Socially Engineered Fraud Is Nothing to LOL About

We are constantly reminded to create difficult-to-guess passwords, change our passwords frequently, install security hardware and software and regularly update our software to protect against cyber-based fraud.

However, according to David Anderson, a Certified Fraud Examiner and principal of David Anderson & Associates, a Philadelphia forensic accounting firm that provides a full range of forensic accounting services in Philadelphia and the Delaware Valley, some of the most effective and costly frauds – socially engineered frauds – are capable of completely ignoring and bypassing such safeguards.

“Socially-engineered frauds are accomplished primarily through phone calls or emails,” Anderson said, “which seek to persuade the recipient to voluntarily provide the caller or emailer with either passwords and other login information or sensitive personal financial information.”

Anderson, whose firm conducts fraud investigation and installs fraud deterrence programs, said this information can include, but does not have to be limited to, social security numbers, birthdates and bank account numbers.

To illustrate the pervasiveness of socially engineered fraud, Anderson provided several examples that could be underway today right in front of our fraud-detection-sensitive noses:

First, he said, is “The IRS Scam.” In its most common form, this involves phone calls or, less commonly, email messages that claim to come from the Internal Revenue Service.

The caller informs the recipient that past taxes and penalties are owed, and that if the recipient doesn’t immediately pay these amounts, IRS agents are poised to haul the person off to jail, or seize the recipient’s house or cars. The recipient is told to purchase a prepaid debit card for the amount owed and to call back with the debit card information.

This year, a variant of The IRS Scam has appeared, Anderson said. The caller informs the recipient that there is a problem with the recipient’s tax refund, and the caller must verify certain information including names, wage amounts and social security numbers for the recipients and their dependents. The fraudster then uses this information to file phony tax returns which seek large refunds that, of course, are to be mailed to the fraudster.

Please note that while the IRS regularly informs taxpayers of tax issues or problems, it does not phone or email them. Despite this, a significant number of people fall prey each year to this scam.

The second socially engineered fraud issue detailed by Anderson is the “Bank-Amazon-eBay-PayPal Scam.” This one occurs via email, making it a “phishing” variety of fraud. The recipient is informed that either there is a problem with his or her online account, or that password information has expired and must be updated.

The email contains a “convenient” link for the recipient to log in to his or her account. The link is designed to appear to be from the recipient’s bank or Amazon or eBay or PayPal. For example, it would have a URL address similar to “update.amazon.partnerresults.com.” In an address like that, the site actually being visited is partnerresults.com; “amazon” is only a subdomain label that the owner of partnerresults.com is free to choose. Because the name of the service or firm appears in the link, the recipient believes the link will take him or her to the named site.

Instead, the link takes the recipient to a dummy site where the recipient unwittingly provides the fraudster with a user ID, password and other personal information.  This enables the fraudster to access the recipient’s actual account and to improperly withdraw funds or to order merchandise paid for from the recipient’s credit card or bank account, if that information previously had been stored in the recipient’s account profile.

As with the IRS, most banks, Amazon, eBay and PayPal advise their customers they do not communicate such matters via email. These services advise clients they should go to their corporate site directly to log in and update information rather than clicking on any email links. Again, despite such alerts and warnings, this remains a popular and effective scam.
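The check a mail filter or a cautious reader can apply to a link like “update.amazon.partnerresults.com” is to find the registrable domain and see whether the brand named in the address actually owns it. The following Python sketch is an added example, not part of the original article; the brand allow-list, the short suffix list standing in for the full Public Suffix List, and every sample URL other than the one quoted above are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brand -> registrable domains it really uses (illustrative, not exhaustive).
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
}
# Assumption: tiny stand-in for the Public Suffix List; real filters should load the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the domain the owner actually registered (public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url):
    """List (brand, real_domain) pairs where a brand is named in the hostname
    but the registrable domain does not belong to that brand."""
    if "://" not in url:
        url = "//" + url  # accept bare hostnames such as the article's example
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    findings = []
    for brand, owned in BRAND_DOMAINS.items():
        named = any(brand in label for label in host.split("."))
        if named and reg not in owned:
            findings.append((brand, reg))
    return findings


if __name__ == "__main__":
    # Constructed samples; only the first hostname comes from the article.
    samples = [
        "update.amazon.partnerresults.com",
        "https://www.amazon.com/gp/css/homepage.html",
        "http://paypal-login.example.co.uk/verify",
    ]
    for s in samples:
        hits = check_link(s)
        print(s, "->", hits if hits else "no brand mismatch")
```

A hit means only that the brand name is being borrowed by a domain the brand does not own; an empty result is not proof that a link is safe.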

Finally, Anderson tells of the “You Have Won!” scam. In this cyber subterfuge, the recipient receives a phone call informing him or her that he or she has won an expensive car or vacation in the caller’s sweepstakes.  The caller informs the recipient that before the prize can be awarded, the recipient must pay taxes on the prize.

The recipient is given the option of having the funds withdrawn from his or her bank account – by providing the bank account information to the caller – or of paying via credit card – again, by providing credit card information. In either case – bank account or credit card – the recipient who provides such information either has his or her bank account “cleaned out” or his or her credit card charged up to the credit limit for fraudulent purchases.

“We should all be aware,” Anderson said, “that we not only are subject to potential hacking of our sensitive personal security and financial information, but also that we are also at risk from socially-engineered attacks via phone or email.”

He said everyone should be cautious about responding to such “attacks” and never should give out sensitive personal security and financial information unless there is absolute certainty that the entity on the other end of such a transaction is the actual organization we think it is and not a social-engineering-savvy fraudster.

If you require the services of a Certified Fraud Examiner or any other forensic accounting services in Philadelphia and the Delaware Valley, please contact the Philadelphia forensic accounting firm of David Anderson & Associates by calling David Anderson at 267-207-3597 or emailing him at david@davidandersonassociates.com.

About David Anderson & Associates

David Anderson & Associates is a Philadelphia forensic accounting firm that provides a full range of forensic accounting services in Philadelphia and the Delaware Valley.  The experienced professionals at David Anderson & Associates provide forensic accounting, business valuation, fraud investigation, litigation support, economic damage analysis, business consulting and outsourced CFO services.  Company principal David Anderson has more than 30 years of experience in financial and operational leadership positions and is a Certified Public Accountant, a Certified Fraud Examiner and a Certified Valuation Analyst.