been arrested and requires immediate bail money. 

Fake Renewals, Refunds, and Overpayments

These include fake subscription renewals, refund scams, and overpayment schemes on online marketplaces.

In some cases, you’ll get a text message or an email saying that some service is about to renew for a huge sum, and “click here” to cancel the renewal. That click takes you to a fake site that is looking for your Amazon, Netflix or other online credentials. With that information, they can impersonate you and perhaps your payment information. 

In an overpayment scam, for example, a buyer sends a cheque or bank draft for more than the agreed amount. They say it was a mistake or was intended to cover processing charges, and then asks the seller to refund the difference — before the original payment is discovered to be fake. Before the cheque or bank draft is found to be fake by the seller’s bank, the seller has already sent actual, non-refundable funds to the scammer. 

Fraudulent legal notices

There’s a pretty common scam, usually via text message or email, that purports to be a legal notice saying that you have an outstanding fine or other sort of payment that needs to be made to a government authority. Last year I got one that purported to be from the “Ministry of Transportation of Canada” that said my license would be revoked, my vehicle registrations would be blocked and there could be further action if I didn’t pay a parking ticket using the link below. 

Some of them will refer to overdue taxes and penalties. Yeah, it’s just fraudulent. 

Ransomware and Data Theft

Ransomware attacks lock people and organizations out of their systems and often involve theft of sensitive data. Using a number of means, including malware-infected email attachments or the remote access software I discussed before, a bad guy gets into a computer system and installs software that will encrypt all the data on the system or the network.

They will then blackmail the victim to pay some amount in bitcoin to get the decryption key. 

Once companies realized that having good backups out of reach of the bad guys would mean they didn’t have to pay for the decryption key, the bad guys started to download all the data they could get their hands on before encrypting it. 

So even organizations with good backups may feel pressure to pay to prevent stolen data from being leaked or misused.

So many of the cybercrime stories that hit the headlines are ransomware, as they will often shut down a business for days or even weeks before things get sorted out.

Sextortion targeting young people

In my book, if you go after pensioners and whatever savings they have, you’re an absolute horrible person. But words fail me in describing the grotesque and vile people who target young people with sextortion. 

In this type of crime, fraudsters create fake profiles on social media, discussion boards and dating websites. Using the persona they’ve adopted, they reach out to people – often young people – and lure them into a relationship. Using a whole range of manipulative tactics, they coerce them into taking intimate images of themselves or performing sexual acts on camera. The victims sincerely believe that they are in a relationship with the bad guy. Then he records the session and threatens to send the image or video to other people – like family members or friends – unless they pay or provide more sexual content.

It preys upon young people’s vulnerability and exploits shame. Many victims have died by suicide, and the horrible perpetrators go on to the next victim.

So What Can You Do to Protect Yourself?

There is no such thing as perfect security, but there are practical steps that can significantly reduce risk.

Try to Slow Down

Scammers rely on urgency. If someone is pushing you to act immediately, that alone should raise red flags. The bad guys want you to act immediately so you don’t have a chance to reflect on what’s really going on. Take a deep breath, step back and remember that very few things require an immediate decision – particularly for a situation that comes out of the blue. 

Verify Things Independently

Never rely on contact information provided in a suspicious email or call. Use a trusted number or address you already have.

For example, if your “bank” calls you and asks for information, hang up and call the number on the back of your bank card.

Never let a stranger tell you to do anything on your computer or your phone

No legitimate company will cold call you and tell you to do anything on your computer or phone, or tell you to install software. If that happens, hang up.

Use Two Factor Authentication

Two factor authentication adds a critical layer of protection. Even if someone gets your password, they still can’t log in without the second factor. Many forms of two-factor authentication, like SMS, are not perfect, but they’re all better than most alternatives. 

Never Reuse Passwords

Credential theft is widespread. Reusing passwords means a low-risk breach can quickly turn into access to your bank or email.

A lot of companies are hacked on a regular basis, with the bad guys going after customer login information. If you used the same password to order a pizza as you use for your online banking, if that pizza place is hacked, bad guys will likely try that user name and password in other places. A lot of the emails and texts you may get saying that your Netflix has expired are hoping that the login information you put into their fake website will also work on your bank. 

Be Careful About What You Share Publicly

Be mindful of what you post on social media, especially travel plans and family details. Police report that burglars use vacation posts to choose houses to break into. And the grandparent scams I mentioned before often rely on determining relationships between people from social media sites. 

Use a Family Verification Question

For family emergency scams, have a simple verification question that only real family members would know. I’ve told the seniors in my family that if they ever get a call purporting to be from any of my kids, they should ask them for the name of a particular animal that was important to them when they were growing up and that they’d never forget. That name is not on any social media site and anyone who can’t answer that question immediately is an impersonator. 

Never buy gift cards at someone else’s direction

One of the most common ways that scammers try to get “money” from victims is having them purchase gift cards. Once the cards are bought and the scammer gets the numbers from the back of the cards, they can use the value from those cards. Actual government agencies will never, ever, ever ask for payment via iTunes or Amazon gift cards. If anyone mentions any sort of a gift card, red flags should go up and alarm bells should start ringing. 

Set Alerts and Limits

You should set alerts on your financial accounts so you’re notified when money moves. Someone may have picked your wallet out of your pocket, or taken your credit card number. If you get alerted as soon as a transaction happens, you can immediately contact your bank to have it addressed.

And lower your daily transaction limits if you don’t need higher ones. Scammers who get into your online banking will use money transfer services to send money to other accounts. If you rarely Interac e-transfer more than a couple of hundred dollars per day, set your limit that low. If you have an unusually large payment to make, you can contact your bank to temporarily increase that limit. 

Closing

I think it’s worth taking some time to go into your “spam folder” in your email and your text messages to see some of the examples of scam messages that were sent to you that you didn’t see. It’ll help, I think, raise your awareness and sensitivity to what is sketchy and should raise red flags for the future.

We live in a world where personal information is incredibly valuable and increasingly easy to misuse.

Unfortunately, there are a lot of really horrible people who are very creative in trying to separate you from your money. Awareness, skepticism, and a few practical habits can reduce the risk of becoming a victim.