So after returning from a slight blog writing hiatus (for a variety of reasons), I find myself logged into Facebook late one Sunday afternoon when a former work colleague that I haven’t seen for a while pops up on the integrated IM system.
I don’t tend to use Facebook’s chat facility that much but I am not averse to it. I offer a warm greeting and he politely returns it, but when I enquire into his wellbeing he drops the rather devastating bombshell that he’s been mugged while holidaying in Scotland! Not just mugged, but mugged at gunpoint no less. He explains that he’s lost all his cash, credit cards, wallet and phone in the attack but that he’s okay physically.
This is a lot to take in with the aftermath of Sunday lunch, and while I am breathing a sigh of relief that he has survived unscathed, you’re probably already a little suspicious of what might be coming. I still remain quite firmly committed, however.
His flight home is in two hours, he explains, and the hotel won’t let him leave without settling his bill! No problem, I reassure him, don’t panic. We can easily sort this out over the phone now with a credit card and we can settle it later when he returns to London.
Grateful at this news, he triggers alarm bell number one: can I transfer the money by Western Union wire? What? Why bother with that when I could just call up the hotel desk and secure it on a credit card?
I dismiss this anomaly, and proceed to tell him the plan: go down to reception, tell them a friend will settle the bill and get their phone number so we can arrange the transaction. Tell them to give you a cash advance for a taxi to the airport as well. He seems a little confused by the last point and then rings alarm bell number two in my head: the hotel has a +44 702 “follow-me” number! At this point, my suspicions are aroused: I’m curious, but I still don’t want to believe I’ve been taken in.
In the casual discussion that follows, I reminisce on a tale from work involving one of our colleagues, deliberately forgetting his name, and look to him to banish all my concerns by completing the tale.
But he goes quiet. He can’t do it, and the inescapable truth hits me. This really is a scam. This is not really my friend at all, but someone who has somehow managed to gain the credentials necessary to pose as him. I persist with my questioning and, realising that he has been rumbled, he concedes defeat by logging out and blocking me, presumably to prevent me raising the alarm with my friend’s friends by writing on his wall or similar.
Now as a well-prepared and diligent reader, you’re probably surprised and disappointed that I got so close to handing over my credit card details to scammers of unknown origin. But what makes this scam so considerable are the mechanisms that it capitalises on to disarm one’s normal caution and guarded behaviour when dealing with unknown Internet correspondents.
- Facebook friends tend to come rather high on the trust list. This is not a random email from the exiled president of a small African nation seeking financial help to realise his investment in gold, diamonds, father’s inheritance or whatever. This is someone I’ve explicitly authorised, someone who matches a photograph, someone with whom I have conversed.
- Direct IM conversations leave no opportunity for the consideration and reflection that would usually be available before making important decisions. It’s similar to the double-glazing salesman who offers the “sign today only” deal.
- Questioning the authenticity of a message can be considered quite a hostile thing to do and people often feel reluctant to do so. I am sure that if I emailed or IM’d a work colleague and asked for a sensitive bit of data as a convenience, they would probably oblige.
- The urgency of the situation – a flight – and the fact that my friend has already been through a shocking ordeal demands decisive action from me if I am a good friend.
The combination of all these factors makes this attack an extremely potent one, and the only failings were the use of some casual language, poor anticipation of the likely responses to the situation and the logistics and local conventions involved for expedient payment. For most of the dialog, I harboured more concerns over how to extract the cash from my Liverpudlian friend on his return than I did about the authenticity of the request!
The good news is that Facebook appear to be well aware of this class of scam and do offer some sensible practical advice on dealing with the problem and reporting the issue.
I do hope that no-one else is adversely affected by scams such as this, but a work colleague pointed me to some useful advice and general tips on dealing with IM – whatever the platform – which is essentially “pre-authenticated” but in a weak manner:
- Get an awareness of people’s writing styles and language: in email, and IM or other short form. They can be quite unique. For instance, a colleague I know at work can be relied upon 100% to put apostrophes in plurals and omit them in contractions. I know if I ever see correct punctuation from him that I should be suspicious!
- Form a characteristic greeting that you always use to initiate and respond with. Correspondents will grow accustomed to it, and will hopefully note its absence in fraudulent communications. Examples include esoteric greetings or even saying hello in a foreign language. Consistent repeatable behaviour is the key.
As the sophistication of electronic “social engineering” attacks increases, I am sure that it will be necessary for people to become more hardened and vigilant in their use of social networking technology, but hopefully this won’t detract from the usefulness and effectiveness that it provides.