Lockdown Has Led to a Surge in Fraudster Romeos Operating Remotely, Police Warn
February 12, 2021
The ongoing lockdown may be complicating the path of Cupid’s arrows. But as another Valentine’s Day rolls around, authorities are warning that romance scammers – and other types of fraudsters – are alive and well and have been increasingly preying on unsuspecting victims around the world.
Take it from the FBI: Romance scams remain big business, accounting for at least 23,000 victims in the U.S. and more than $605 million in losses last year. “Confidence/romance scams have resulted in one of the highest amounts of financial losses when compared to other internet-facilitated crimes,” the FBI warns in a fresh romance scam alert.
Ongoing lockdowns due to the COVID-19 pandemic don’t appear to have blunted scammers’ success, likely because so much online dating today remains remote – as do romance scammers.
In Britain, authorities say romance fraud involving bank transfers increased by 20% last year – from January to November – compared to 2019. Total losses reported by victims over that 11-month period came to $25.5 million, or an average of $10,800 per victim.
“With the rising use of online dating service during lockdown, criminals are using clever tactics to exploit people who think they’ve met their perfect partner online,” says Katy Worobec, managing director of economic crime at UK Finance, a trade association for Britain’s banking and financial services sector.
Authorities Want a Date With Scammers
As with all types of scams, authorities ask victims to report the crime in two ways – first to your bank or credit card issuer and second to authorities so they can help disrupt such attacks. Contact points include the FBI’s Internet Crime Complaint Center in the U.S. or Action Fraud in the U.K., except in Scotland, where victims should call 101.
“If you think you’ve been a victim of romance fraud, please don’t feel ashamed or embarrassed – you are not alone,” says Pauline Smith, head of Action Fraud. “Anyone can fall victim to fraud, but it’s important that you contact your bank immediately,” as well as report it to authorities.
8 Rules for Dating
Based on reports that it’s received, Action Fraud recommends that when dating, before you have met and gotten to know someone, you should never:
- Send them money;
- Give them access to your bank account;
- Transfer money on their behalf;
- Take a loan out for them;
- Provide copies of your personal documents such as passports or driver’s licenses;
- Invest your own money on their behalf or on their advice;
- Purchase and send the codes on gift cards from Amazon or iTunes;
- Agree to receive and/or send parcels on their behalf – such as laptops and mobile phones.
George Kidd, chief executive of the Online Dating Association, notes that association members offer secure messaging services designed to help spot and block these types of fraud as people get to know each other. “You should never hesitate to report if someone asks you for money, even if they do this outside of the dating service,” he says.
Account Takeover Fraud Also Continues
Of course, not all fraudsters work the romance angle. Another prevalent type of fraud continues to be customer account takeovers, driven by the copious amounts of user information in circulation thanks to years’ worth of data breaches.
British magazine Which?, which focuses on consumer rights, last month reported that fraudsters continue to advertise large quantities of stolen customer data, including via cybercrime forums and darknet markets.
An investigation conducted by Which? and England-based cybersecurity firm Red Maple Technologies found a ready supply of stolen credentials for sale. It also noted that some service providers take stolen credentials, see which other sites they work on and then sell this access to others.
These credential-stuffing attacks – reusing a username and password stolen from one site on others – are easy to prevent, provided individuals always use unique passwords for every site. Unfortunately, too many people continue to reuse passwords, making them easy prey for such attacks. (So if you want to get something “cyber special” for a loved one this Valentine’s Day, get them a password manager).
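To show what the credential-stuffing pattern described above looks like from the defender's side, here is an added example (not code from the article or from any company it names) that scans constructed login-log lines and flags source addresses that cycle through many different usernames with a low success rate; the log format, the thresholds and the addresses are all assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample login events (not real traffic). 203.0.113.10 sweeps five different
# accounts and lands one; 198.51.100.7 is a single user mistyping; 192.0.2.5 looks like
# an office NAT where several people log in and nearly all succeed.
SAMPLE_LOG = """\
2021-02-11T20:01:02Z ip=203.0.113.10 user=alice@example.com result=FAIL
2021-02-11T20:01:03Z ip=203.0.113.10 user=bob@example.com result=FAIL
2021-02-11T20:01:03Z ip=203.0.113.10 user=carol@example.com result=OK
2021-02-11T20:01:04Z ip=203.0.113.10 user=dave@example.com result=FAIL
2021-02-11T20:01:05Z ip=203.0.113.10 user=erin@example.com result=FAIL
2021-02-11T20:02:00Z ip=198.51.100.7 user=grace@example.com result=FAIL
2021-02-11T20:02:10Z ip=198.51.100.7 user=grace@example.com result=FAIL
2021-02-11T20:02:20Z ip=198.51.100.7 user=grace@example.com result=OK
2021-02-11T20:03:00Z ip=192.0.2.5 user=heidi@example.com result=OK
2021-02-11T20:03:01Z ip=192.0.2.5 user=ivan@example.com result=OK
2021-02-11T20:03:02Z ip=192.0.2.5 user=judy@example.com result=FAIL
2021-02-11T20:03:03Z ip=192.0.2.5 user=mallory@example.com result=OK
2021-02-11T20:03:04Z ip=192.0.2.5 user=oscar@example.com result=OK
"""

def parse_events(log_text):
    """Yield (ip, user, succeeded); lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def detect_credential_stuffing(log_text, min_users=5, max_success_ratio=0.3):
    """Flag source IPs that try many distinct usernames and mostly fail: one account
    failing repeatedly is a forgotten password, many accounts from one address with a low
    success rate is the signature of a stuffing run. hit_users = accounts to force-reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hit_users": []})
    for ip, user, ok in parse_events(log_text):
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hit_users"].append(user)
    flagged = {}
    for ip, s in per_ip.items():
        successes = len(s["hit_users"])
        if len(s["users"]) >= min_users and successes / s["attempts"] <= max_success_ratio:
            flagged[ip] = {"users": len(s["users"]), "attempts": s["attempts"],
                           "successes": successes, "hit_users": sorted(s["hit_users"])}
    return flagged
```

Accounts listed under hit_users are the ones a stolen password actually opened, so they are the candidates for a forced reset and a second-factor prompt rather than just the blocked address.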
Accounts for online food delivery service Deliveroo, for example, were being advertised for about $6 each on darknet markets, the researchers found, and could be used on orders that might be worth more than $40. “Compounding the issue is that Deliveroo still does not offer two-factor authentication – an important additional security measure – on accounts to help customers protect themselves,” they said.
Also for sale in bulk for a similar price, and offering the same value proposition: “My McDonald’s” accounts, which criminals can use with the fast-food chain’s mobile app to fraudulently place an order with someone else’s account and then pick it up themselves. McDonald’s so far only appears to offer two-factor authentication to account holders in Singapore.
McDonald’s and Deliveroo both say they have anti-fraud measures in place. But of course, some scammers still get through.
Fraudsters Hit Starbucks Customer Accounts
Starbucks accounts are also a target. In 2015, I reported that fraudsters had been accessing Starbucks customers’ accounts and draining their balances, for example, to purchase gift cards that they could resell to others. At the time, Starbucks offered no type of multifactor authentication, meaning if a scammer knew a customer’s email address and could guess their password, they were likely in.
Such schemes continue.
“I just discovered last night that this very thing happened to me,” a reader recently wrote to me. “My American Express card was compromised. The only app I had connected to this Amex card was Starbucks. Several Starbucks charges for $100 each were on my statement. When I tried logging into my Starbucks app my email wasn’t valid,” she said. “Starbucks gave me the new email information. They did switch it back to my old one.”
Credit card companies will, of course, reverse fraudulent transactions, if alerted in a timely manner. Also, Starbucks now offers two-factor authentication in the form of SMS-based one-time codes, which is welcome – although using an authenticator app would be even more secure because SMS messages can be intercepted.
Keeping track of all of your apps and accounts, and adding two-factor authentication when it becomes available, can be challenging – but less challenging than trying to recover from account takeover or identity theft.