Phishing, when successful, tricks the user into unwittingly handing over their passwords to the scammer, often through professional-looking emails purporting to be from trustworthy businesses. The endgame is generally acquisition of personal information, like credit card and social security numbers.
Recently, phishing has been weaponized to varying degrees of sophistication with a key technique: impersonation.
The trick was enough to convince one employee at Gimlet Media, which runs the everything-internet podcast “Reply All,” to open an email from his “coworker.” Except the sender was not his coworker, but a hacker attempting a work-sanctioned phishing test on the company's employees.
Familiarity fraud is an online tactic people have to be especially wary of on social media, where friends’ pictures and handles are ripe for imitation. Duplicate accounts fish for personal information under the guise of intimacy.
The Nigerian prince scam is one of the oldest scams on the internet.
The scam rose to prominence in the 1990s, and is referred to by the FBI as “Nigerian Letter” or “419” fraud.
The premise is simple: You get an email, and within the message, a Nigerian prince (or investor, or government official) offers you an opportunity for lucrative financial gain.
The catch? Pay a small portion of the amount up front, or hand over bank account information and other identifying information so that the transfer can be made. Of course, you lose that “seed money,” never receiving a dime in return.
“It’s malware and phishing combined with clever social engineering and account takeovers,” James Bettke, a counter threat unit researcher at the security firm Secureworks, told Wired reporter Lily Hay Newman in 2018.
“They’re not very technically sophisticated, they can’t code, they don’t do a lot of automation,” he added. “But their strengths are social engineering and creating agile scams. They spend months sifting through inboxes. They’re quiet and methodical.”
Ticket fraud leads to consumers buying fake sports and music tickets.
Another popular online scam is ticket fraud, in which consumers are tricked into buying fake tickets for sporting events, concerts, and other events.
Scammers usually target high-profile events that are likely to sell out so they can take advantage of increased demand. Often, the tickets they send customers have forged bar codes or are duplicate copies of legitimate tickets. Other times, consumers won't receive any ticket at all after they pay up.
"If you have gotten a message from me or any other creator on YouTube that looks something like this, that is very likely someone trying to scam you," DeFranco said in a video posted to his channel.
The faux DeFranco slid into targets’ YouTube messages, promising “gifts” via the click of a hyperlink. The scammer’s real endgame: identity theft for financial gain through a classic online phishing scheme.
"We're aware and in the process of implementing additional measures to fight impersonation," a YouTube employee wrote in response to complaints of scam. "In the meantime, we've removed accounts identified as spam."
And angry mobs incensed by the fiasco that was Fyre Festival — an event so botched it warranted not one, but two documentaries — directed much of their ire at the event's celebrity influencers.
The defrauded cited a lack of transparency as to what the influencers were paid to hawk the festival to their millions of followers online, although not everyone agreed they deserved the blame to begin with.
But sometimes the influencers themselves can get scammed.
One variety of online grift victimizes the influencers themselves with identity-fraud tactics common to phishing.
Earlier this year, a scammer posing as entrepreneur and investor Wendi Murdoch used email handles and other techniques so convincing, social media stars were tricked into buying their own flights to Indonesia and paying for fake photography permits as part of the scam.
The victims, influencers and travel photographers among them, got bilked out of thousands of dollars in the process.
The FBI and New York Police Department opened investigations into the scam in 2018, according to The Hollywood Reporter. Also assisting is the corporate investigations firm K2 Intelligence, which tracked the scam’s pivot from celebrities to influencers.
“For a long time, they were going after people in Hollywood. [Now, they’re] routinely targeting influencers — Instagram stars, travel photographers, people who do stuff that involves them travelling all over the world," Nicoletta Kotsianas, a director at K2 Intelligence, told INSIDER in January.
“It’s about convincing some people that there’s someone else, and manipulating them, being into that, and world-building around the whole thing,” she added. “They’re making some money off it, but it’s really about the ride along the way.”
Ransomware held a whole city hostage in 2018.
Some of the most insidious online scams involve ransomware.
In a ransomware attack, hackers install malware onto a computer or system of computers that restricts a victim's access to their files. Payment, often in the form of bitcoin, is demanded to undo it.
The hackers behind the scheme "deliberately engaged in an extreme form of 21st-century digital blackmail, attacking and extorting vulnerable victims like hospitals and schools, victims they knew would be willing and able to pay,” Brian Benczkowski, the head of the criminal division of the Justice Department, said in November.
The cam-hacking claim, which is bolstered by parroting the user’s password in the email, is a means of blackmail: Send us bitcoin, or we send all your contacts the footage.
The reality? Pure manipulation. The scammers don’t have dossiers of footage. They never even hacked you. How? Because the password they flaunted wasn’t hacked, but harvested, gleaned from publicly available databases of leaked passwords and emails.
So there’s no need to cover your laptop’s camera. For now.
GoFundMe fake-outs take advantage of people's generosity.
Another thriving online grift is the GoFundMe sob story fake-out.
One notable example came in a feel-good story from 2017 about a couple raising $400,000 for a homeless veteran who had lent them his last $20. As prosecutors discovered, the trio had concocted the entire story, and not only do they face a mix of federal and state charges, but GoFundMe refunded the donations of all 14,000 contributors.
Another example of strategic storytelling in the art of crowdsourced scamming: A black college student who raised money from Republicans on GoFundMe after claiming her parents disowned her for supporting Trump.
The narrative was suspiciously convenient — because it was a hoax. Although she quickly returned the money she raised, she also exposed how easily you can take advantage of people's generosity.
Pump-and-dump schemes can artificially inflate the value of a currency.
Cryptocurrency is often the form of payment in online scams, but in one scheme, the crypto itself is the fraud.
Investment schemes were always destined to flourish online. By using the web to mass target would-be investors, a schemer can commit the Securities and Exchange Commission no-no of artificially “pumping” up the value of stock to the masses in order to then “dump” the stock on a falsely inflated return.
“[The] ethos is simple: Buy low, sell high. The implication is that investors outside the pump group will see the rapidly rising price and rush to buy in, anxious not to miss the next Bitcoin-style gold rush," Paris Martineau of The Outline wrote.
“There are frankly a lot of groups that have now centered around misinformation,” Laz Alberto, a cryptocurrency investor and editor of the newsletter Blockchain Report, told BuzzFeed reporters Ryan Mac and Jane Lytvynenko in 2018. “It’s obviously illegal, but there’s no regulation and they’ve gotten away with it.”
A cryptocurrency founder was even himself the target of a fake news hoax in 2017, when news spread that Vitalik Buterin, cofounder of the cryptocurrency Ethereum, had died in a car crash.
The fake reports of Buterin’s death caused Ethereum’s valuation to plummet in the market — and later rebound — when the very-much-alive Buterin debunked the rumor himself.