Why You're Not as Scam-Proof as You Might Think

The world is evolving -- technology, norms, and trends are constantly changing. Why wouldn't scammers, too? Sure, you delete the obvious spam emails, but what about a message from a hacker that begins with your password?

In this week's episode of Industry Focus: Tech, host Dylan Lewis talks with economic crimes detective (and Fool.com writer) Matthew Cochrane about today's internet scams and how to keep your information safe. Learn the four signs of a scam, how scammers use fear and greed against their victims, some tips on creating and managing strong passwords (or using secure software to help), how to find out if your accounts have been compromised, why you should put some tape over your webcam, and more.

A full transcript follows the video.

This video was recorded on August 17, 2018.

Dylan Lewis: Hey, folks! Friday Tech show host Dylan Lewis here. We're going to try something a little different with today's show. I'm actually going to start things off with a story.

Last week, I woke up, checked my phone, and saw my old college Gmail had an email from a name I didn't recognize. 

New message from Sheldon Figueroa. Subjects: Alert for [bleep]

I won't beat around the bush. I do know [bleep] is your password. More importantly, I'm aware about your secret and I have proof of this. You don't know me, and no one employed me to investigate you. It's just your misfortune that I found your blunder. The truth is, I actually set up a malware on the adult vids (adult porn), and you visited this site to experience fun (you know what I mean?). While you were watching videos, your internet browser started functioning as an RDP (Remote Desktop) that has a keylogger which gave me accessibility to your screen and also web camera. Immediately after that, my software collected your complete contacts from your FB as well as mailbox. I then gave in much more time than I should have exploring into your life and created a two-screen video. First part displays the recording you had been watching and second part displays the view of your webcam (it's you doing nasty things). Honestly, I want to forget details about you and allow you to move on with your regular life, and I am about to offer you two options that will achieve that. These two choices are either to ignore this letter or just pay me $3,200.

Let's investigate those two options in more detail. Option one is to ignore this email. Let us see what is going to happen if you opt this path. I will certainly send your video recording to your contacts, including relatives, coworkers, and so on. It does not help you avoid the humiliation your family will must face when family and friends discover your assorted details from me. Second option is to make the payment of $3,200. We will name it my confidentiality tip. 

Now let's see what happens if you pick this option. Your secret remains your secret. I will erase the recording immediately. You continue on with your life like nothing ever happened. 

At this point, you must be thinking, "I will call the cops." Let me tell you, I've taken steps to make sure that this message cannot be traced back to me. Plus, it won't prevent the evidence from destroying your lifetime. I'm not planning to dig a hole in your pocket. I just want to be compensated for the time I put into investigating you. Let's hope you have chosen to generate all of this go away and pay me the confidentiality fee. You will make this payment by Bitcoin (if you do not know this, search how to buy bitcoins on search engine). Amount to be sent: $3,200. Bitcoin address to send: 1P*EVQXCBKYEED3Z15PE0F3S8Y9JFCZRDZP (delete star from this address and copy/paste it carefully). Share with no one what you will use the Bitcoin for, or they will often not offer it to you.

The procedure to have Bitcoin usually takes a short time, so do not wait. I have a unique pixel in this message, and now I know that you have read through this email. You now have two days in order to make the payment. If I don't receive the Bitcoin, I definitely will send your video recording to all of your contacts, including close relatives, colleagues, etc. You better come up with an excuse for friends and family before they find out. However, if I receive that payment, I'll destroy the video immediately. It's a non-negotiable one-time offer. Thus, please don't waste my time and yours. 

Your time is running out. Let me remind you, my tracker will definitely be keeping tracking of the actions you are taking when you find yourself done looking over this letter. Swear to God, if I see any wannabe smart activity from your search history, then I'll send out your video to your family members, colleagues, even before time finishes.

This stranger had blown the doors off my digital privacy and was holding my relationships and reputation as ransom... or so he wanted me to think. The reality? This message was just the latest iteration of a time-honored internet tradition: the internet scam.

Now, anyone could claim to have hacked into my computer, but what immediately gave this Sheldon Figueroa credibility was that he knew my password. I zeroed in on that piece of information because it completely legitimized the idea that he had something I should be ashamed of. In my case, this scammer got lucky, because there was no hacking, at least on his part. This approach, which is gaining popularity, takes account information that has been leaked in large-scale data breaches and attempts to use it to prop up the scammer's legitimacy, at least according to journalist and security expert Brian Krebs. 

I popped my old college email into haveibeenpwned.com, a website that allows users to check and see if an email address has been compromised in any data breaches. Sure enough, the account and password had been included in the 2012 LinkedIn hack, as well as a few others. These scammers were simply masquerading leaked account information as something far more insidious, and I made for a pretty good target. I had totally ignored updating my old email and used the same password across several different accounts back when I was using it. In my case, the scheme only cost me a few minutes of Googling -- way better than $3,200 in Bitcoin. But there were a few other tells that should have tipped me off to the scam.

On today's show, we're going to walk through the signs of an internet scam, how hackers work, and what you can do to protect yourself. To get those tips, I chatted with Matt Cochrane. 

To get us started, Matt, you are a writer for Fool.com by night. By day, you have a totally different job. Do you want to talk a little bit about what you do for your day job?

Matt Cochrane: Sure. I have been in law enforcement for the past 12 years. For the past four of those, I've been a detective in my department's economic crimes unit. During this time, the vast majority of my cases have dealt with identity theft, credit card fraud, money laundering, and, yes, scams. Unfortunately, these types of scams are just growing more and more popular. To the criminal, they offer a superior risk vs. reward payout in crimes such as burglary or theft. For instance, the email you received asking for $3,200 in Bitcoin -- if I'm a criminal, how many cars do I have to break into to steal items worth that amount? Furthermore, if I break into a car, there's a chance a witness might see me, there's a chance a surveillance video picks me up, there's a chance I leave a fingerprint or get cut and leave my blood behind on the scene. If I'm making a phone call or sending out emails, there's several ways to disguise where the phone call came from, or where emails came from, that almost make it impossible to track down. Criminals are on to this, and unfortunately, these types of scams are probably not going away anytime soon. 

Lewis: According to experts this recent hash of passwords extortion emails has already duped over 150 individuals, netting scammers over $250,000. But that's pennies compared to the overall market for fraud. The FTC puts out an annual report summarizing consumer complaints. In 2017, consumers reported losing over $900 million to fraud, up 7% from the year before. To scammers, the pie keeps getting bigger, and technology is making it easier for them to iterate and hide. Which is why as a consumer, you need to be on guard. While the mechanisms might change, most scams follow a similar script. 

Cochrane: All scams are trying to trigger one of two emotional responses in the targeted victim: fear or greed. As you observed, the reason why the scammer wants to do this is because they're looking for you to leave behind your good sense. If they can get you to believe you're either being given the deal of a lifetime -- greed -- or that you or a loved one is facing a dire situation unless you act quickly -- fear -- then often, we're going to overlook these warning bells going off in our head that are telling us something isn't quite right. 

Lewis: The email I received was of the fear-based variety, but the tack isn't limited to email. In fact, the best-known fear-based scam might be the grandparent scam.

Cochrane: The caller is going to call someone, typically an older person, and they're going to say, "I'm the bailiff at the..." and they'll say some faraway court. They'll say, "Your grandson has been arrested for drunk driving, or leaving the scene of an accident, when he was on his skiing trip here. He said I could call you because he knew you were the one person he could call to trust to help him out. And he really doesn't want you to tell his parents. He seems like a nice guy, so I'm calling you for his sake. He needs you to wire X amount of dollars." What's that grandparent going to do? A lot of times, they're going to react based on that fear for their grandson, like, "Oh my goodness, he's in jail, and I need to help him out!" And they're going to wire that money. And then, of course, the next day, they always keep going back to the victim asking for more money until the victim stops.

Part of that scheme is, don't tell Johnny's parents because he doesn't want them to know. So, they're not going to talk to anyone. Of course, if they talked to Johnny's parents, they would find out that Johnny wasn't on a skiing trip in Canada at that time. 

Lewis: But that's not all.

Cochrane: Of course, there's tax scams. "If you don't pay your taxes, you're going to jail."

Lewis: For greed-based scams, most people are probably familiar with the idea of the Nigerian prince -- someone who's willing to share his fortune so long as you provide the money necessary to process the transfer. These fun transfer scams are older than the internet, so people are a little bit more familiar with them. But if anyone is ever offering you a huge lump sum out of the blue, be skeptical. 

One other style worth noting: the romance scam.

Cochrane: I mean, they're all sad, but this one... They'll develop an online relationship with someone. And this person thinks it's real. And they're a worker in a faraway state, so they're starting this long-distance relationship. And at some point: "Oh, I got this job, but I need some money to pay upfront and dag nabit, I can't take the job because I need $2,000."

The brilliance of this scam is, they don't even actually outright ask the victim for the money. But the victim almost inevitably offers the money. "Oh, you need $2,000? I can forward you that money." Yeah, yeah, romance scams are definitely another type of popular scam out there right now. 

Lewis: And these scammers in particular will go to incredible lengths to get money from people. 

Cochrane: I'll still be amazed, to this day, the type of investment these people are willing to make, as far as time goes, into these scams. For instance, these online relationships, they can go on for months. They'll send poorly written love poems to their target, and these long descriptions of how their day was. I'm sure it's mass-produced, but to the victim, it feels very real.

Lewis: Now that we've scared you out of your senses, made you question pretty much every online interaction you've ever had, here's what you need to watch out for.

Cochrane: There's several common signs of a scam, many which were present in the email you received. All of these signs are not going to be present in every single scam, but there's almost invariably some of them present in every scam. One is: "Absolutely don't tell anyone." The scammer knows if you begin to ask around about the situation, someone's going to know it's a scam. So, a part of the scam will always be to not tell anyone.

Lewis: This is made even easier depending on the scammer's approach. In the email I got, the scammers are preying on a particularly private moment that makes it even harder to have a voice of reason pop in and say, "Hey, this is a scam." But that's not the only trick that scammers use. They also don't give you very much time. 

Cochrane: Another thing they try to do is create this sense of urgency. Whatever needs to be done, needs to be done within a hard time limit. Going back to your email, you have two days to respond. You have to do this quickly. 

Lewis: Something you should also be on the watch for? People asking for important information. 

Cochrane: Another common sign is seeking private information. This one doesn't have too much to do with what you received. But a lot of times, they're going to ask you for, "Hey, we need your Social Security number to make this right." Or, "We need your bank account information to get the money you owe us," or whatever. They're going to ask for some type of private information. 

Lewis: The last common sign Matt sees in scams is that they're often asking for payment via some untraceable or irreversible method. 

Cochrane: They don't want you to send a check. If you owe the IRS money, why couldn't you just send them a check? But this time, the IRS wants you to wire the money via Western Union or MoneyGram. They want you to buy iTunes gift cards and send them the gift card numbers. Or, in your case, they want you to send cryptocurrencies, which are very hard to track, sometimes impossible. 

Lewis: So, your four signs of a scam: sense of urgency, don't tell anyone, private information, and untraceable payment methods. To put a bow on it, it's coming from an unknown individual or totally unsolicited.

The reason it's so important to recognize these signs is that once you get roped into a scam, it won't stop. The people behind the scheme will keep coming back.

Cochrane: One common thing about a scheme is, they will not stop contacting you until you stop paying. What would happen next is, they would probably ask you for more money. Going back to the grandparent scam, little Johnny's in jail and he needs to be bailed out. Wire $1,000. So, they'll wire $1,000. Well, once you wire money, they're going to call again and say, "Well, we bailed him out, but his court fees are $1,200." So, you'll wire the $1,200. Then the next thing will be, "We paid his court fees, but he also hired an attorney, and the attorney fees are $2,000." And they won't stop, unfortunately. It's horrible. Either they won't stop until the person stops sending money or until the person runs out of money. 

Lewis: Those are the tips for keeping yourself from being scammed. On the second half of the show, we're going to run through best practices to keep in mind online.

Some Googling saved me trouble in my experience, but the episode also revealed I wasn't up to date on best practices for online security. Matt also ran me through the teachable moments from my experience, and it all starts with passwords.

Cochrane: Most of us know and understand the golden rules for passwords -- use a variety of alphanumeric characters and symbols, use a unique password for each account we use, don't use something someone could easily guess, like our firstborn son's name and birth year. Don't write down a list of our passwords and keep it next to our computer, or in a Word document on our computer. The rules are simple to understand. They're just almost impossible to execute. I mean, who can possibly remember all the passwords we need in today's society without making it mind-numbingly simple or repeating the same passwords over and over again across multiple accounts?

Lewis: The recommendation: Use a password manager like LastPass or create a system for yourself. For me, I've developed a code. I have an alphanumeric root word that I use across passwords. For the sake of the podcast, we'll call it arugala44$. Then, I have a site-specific nickname, and I'll add that to it, so I have a memorable but unique login for each domain name.

Prevention tip No. 2 from Matt: Mind your webcam. The email I got was full of empty threats, but it was channeling a very real danger. There are several examples over the past few years of hackers actually gaining access to an individual's computer; searching their files for private messages, images, videos; and then blackmailing them while monitoring their emails and controlling their webcam. One of the easiest ways to avoid that is to cover your webcam -- and all it takes is a piece of tape. 

Matt's final piece of advice: Be critical of emails asking for sensitive information.

Cochrane: Many scams that do contact you by email are part of a phishing scheme. Phishing is the attempt to obtain sensitive information such as usernames, passwords, Social Security numbers, credit card information, and other account numbers for fraudulent purposes by impersonating what should be a trustworthy source. In general, be wary of all emails coming from unknown sources. 

Oftentimes, a simple Google search could reveal that what you received is a scam. Don't give anyone sensitive information over email, unless you are certain you know who you are giving it to. That includes entering information on links that were included in emails from unknown sources. Your bank doesn't need to ask you what your Social Security number is. They don't need to ask you what your account number is. They already have that information.

Lewis: The reason why understanding the signs of a scam and taking preventative measures is so important: Examples of victims recouping the money they've lost are few and far between. 

Cochrane: Unfortunately, in today's world, it's just so easy. These criminals are getting more savvy than they used to be. Even since the time I've been investigating these types of cases, I've seen it where, I used to be able to track down an IP address and use that to actually find where the criminal might have generated his attack from. These days, everybody knows about Tor routers or Onion routers, where it basically can spoof a million IP addresses. And, also, same thing with phone numbers, unfortunately. There are success cases. But it can be a low batting average at times.

Lewis: After a few red flags, I thankfully had the good sense to Google a few elements of the email I got to check and make sure it was a scam -- something that only took a couple of seconds. I got lucky, though. I'd already changed all the passwords for accounts that had used that password, and no damage was done. One victim from the 2012 LinkedIn attack had a far worse fate. 

Cochrane: One person whose account was compromised in that breach also happened to use the same password for his Twitter and Pinterest accounts. Years later, the hackers would break into these accounts, posting his password for the entire world to see -- dadada. And after the LinkedIn breach, the user had changed his password for LinkedIn, but he failed to reset his password to other social media sites where he had reused the same password. Years later, this came back to haunt him, because the hackers had embarrassed probably the world's richest and most famous millennial, Mark Zuckerberg.

Lewis: Listeners, that does it for this episode of Industry Focus. We like to do these more heavily produced, fun shows every now and then. Please let us know what you think with an email or iTunes review. You can reach us at [email protected] or on Twitter @MFIndustryFocus, as well. Special thanks to Austin Morgan for all his work behind the glass today, and to Taylor Harris and Kristine Harjes for lending their voices to the first part of the show. 

As always, people on the program may own companies discussed on the show, and The Motley Fool may have formal recommendations for or against stocks mentioned, so don't buy or sell anything based solely on what you hear. Thanks for listening and Fool on!