Thanks to Naked Security reader M Carter for their help with this article.
Last week, we warned of a Facebook Messenger scam that used a bogus video to lure you onto a phoney Facebook login page.
In that scam, the crooks were using stolen Messenger passwords to phish for yet more Messenger passwords by sending messages that genuinely seemed to come from friends and family.
Fraudulent messages of that sort are much more believable than email spam, for two reasons:
- Social networks and instant messaging groups are often closed to outsiders, so you’re more inclined to trust messages within the group.
- The fake messages really do come from friends’ accounts, just not from the friends themselves.
But what do criminals use stolen messaging passwords for, apart from stealing yet more passwords?
Here’s an example sent in by a Naked Security reader who was asked by a “friend” for help making a payment:
As you can see above, the scammers, who had access to the friend’s account, cut straight to the chase: “I need help paying a bill.”
Although most of us would probably be suspicious right away, many of us will have friends and family members whom we’ve helped out financially before, so we might be willing (or at least polite enough) to enquire further.
The recipient in this case figured out this was a scam from the start, but decided to see how things would unfold if they gave a few carefully guarded answers.
Here’s how the conversation went:
The situation here is plausible – anyone who has ever been forced to take out a short-term “payday loan” will know that fees mount up quickly for missed payments – and many of us might decide that helping out a friend or family member is something we ought to do.
The payment details that we have redacted above, by the way, were genuine, identifying a finance company in the UK that is what you might call a “bank in the cloud” – a new online financial startup aimed at offering Banking-as-a-Service (BaaS) to help would-be online merchants build their own transactional apps and websites easily.
The recipient reported the scam to the company concerned, which we applaud.
Even though the bank can’t summarily close an account on the say-so of someone other than the account holder, we’re hoping that the report will go at least some way towards getting the account investigated and suspended.
Unfortunately, most people who get as far as receiving the account number in a scam of this sort will already be convinced that it really is their friend in a financial pickle at the other end, so they are unlikely to report the issue to the bank until after they realise they’ve been defrauded.
On the other hand, most people who figure this for a scam up front will simply ignore the message, and therefore won’t end up with an account number to report or a bank code to track down.
Notice how the scammers asked at the end for account details they could use for paying the money back.
Even though the crooks would know which account you paid the money out of (account details are recorded as part of the transaction), there’s a chance you might give away yet more personal financial information if you were to reply to that final request.
Old scam, new twist
Interestingly, this sort of “need money urgently” scam, sent out from hacked accounts, was prevalent a few years ago under the guise of a friend who had been mugged on a trip abroad.
Back then, the amount of money was usually somewhat higher – often $800 or more, compared to the £290 (about $400) above, and you were told to send the money by wire transfer, an irreversible process that is equivalent to handing over cash.
The use of a wire transfer instead of a regular bank payment was justified on the grounds that the “victim” no longer had their bank card, or even any ID, and therefore needed the funds sent to them in a way that allowed them to get paid out at the other end in cash.
Details were often added to these “mugged abroad” scams to increase the urgency, for example that your friend would soon be thrown out of their hotel after cancelling their credit card, or was under pressure to come up with hospital fees to pay for the treatment they received after the mugging, or needed ready cash for transport to get to the nearest consulate to acquire an emergency passport.
These days, of course, people are not only wiser to the risks of wire transfer – namely that there is almost no possibility of recourse in the event of fraud – but also unlikely to be travelling abroad unexpectedly, thanks to coronavirus regulations.
So the scammers have reinvented an old fraud in a new guise, with “outstanding loan” standing in for “robbed on vacation”, and “online banking payment” taking the place of “wire transfer”.
What’s stayed the same is that you aren’t helping your friend at all, because your friend’s account was hacked, and the money is going straight to the crooks.
By the way, the reader who sent in the details to us was one of several mutual friends who received a fraudulent contact from the scammers via the hacked account.
What to do?
- Always check your facts before you help friends in trouble. But take care how you get hold of a friend you’re worried about – never reply directly to an online account that could have been hacked. Find another way to contact your friend, based on information that you already have in your possession.
- Let your friends know if you think they’ve been hacked. But never reply using the account that’s been hacked or else you are just tipping off the scammers. Find a different way to get hold of them, such as a phone call, where you’ll have a way to satisfy yourself you really are talking to them.
- Use a password manager and 2FA to make it harder for the scammers. A password manager stops you putting real passwords into fake sites, which helps prevent you getting phished. And using 2FA means that your password alone is not enough for scammers to log in to your account.
- Report scams if you can. It might not feel as though you are doing much to help, but if many people provide some evidence, there is at least a chance of doing something about it. On the other hand, if no one says anything, then nothing will or can be done.
Below, we've listed scam reporting links for various Anglophone countries:
- AU: Scamwatch (Australian Competition and Consumer Commission) https://www.scamwatch.gov.au/about-scamwatch/contact-us
- CA: Canadian Anti-Fraud Centre https://antifraudcentre-centreantifraude.ca/index-eng.htm
- NZ: Consumer Protection (Ministry of Business, Innovation and Employment) https://www.consumerprotection.govt.nz/general-help/scamwatch/report-a-scam/
- UK: ActionFraud (National Fraud and Cyber Crime Reporting Centre) https://www.actionfraud.police.uk/
- US: ReportFraud.ftc.gov (Federal Trade Commission) https://reportfraud.ftc.gov/
- ZA: Financial Intelligence Centre https://www.fic.gov.za/Resources/Pages/ScamsAwareness.aspx