Increasingly, in cybersecurity, the corporate end-user is on the frontline. Most security professionals will agree that the perimeter is dead. Repeatedly targeted as the perceived “weakest link”, humans continue to represent a particular risk in being susceptible to phishing tactics or Business Email Compromise (BEC). But every employee is also a consumer, exposed to a growing range of online threats in their daily lives — many of which use similar social engineering techniques.
Several months ago I was alerted to a dating scam. It reminded me of the importance of best-practice security to insulate the corporate network from any threats your employees encounter outside of work.
Playing the long game
The dating app scam took in a friend of mine, let’s call her Theresia — a smart and successful businesswoman in her 40s who was drawn in after communicating with an individual on a popular dating site. He professed to be a successful businessman from Georgia, recently widowed, who had also lost one child and was raising two others. He claimed this was his first time on a dating app since getting over two separate but recent family tragedies. Yet he was never available to talk on the phone because of a busy work schedule. When he did try to call, it would be 2AM while she was sleeping or during the day while she was in business meetings. Texts or calls would come from different numbers. Whenever a return call was attempted, she could never win the game of phone tag. She smelled a rat and asked for my help.
When I suggested that she ask this online Romeo to send a picture of him with today’s paper or some other validation, the inevitable happened. What came back was the picture of the same person used in his fake profile, but with a crudely photoshopped date overlaid on what I assume is an older picture. Thus, this particular scam came crashing down.
It’s not rare in itself, of course. In 2017, three Nigerians were sentenced to a total of 235 years for their part in an international financial fraud scam exploiting women they met on dating sites. In the UK a few years back, a woman in her 40s was conned into handing over a staggering £1.6m ($2m) to dating site scammers.
But this case was different, in that Theresia had not been asked for her financial details and had not ostensibly been defrauded in any way. In reality, however, the fraudster was playing a very long game. Over a period of several months he had asked for photos of her and a large amount of personal information. Challenge questions were popular: “my favorite color is blue, what’s yours?” In this way, he found out a great deal about her. Childhood pet, favorite teacher at school — all useful info if you want to commit identity fraud. At all times these questions were interwoven into the daily routine of texting and dating site conversations.
The chances are he was stringing her along, obtaining as much info as possible, while using this detail to construct separate fake female profiles to snare men on dating apps. At some point in the future, he would also probably have cashed in his chips, using that profile info to crack her bank and other online accounts, or possibly convincing Theresia to be a money mule for another tragic con game.
In the end, the game was getting old. Theresia called con-man Romeo while on a conference bridge so that I could assist in scamming the scammer. Let’s just say that the photographs and the rich accent did not align. While the conversation played on, she would ask questions based on what she had learned over the past few months. Sometimes his answers did not match what he had said previously. It seemed as if there was a database that a team of people was using to crowdsource the victim conversations.
The corporate angle
So why should IT leadership care? Scam victims like Theresia are also employees. If one of yours gets caught out, who’s to say they haven’t handed over some vital information that will help the scammers guess their passwords, answer challenge phrases, or make them vulnerable to coercion? Given that credential reuse is widespread, this could make it even easier for them to hijack not only their victim’s personal email and online bank accounts, but possibly even their work accounts.
Very often the scammers encourage their victims to continue the conversation away from the dating app, knowing that the platform’s internal police will eventually catch up with them. Once out of the spotlight, they might send the victim links which could give them remote access to their computer.
To minimize the risk of corporate systems being exposed by after-hours scams, consider:
· Step up employee training and awareness. Perhaps extend training beyond phishing awareness and password hygiene to educating staff more broadly about common internet scams.
· Enforce the use of password managers to generate long and strong credentials for corporate accounts, so users don’t have to rely on passwords that are easy to guess or crack.
· Even better, implement one-time PINs or multi-factor authentication (MFA) to do away with traditional passwords altogether.
· Set browsing egress restrictions to prevent the use of dating sites while at work.
· Ensure any corporate mobile devices or BYOD laptops, handsets and tablets are protected with AV and/or screened before being allowed to connect to the corporate network.
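To make the credential-hygiene points above concrete, here is an added Python example (it is not code from the original post) of the kind of check an identity team could run when a user sets or rotates a password. It flags passwords built from the sort of details a long-game scammer harvests (pet name, favorite color, birth year), catches reuse across accounts by comparing hashes rather than stored passwords, and shows the random credential a password manager would generate instead. The collected facts, passwords and function names are constructed, hypothetical values.

```python
import hashlib
import re
import secrets
import string

# Constructed sample of the personal details a "long game" scammer harvests through
# chatty challenge questions. Hypothetical values, not tied to any real person.
COLLECTED_FACTS = {
    "favorite_color": "blue",
    "childhood_pet": "Biscuit",
    "favorite_teacher": "Mrs Kowalski",
    "birth_year": "1978",
}

# Common substitutions that make a guessable word look "clever" (blu3, b1scu1t, ...).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 14  # assumed policy minimum for this example


def normalize(text: str) -> str:
    """Lowercase, undo common leetspeak substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET_MAP))


def fact_tokens(facts: dict) -> set:
    """Break collected facts into the fragments a guesser would actually try:
    alphabetic words (normalized, 4+ letters) and digit runs (4+ digits)."""
    tokens = set()
    for value in facts.values():
        for tok in re.findall(r"[A-Za-z]+|\d+", value):
            if tok.isdigit():
                if len(tok) >= 4:
                    tokens.add(tok)
            else:
                norm = normalize(tok)
                if len(norm) >= 4:
                    tokens.add(norm)
    return tokens


def derived_from_facts(password: str, facts: dict) -> list:
    """Return the harvested fragments the password appears to be built from."""
    norm_pw = normalize(password)
    digits_pw = re.sub(r"\D", "", password)
    hits = []
    for tok in fact_tokens(facts):
        haystack = digits_pw if tok.isdigit() else norm_pw
        if tok in haystack:
            hits.append(tok)
    return sorted(hits)


def fingerprint(password: str) -> str:
    """Hash used only to detect reuse across accounts without storing the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def assess(password: str, facts: dict, seen_fingerprints=()) -> list:
    """Return a list of policy findings; an empty list means the credential passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for tok in derived_from_facts(password, facts):
        findings.append(f"contains harvested detail '{tok}'")
    if fingerprint(password) in seen_fingerprints:
        findings.append("reused from another account")
    return findings


def generate_credential(length: int = 20) -> str:
    """What a password manager does: a random string unrelated to anything the
    user could be talked into revealing."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    bank_pw = "B1scu1t1978!Blu3"          # constructed: built from harvested facts
    print(assess(bank_pw, COLLECTED_FACTS))
    # A "new" work password that is just the bank password used again
    print(assess(bank_pw, COLLECTED_FACTS, {fingerprint(bank_pw)}))
    print(assess(generate_credential(), COLLECTED_FACTS))
```

The point of the hash comparison is that a central check for reuse never needs the other account's password, only its fingerprint; in practice a salted or slow hash and a breached-password service would replace the plain SHA-256 used here for brevity.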