“The man who sets out to carry a cat by its tail learns something that will always be useful and which never will grow dim or doubtful.”  – Mark Twain

I like that quote from Twain, and besides the humor, it also reminds me that it can be less painful to learn from others’ mistakes, rather than our own.

The internet has, in many ways, shrunk the world. Unfortunately, along with the good, it has brought the scammers, fraudsters, and impersonators to our doorsteps. If you get an email, text message, or phone call offering a free piano, warning of a virus, asking for help, claiming a kidnapping or extortion, or claiming to be your ISP and needing an update to keep your internet connection working, it is time to hang up, keep calm, and check with others.

These scams will almost certainly increase as AI is used by scammers to impersonate people by cloning their voices, or even cloning them by video chat. Some of these AI systems only need a very limited amount of audio or video to make very convincing clones of people, and most pastors have videos of themselves talking online for anyone to download and watch.

  • Deepfake AI video of Tom Cruise
  • How Scammers Use AI to Impersonate People and Steal Your Money
I am including some links below from the FTC with some common scams, but some scams we have had in our office lately include:
  • Phone call from our “ISP” stating the receptionist needed to follow instructions to keep our internet line working (Our ISPs have the direct contact information for our technical lead, but the caller also refused to be transferred to the correct person.)
  • Email offering a free piano (There is no free lunch coming by email, nor inheritance either.)
  • Pop-up ads stating the computer is infected with a virus and needs a security fix (Nobody is going to contact you with security help.)
  • FTC – common phone scams
  • FTC – common text scams
  • FTC – common email scams
Finally, remember, even if you are certain that an email, text message, or phone call is legitimate, it is best to practice OOB (Out-Of-Band) authentication, so you can be certain with whom you are communicating. Instead of clicking on a link in an email or a text message, log in to the website from your own bookmark. Call the person from your own address book, not from a number supplied in an email or text message.
[Review of OOB]
OOB (Out-Of-Band) communication is a powerful tool to verify who you are communicating with and to avoid scams, but attackers know this and will attempt to short-circuit this important process. With that in mind, I wanted to send this quick follow-up to explain some common attacks on OOB verification.

Example:
You receive an email requesting that you take some action. To verify the message sender, you use OOB communication: close the email and log in to your account from your own bookmark, walk over to the sender's office to chat in person, or make a phone call to the person or company. By not using the original communication band (email), you are communicating out of band and will quickly determine whether the email was fraudulent.

A smart attacker might try to circumvent the policy by:

Urgency
They might say something like “I need this done today, right away, don’t bother me with a call, just do it!” This can be especially effective when they are impersonating someone of authority, e.g. your boss, or the police. This is why we have a security policy that directly addresses this, see point 4. on our Security Policy linked below.

Provided verification numbers
The most common example of this is a text or email message impersonating your bank or a merchant, e.g. “There is a suspicious charge on your Chase Credit Card. Call 888-xxx-xxxx immediately if this was not you!” or “Here is your receipt for your Amazon purchase. If there is a mistake, please call customer service at: 888-xxx-xxxx.”
The problem is that if you call the provided number, you are still in the original communication band and have not used OOB communication. It seems like you have followed the procedure because the communication went from an email to a phone call, but the email supplied the number for the call, so the original message is still the authority. You have to break out of band by turning over your credit card and looking up the customer service number printed there. Don’t click links in email; instead, close the email and go to your bank, Amazon, or whatever site it claims to be from your own bookmarks or from a search. Then you are out of band, and in charge.

We have received emails with instructions like “My phone is not working, use this one instead.” Again, this is an attack attempting to keep you in the original band. What can it hurt to call the number from your own address book, one you already know you can trust?

Poison the Address Book
Since attackers know that there are policies to confirm identities, they will sometimes attempt to get bad phone numbers, email addresses, or other data into an organization’s address books or databases. They might call one person today with a story like “I had a problem with my phone and have to change my phone number to this:”, and then the next day attempt a financial transaction with a different person, who will look up the phone number in the database and find the bad one. It is critical to verify any change to contact information and to record the date of the change. If someone calls with a new phone number or email address, a phone call or email should go to the old contact information to verify that the change is genuinely desired.
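The two attacks above (a callback number supplied by the message itself, and a poisoned address book) come down to one rule: the channel you verify over must come from your own trusted directory, and that directory must only change through a dated confirmation over the old contact details. The following is an added example written for this page, not code from the article or from the Texas District; the contact names, phone numbers, email addresses, and dates are all constructed, and the `TrustedDirectory` class and `is_out_of_band` function are hypothetical models of the procedure rather than any real product.

```python
"""Added example (not from the original article): a small model of out-of-band
(OOB) verification and of a contact-change workflow that resists address-book
poisoning. All names, numbers, addresses and dates are constructed."""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Contact:
    name: str
    phone: str
    email: str

    def channels(self) -> set[str]:
        return {self.phone, self.email}


def is_out_of_band(channel: str, message_contacts: set[str], trusted: Contact) -> bool:
    """A channel is OOB only if it comes from our own directory AND was not
    supplied by the message being verified. A number that appears in both
    places is still treated as in-band: the message would remain the authority."""
    return channel in trusted.channels() and channel not in message_contacts


class TrustedDirectory:
    """Address book whose entries change only through a dated two-step workflow:
    a requested change is held as pending until confirmed over an OLD channel."""

    def __init__(self) -> None:
        self._entries: dict[str, Contact] = {}
        self._pending: dict[str, Contact] = {}
        self.audit_log: list[tuple[date, str]] = []   # dated record of every change

    def add(self, contact: Contact, verified_on: date) -> None:
        self._entries[contact.name] = contact
        self.audit_log.append((verified_on, f"added {contact.name}"))

    def lookup(self, name: str) -> Contact:
        # Pending (unconfirmed) changes are never visible here, so a poisoned
        # request cannot redirect a later transaction.
        return self._entries[name]

    def request_change(self, name: str, requested_on: date, **changes: str) -> Contact:
        """Record a requested change and return the OLD entry, which holds the
        channels the verifier must use to confirm the request."""
        old = self._entries[name]
        self._pending[name] = replace(old, **changes)
        self.audit_log.append((requested_on, f"change requested for {name}: {changes}"))
        return old

    def confirm_change(self, name: str, confirmed_via: str, confirmed_on: date) -> bool:
        """Apply the pending change only if confirmation came over an old channel."""
        old = self._entries[name]
        if name not in self._pending or confirmed_via not in old.channels():
            self.audit_log.append((confirmed_on, f"rejected confirmation for {name} via {confirmed_via}"))
            return False
        self._entries[name] = self._pending.pop(name)
        self.audit_log.append((confirmed_on, f"change confirmed for {name} via {confirmed_via}"))
        return True


def demo_provided_number() -> tuple[bool, bool]:
    """Constructed 'bank alert' text that supplies its own callback number."""
    bank = Contact("Example Bank", "800-555-0100", "support@bank.example")  # from back of card
    alert_contacts = {"888-555-0199"}  # the number printed in the suspicious text
    in_band = is_out_of_band("888-555-0199", alert_contacts, bank)   # False: still in band
    out_of_band = is_out_of_band("800-555-0100", alert_contacts, bank)  # True: our own source
    return in_band, out_of_band


def demo_poisoned_address_book() -> tuple[str, bool, bool, str]:
    """Constructed two-day attack: poison the directory today, transact tomorrow."""
    book = TrustedDirectory()
    book.add(Contact("Pat Treasurer", "512-555-0111", "pat@church.example"), date(2024, 1, 15))
    # Day 1: a caller claims Pat's phone changed. The live entry is NOT updated.
    old = book.request_change("Pat Treasurer", date(2024, 3, 4), phone="737-555-0142")
    # Day 2: a transaction request arrives; lookup still returns the old number.
    still_old = book.lookup("Pat Treasurer").phone
    # Confirming via the NEW number is rejected: that channel is the caller's own.
    via_new = book.confirm_change("Pat Treasurer", "737-555-0142", date(2024, 3, 5))
    # Confirming via the OLD number (a call to the number already trusted) is accepted.
    via_old = book.confirm_change("Pat Treasurer", old.phone, date(2024, 3, 5))
    return still_old, via_new, via_old, book.lookup("Pat Treasurer").phone


if __name__ == "__main__":
    print("provided number (in-band, oob):", demo_provided_number())
    print("poisoned address book:", demo_poisoned_address_book())
```

The design choice worth noting is that `lookup` never returns a pending change, and `confirm_change` accepts only a channel taken from the entry as it stood before the request. That is the code form of the rule above: the verification call goes to the old number, and the audit log carries the date of every request, rejection, and confirmation so a poisoning attempt leaves a trace.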

Below is a link to the Texas District’s external security policy. Read the second page in particular, and consider making similar policies for your own organization.

Disclaimer: This article’s technical tips are meant to provide helpful alerts and general awareness of the issues raised in this article. We cannot be held liable for any issues that may arise from following our recommendations. We recommend that each group find a skilled technical team to advise and help in a manner tailored to individual needs and circumstances.