The psychology of victims and scammers

Teacher

Salute, carders. This material analyzes three schemes that use social engineering. The schemes are very commonplace and hardly anyone will fall for them, but the main value of the article is not in the schemes themselves but in the analysis of the behavior of victims and fraudsters.

You know that scammers want your money. Since in our case the money is in a bank account, or, more simply, "on a card", fraudsters resort to different strategies to get to it. What is especially interesting is that in all these cases it is ultimately the behavior of the potential victim that determines the success of the fraudulent operation. In fact, there are not that many variants of such behavior, and once you are familiar with examples of these situations you can learn how to avoid them and repel attackers.

So, in order to answer a number of questions, namely: "What drives us when we fall for the tricks of scammers?", "What emotional processes help them?", "How not to fall for the bait of swindlers?" - let's look at three simple stories about how you can inadvertently lose all your savings.

The first story, in which Valera meets a mysterious administrator

Imagine that Valera receives a message on vk.com:

“Hello, Valera! I am the administrator of the Donut Lovers group you are subscribed to.”

Let's say our hero really is subscribed to it; that is very easy for any outsider to find out.

“We held a competition and chose you by random vote! Get 1000 rubles (and immediately buy donuts for them ahahah)!”

Valera is glad, but you have probably already guessed what will happen next:

"Send me a photo of the card in a private message, we will transfer your prize to you!"

The most experienced of you shake your heads and say: "How primitive!" We agree, but even such a simple scheme, unfortunately, often works. If there are those among you who still doubt whether it is really so scary to make a photo of your bank card public, then let's say it right away: yes, it is that scary. It just so happens that your card contains all the information necessary for online payments, for the simple reason that an online store will most likely not ask for the PIN code, which is not on the card, since it does not have the right to do so. Fortunately, the payment information is at least split into two parts, and not everything is shown on the front side of the card: there is the card number, its expiration date and the owner's name, but there is no CVV, another number located on the back side.

But pay attention to one more feature of this simple “con”: no one asks Valera for money; money is offered to him. If you look at the body of scientific literature on the psychology of fraud (which is in fact huge), it turns out that scientists have long since learned to describe and explain the cognitive principles used by swindlers. Among these principles there will certainly be one about the need to establish a relationship of trust with the victim. Trust has been defined in different ways; here is one definition that applies directly to the psychology of fraud: "trust is a state of vulnerability or risk that arises from the individual's uncertainty about the motives, intentions and intended actions of those on whom he depends at the moment." It is usually difficult for a stranger who is after your money to gain your confidence. Surely you know how ridiculous old-school cons look: "Hi, I'm a lawyer for a millionaire from Nigeria, he died and left you an inheritance, but first send me the money for insurance." In this case you will not hesitate: you know with 100 percent certainty that this is a scammer.

What changes in the story with Valera? The fact that no one asks him for money; on the contrary, money is going to be sent to his card! And in our age of contactless payments, this offer looks quite plausible. Moreover, one of the studies of fraudulent schemes showed that the willingness to make risky financial transactions is a statistically significant factor, and it is one that fraudsters count on when they look for potential victims.

To better understand this situation, we turned to our expert Natalia Oshemkova, a clinical psychologist and coach, for a comment.

It will be easier for a scammer to deceive you if you really participate in some kind of competition. Or if a contest with the condition that all members of the group automatically take part in it is indeed published on the wall. Or if the fraudster still has some reliable truthful information at his disposal. There is a type of indirect suggestion called the "yes set": after a few statements with which a person inevitably agrees (no matter whether explicitly out loud or silently), he is ready to more easily accept a more dubious proposal. Accordingly, when you are told several reliable facts, this is already a good basis for establishing trust.

In Valera's place, you can keep it simple: instead of a photo, send the "group administrator" the card number as plain digits and calmly watch as he removes Valera from his friends and goes to look for a new victim... And any persuasion in the spirit of "No, the number is not enough, we also need the date and the three digits on the back" is something you need to train yourself to react to as you would to a nuclear attack warning. With that set of information, fraudsters will be able to make any online payment with your card, and you will have no time for donuts.

The second story, in which the employees of the bank scold Pavel

Pavel's phone rings. Seeing an unfamiliar number and timidly picking up the phone, our hero hears something like this:

“Good afternoon, Pavel, I'm calling you from the bank ***. How could you not keep an eye on it? Someone tried to hack your card. You probably paid with it in unreliable places: at train stations, withdrew money from street ATMs, did you?”

While Pavel is frantically trying to figure out how to respond to this, let's look at what is going on. The scammers' tactics in this case are not at all the same as in the previous story. Sam Antar, in the past a major fraudster and now a forensic accountant, describes such techniques very well on his website. Instead of politely ingratiating themselves, the scammers decided to speak from a position of authority and immediately place the blame on the unfortunate client. Oddly enough, this may well work! And the questions about the station and the street ATM are asked for a reason: the likelihood that a potential victim has done something like this at least once is very high, so as soon as Pavel answers, “Well, yes, I withdrew money a couple of times from an ATM on the street,” his guilt will be conclusively confirmed: “Well, you see! A little more, and your money would have been gone.”

But the gallant "bank employees" will certainly save Pavel and protect his savings from any attack.

"Let's check if you really are the owner of the card: dictate to me a four-digit number and a verification code on the back."

In this case, the idea is the same as in the first story - to steal card data for online payments.

Or it may be like this: "Tell me the PIN-code, after which we will reactivate your card."

But here everything is more serious: the PIN is completely useless for online payment, but it is indispensable when buying with a physical card. So if fraudsters want to find out your PIN, it is very likely that they already have your card or are planning to get hold of it. There are a lot of options: you lost the card, and then it was returned to you (after being copied); you gave the card to the waiter so as not to go to the terminal yourself, because “it is at the bar counter, don't get up, I can take it myself”; you became a victim of skimming and your card was copied using a fake terminal or a reader hidden in the case of an ATM that nobody monitors closely. That is why, by the way, street ATMs are not the best place to withdraw money.

What other linguistic techniques might work here? "As soon as you send me a photo of the card, you will immediately receive your prize." Did you notice the difference? The same thing is said, but the speaker no longer seems to doubt what you will do, as if you have no choice. There are other "choices without a choice". For example: "Will it be more convenient for you to confirm your identity by giving the PIN code or the code from the SMS confirmation?"

Finally, let's take a look at another highly ingenious type of scam.

The third story, in which Elizabeth faces the dark side of Avito

Elizaveta wants to sell her old knitting machine through Avito. It is a niche item, but who knows, it might come in handy for someone. A buyer immediately responds to her ad, calling or writing on WhatsApp:

"I want your product, send it by parcel to Syktyvkar, only I will transfer money from abroad, from Karaganda, so send me your full name and card account number for payment / prepayment."

Everything seems fine here. Indeed, from other banks, especially foreign ones, it is sometimes impossible to transfer money directly to a card; you need to transfer it to the account. And note that the buyer again does not ask for anything to be sent to him; instead, he is eager to send money. And he does not even ask for photos or other obvious "con" information.

Then the same buyer writes to Elizabeth again, informs her that he is making the transfer right now, and soon after that she receives a call from the bank's number. Here it becomes interesting again, since such a call greatly increases trust in the caller: after all, it is not easy to steal the phone number of a large bank! Once again, we see how the traditional trust-building scheme unfolds: the higher the risk a person perceives, the higher their need for trust. The fraudsters in this case act very consistently, postponing the most suspicious steps to the very end while saving trump cards, such as the “call from the bank”, for later. The higher the risk, the higher the trust.

By the way, let's make a short digression: sites like Avito, unfortunately, give fraudsters quite a few keys to the heart (and through it to the money) of a potential victim. After carefully studying the seller's ad, scammers often spend a significant amount of time thoroughly working out their cover story. Let's imagine that some rather specific part is being sold, for example, a cooling system radiator for the UAZ Patriot. After a short search on the Internet, you can find a lot of forum threads from which it becomes clear that replacing this radiator is a very common problem. There you can also pick up plenty of real-life stories and even concoct "your own" sad story. With this preparation, it will not be difficult for a fraudster to convince even an experienced seller, in the course of a detailed conversation, that he is a genuinely interested buyer and not a lover of easy money. And as we already know, where there is trust, there is risk.

But let us return to the story of Elizabeth, who, as we recall, is getting a "call from the bank":

“A transfer from abroad is on its way to you, and you have to receive it. To do this, please send the sender the one-time code that you will now receive by SMS.”

Experienced readers will grin here too: “Yeah, right,” and they will be absolutely right. Having developed the reflex “do not tell anyone any details of your bank card except its number”, start mastering the next one, which concerns the one-time codes and passwords that the bank sends you. They are for you and only for you; you must not send them to third parties. The whole point of two-step verification (and one-time passwords are an important part of it) is that the bank can verify in two independent ways that you are you. The first is your card details, and the second is a one-time secret code that came to your phone.

Another trick known to psychologists: we really do not like to lose what we already possess (even if only mentally). If you were promised money on the same Avito, discussed for some time how it would be more convenient to transfer it, perhaps even received a deposit (sometimes scammers throw in a small "bait" payment of a couple of hundred rubles to convince the victim of their sincerity) and began to figure out what to spend the full amount on, then it will be difficult for you to part with this mentally already spent money, even despite the alarming signals. In general, it is useful to make a habit of at least taking time to think the situation over. "Sorry, it is very inconvenient for me to talk right now, could you call back in 15 minutes?" Haste is also a frequent element of such fraud, because under time pressure we switch to ready-made patterns for resolving situations instead of full-fledged rational thinking. And, of course, sometimes you will feel pressured: through pity, through fear (if you do not solve the problem right now, the card will be in danger!), through a dare (“come on, are you afraid?”) and so on. Find and learn a good phrase that is convenient for you to answer with, a kind of anchor that you can hold on to in a conversation. "Of course, I am careful with my billing information." "Yes, I care about my money." Any wording to your liking that will remind you of the right mindset.

How does the scam that Elizabeth almost fell for work? In fact, it all starts with your phone number. Since most online banks today support logging in by phone number, this door looks especially attractive to fraudsters. It is not so difficult to get a particular person's phone number, name and surname; social networks, for example, exist for this. But finding out in which bank a person keeps an account is a more difficult task. And this is where ad services like Avito come to the rescue. Oddly enough, it is sellers who are often targeted: firstly, they leave their phone number, and secondly, they expect payment from the customer, so they willingly share banking information.

By giving the scammers her account number, Elizabeth allowed them to find out in which bank she kept her money. The phone number left in the advertisement for the sale of the knitting machine is the login for the mobile bank. Of course, there is also a password, which the scammers do not know, but here is the problem: it can be reset automatically and a new one created. And what is required for that? That's right, the account number (not the card number!) and the phone number. After that, all the scammers have left to do is get through two-step authorization. The "call from the bank" is their only chance to complete the scam successfully. With IP telephony it is in principle possible to spoof any number, which is what happened in this case. Elizabeth, seeing the bank's number, relaxed, but caught herself in time, remembering that a one-time code must not be entrusted to anyone at all. By the way, checking whether the call really is from the bank is not difficult: ask for the details of your account or any other information to which a bank employee definitely has access. At this point the fraudster is guaranteed to drop off. We cited the example of Avito for a reason: the peak of fraudulent transactions under the scheme described above was observed during the last May holidays. Fortunately, if you adhere to basic security rules, you can fight off even such sophisticated attacks.

Let's summarize?

Your card data must be protected. If money is being transferred to you, the payer does not need any data other than the card number and your full name. The most sensitive information about your card is its expiration date, PIN and CVV (three digits on the back). These should be protected especially carefully and not disclosed to anyone, even if you are suddenly asked for them at a bank branch. Anything can happen.

Finally, secret one-time codes are secret and one-time precisely so that they remain known only to the legitimate owner of the card. Do not part with them under any pretext.

And if something does happen, immediately call or run to the bank; they will help you there, and maybe even treat you to donuts.
 