A few days ago I placed an add on a peer-to-peer selling site. I was contacted by a person who told me that he wanted to purchase the item through the official online payment service of that website. I was supposed to receive a link to approve the incoming and then send the article by post. The money would be on hold at the website until the item reached its destination and was checked by the buyer. The buyer would approve the transaction, he would get the item, I would get the money. Everything sounded ok and I agreed.
I received the link on my telephone number from a number that seemed to belong to that website and in that link I was requested to:
– Give my card number
– Give my CVC!!
– Write my current balance
– Approve the incoming
– Wait for an “approval code” and then approve again
I have always admitted that technology moves forward faster than we do and my first thought was that the website managed to develop a new method of making payments as everything pointed that the link belonged to that website. But a strange feeling stayed with me.
Why should I give my CVC and my current balance? Even the card number sounded suspicious.
So I decided to test it. I entered a fictious card number and CVC, clicked “approve” and waited…. Waited for an error message or something. And waited… and waited. Nothing happened so I wrote back to the “buyer” telling him that there must be a mistake. And his answer was …. magnificent. I was supposed to have a minimum of 300 RON (equiv. of 70 EUR) for the application to work. LOL! LOL! LOL! I replied that I can give him the item as a present and never heard of him again.
That day I received several messages from my colleagues telling me that they had been targeted in that same scheme and from our discussions we even found out about cases when the scheme “paid off” and the victims were left with their accounts empty.
The scheme was quite popular in Romania and was even published in the press.
https://cert.ro/citeste/alerta-tentativa-de-frauda-olx
And the mechanism is quite simple: the link you receive is an embellished link to make a payment to a certain account. You give all your card details, the amount to be transferred and you approve the payment. You must wait for an approval code (which is actually the one received from your bank for payment approvals), you approve again and … voila! Your account is empty. Genial!
When reading about it as such everything seems so obvious and so clear. And yet, I know people that are well educated, even with financial literacy, that became victims of various forms of fraud. Even I had some moments of doubts when it happened to me, although I work in a very close domain, AML.
So why does it work?
1. Because technology evolves faster than we are prepared
Virtual currencies that are not based on anything real, digital onboarding, digital customer reviews, payments by phone, instant transfers, fingerprint payments … there is always something new, something technological that we didn’t expect. So, when a technical novelty appears, we are so used to “not being prepared” for it, that we simply believe that it is normal to be outdated and maybe “just have a new method of payment”.
2. Because deep-down we truly believe that it can’t happen to us
People think they are safe.
Simple people, with limited access to financial services, cannot even imagine the wide range of fraud schemes to which they can become victims. They want a loan so they send some money in advance or their card by post and their internet credentials by SMS. The want to earn some extra money so they pick up a job ad to do “mystery shopping” for Western Union/ Money Gram and they accept money from Ghana and send them to Afganistan within an hour, with 50 EUR fee (money mule), etc.
Even people with financial background became victims and even CEOs or CFOs – the classical and earthshaking CEO-fraud schemes. Even us, working in AML and reading so many studies and red flags, see everything through a screening glass. It’s our job, it’s something we work with as third parties, it happens to other people that are not financially educated, it can never happen to us.
3. Because we got used to doing many things at a time and we are not being attentive to details
Whether it is a big CEO fraud involving many-zeros amounts, or a “smaller” phishing attack, the truth is that the red flags are always there … for an attentive, rested mind. But people are not attentive. We are bombed with daily advertising messages on TV, on our emails, on our phones, on the street, that our mind has become naturally and automatically self-protecting, blocking many details in order to protect us.
And thus, we miss a doubled letter in the company’s name or the fact that behind the link that we see, if we point the mouse on it, it is actually a different link.
Because, inherently… people trust people
And there is no AML explanation for that. It is what makes us … human. And if we lost that, we would probably start resembling machines and be defeated by them.
So, in the light of the above, it seems as if we are all … doomed – both simple people, with limited access to financial services, as well as those having multiple accounts, digital services and even digital currencies. Fraudsters will always be at least a step before us and we only discover fraud schemes once they are materialized.
So, how can we protect us?
I remember a phrase that stuck with me after an IT security course – “It’s all about digital hygiene”.
And even simpler, it’s all about being just a little more attentive when it comes to our money and asking ourselves the simplest question of all – “why?”.
– Why should I give my card details in order to confirm that I am an adult and approve this free PC game for my child?
– Why should I give my CVC card number for an incoming?
– Why should I send my card by post in order to get a loan?
– Why should my online lover suddenly need money from me and how serious are we if we never talked on the phone/ saw each other?
And if you are not sure about it, then wait just a little. Have a pause, search the internet about similar cases (you will be surprised how the anonymity of the web encourages people to speak up about their errors) or even better, call your bank and ask for an advise.
As many wise people say, “if it is too good to be true, then it probably isn’t.”
By Andreea Tampu, ACAMS
All articles published on this website are property of the author and may not be duplicated, copied, modified or used in any way without my written permission.
The use of this website does not constitute any right or license to use my articles and presentations without my prior written permission.
Hi, I’m from Israel and believe it or not I went through a similar situation. I couldn’t believe when I read your article. I thought that this scheme was local, but it seems it was imported / exported :)))).