It may not seem like it, but behind almost every successful scam is a scenario so well-crafted it would make Steven Spielberg clutch his chest and go, “Jesus Christ!”. Scammers harness the power of good storytelling. They know that creating realistic scenarios increases their chances of tricking someone into divulging information or sending money. It’s a process known as pretexting — the art of manipulating people with falsified stories. Pretexting thrives on gaining and abusing trust. Here’s an example attack broken down step-by-step from the scammer’s perspective.
Step 1: Identify the Target: Research leads to successful attacks. Scammers will do their best to gain information about specific individuals or job roles. They use public forums like social media to research people and collect data, which can ensure a smooth transition to the next step.
Step 2: Develop Credibility: For a scam to work, the attacker must present themselves as credible and trustworthy. This usually involves the impersonation of someone the victim knows. Examples include impersonating executives, customer service agents, and family members or friends.
Step 3: Set Up the Scenario: With the target identified and information about them in hand, the attacker will attempt to gain trust. This is typically accomplished by calling the target and detailing a plausible scenario. Sometimes, the attacker might even use tools that trick the caller ID and make the call appear like it’s from a legitimate business.
Step 4: Vanishing Act: Whether the goal was to gain access to confidential information or defraud the victim of money, the attacker will vanish once successful. Hopefully, the attack will fail, and the target will report the incident immediately so the organisation can warn others of potential scams.
Pretexting utilises old-school techniques with a few goals: steal confidential information, gain unauthorised access, or financially defraud people. How do scammers achieve those goals? Most of the time, they just pretend to be someone else. Let’s explore four common scenarios.
The Bank Representative: One of the most traditional scams involves a phone call from someone claiming they work for a bank where you have an account. They’ll calmly tell you they had to freeze your funds due to suspicious activity and ask you to confirm your username and password to unlock them.
The Friend Who Needs Help: If someone falls victim to a phishing attack, they could also lose control of their social media profile. The attacker can then use that profile to send their friends and family messages like this: “Help! I’m travelling internationally but lost all of my bank cards. Can you wire me some money to buy a ticket home?”
The Manager: What would you do if your boss or manager emailed you asking for highly confidential information? A lot of people tend to respond quickly to requests that come from authority figures. That’s why scammers attempt to impersonate executives and others in management positions.
The Tech Support Agent: Are you having computer problems? You may not be, but the scammer posing as a tech support agent sure hopes you’ll believe you are. This common scheme attempts to defraud people out of money by convincing them to pay for support services they don’t need to fix problems that don’t exist.
How to spot scams.
From phishing emails to suspicious phone calls, most scams can be identified by using a little common sense and staying alert for these red flags:
Threatening or urgent language: In an email, text message, or over the phone, threatening or urgent language is always a red flag. Scammers want you to react before you can properly think about the situation. Any time someone asks you to perform an urgent action immediately, “or else,” you can assume you’re being targeted.
Bad grammar or awkward phrasing: Messages that contain poor grammar, incorrect spelling, or an awkward tone should trigger your scepticism. Hover over links to reveal their true URLs before clicking. Unless you’re sure an email is safe, don’t click and don’t respond. At work, report it immediately. At home, block the sender, and delete the email.
Gift cards: Many fraud cases involve asking the victim to purchase gift cards and reveal the payment details to the scammer. Since gift cards are essentially cash, they lack the built-in consumer protections that credit and bank cards have. Remember that no legitimate organisation or entity will ever ask you to pay for something with gift cards.
Random text messages: Phishing via text messages—known as smishing—has become increasingly frequent. A typical smishing attack features many indicators we encounter with phishing attacks. Most notably, they’ll fail to greet you by name or username, make a threat or an urgent call to action, and include a suspicious link. Always think before you click.
Unexpected email attachments: Email attachments are one of the most common ways data-stealing malware infects devices. Generally, never open or download attachments from people you don’t know. Even if you receive one from someone you know, don’t assume it’s safe. Carefully review the message and confirm its legitimacy before accessing the attachment.
These scenarios are based on actual scams that continue to target organisations and individuals. You can avoid becoming a victim by remaining sceptical, verifying people’s identities before obliging requests, and using common sense. At work, follow policy, and report anything suspicious immediately.
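For teams that triage reported messages, the red flags listed above can be turned into a first-pass check. The sketch below is an added example, not part of the original article: it automates the "hover over the link" comparison and the urgency, gift card, greeting and attachment checks. The phrase lists, the function names and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed phrase lists and sample message for illustration (.example domains are reserved).
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|right away|or else|frozen|suspended)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
SAMPLE = ('<p>Hello, your funds are frozen. Confirm your password immediately at '
          '<a href="http://bank.example.verify-login.example/u">https://www.bank.example/unlock</a></p>')

class BodyParser(HTMLParser):
    """Collects the visible text and the (href, link text) pairs of an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._label = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host(url):
    """Lower-cased hostname without a leading 'www.'; '' if it cannot be parsed."""
    try:
        name = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    except ValueError:
        return ""
    return name[4:] if name.startswith("www.") else name

def red_flags(html_body, recipient_name, attachments=()):
    """Return the red flags from the list above that a message triggers."""
    p = BodyParser()
    p.feed(html_body)
    text = " ".join(p.text)
    checks = {"urgent_language": URGENCY.search(text), "gift_card_request": GIFT_CARD.search(text),
              "no_greeting_by_name": recipient_name.lower() not in text.lower(),
              "attachment_needs_verification": bool(attachments)}
    flags = [name for name, hit in checks.items() if hit]
    for href, label in p.links:  # the "hover over the link" check, automated
        shown, real = host(label), host(href)
        if LOOKS_LIKE_URL.match(label) and real != shown and not real.endswith("." + shown):
            flags.append("link_mismatch:" + real)
    return flags
```

A link is flagged only when its visible text is itself a URL and the real destination is neither that host nor one of its subdomains, so ordinary "click here" links and links to a subdomain of the displayed site pass.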
Situational awareness is key.
At Kora, our goal is to connect Africa to the world and connect the world to Africa via payments. We provide All The Support You Need ™️ for startups and businesses working in Africa to start, scale and thrive on the continent. Visit www.korahq.com to see all the ways you can thrive with Kora.