Most of us who live in Woodstock are wise enough to know to lock the doors of our houses, the garage, and our vehicles.
But because of either a false sense of security or a lack of sophistication, we are not as vigilant when it comes to our electronic devices.
Cybercriminals capitalize on internet users’ laxness to steal millions of dollars from U.S. companies and citizens. The total financial loss to cybercrime is between $57 billion and $109 billion each year, according to a 2018 estimate by the White House Council of Economic Advisers.
Who’s at risk?
“Everyone,” said Stephen Taylor, the CEO of LeadingIT in Woodstock.
Since 2010, Taylor’s company has provided technology, computer, network, and security support for organizations, schools, and small companies that lack a technology department or expert.
“It’s everywhere,” Taylor said.
And, since the average American has 130 different online accounts, according to Taylor, that’s 130 potentially unlocked or poorly secured doors through which a criminal can gain access to an individual’s personal and financial information.
Each workday, Woodstock Police Chief John Lieb sits down at his desk and reads through every written report of a crime or attempted crime in the previous 24-hour period.
“It’s disconcerting to me,” Lieb said in a telephone interview, “the number of reports that come in of people who’ve been scammed or have had a scam attempted against them.”
Who are the “bad guys?”
Generally speaking, cybercriminals are systemized crime teams working all day, every day, on gathering information that can be used to gain access to money, Taylor said.
The teams often operate out of foreign countries, particularly Russia and China, where they are out of the reach of U.S. law enforcement.
“It’s not some kid fooling around in his basement,” Taylor said.
While the “bad guys” employ technology to acquire and profit from information, they “take advantage of the human element,” Taylor said. Specifically, cybercriminals prey upon victims’ trust and fear.
A criminal’s first and easiest way to break into personal data is to trick an email user into inadvertently revealing his or her password.
“Email is a treasure trove,” Taylor explained. “It’s totally insecure.”
With an email account and password, the criminal sender can pretend to be anyone.
Tricks of the trade
Taylor and Lieb outlined a handful of the common scams to which local individuals and companies have fallen victim:
One of the most common breaches is in real estate transactions, Taylor said. The criminal network sends an email purporting to be the title company, real estate lawyer’s office, or real estate agent. The email gives instructions that the money for closing be sent to an account via a wire transfer. Instead of going to the title company handling the closing, the money ends up in a foreign bank account.
“It happens very quickly,” Taylor said, “and is not reversible.”
Victims lose all the money they were to bring to close on the home, sometimes the entire purchase price of the house.
Companies can fall victim to “spoofing,” in which an intruder who has gained access to computers sends a message that looks like it is coming from a trusted email address. In this scenario, the company “CEO” sends a message to the chief financial officer. The “CEO” apologizes, says he or she is out of the office, and has a task that has to be done “right now” – a wire transfer to an account for which the “CEO” helpfully provides the account number.
Similarly, a cybercriminal can get into a vendor’s email and trick a customer into wiring a payment to an account controlled by the criminal network.
Although those emails “appear to be the normal course of business,” Taylor said, the losses can amount to tens or hundreds of thousands of dollars.
With access to an employee’s email account, a cybercriminal spoofs the employee, emailing the company’s human relations department with a change to the employee’s direct deposit information, and sending the next paycheck to the criminal’s account. The employee is shocked to discover on payday that no deposit has been made.
“Credit card thievery is still prevalent,” Taylor said. Once a criminal has credit card information, he or she can try the password other places. Or, a criminal might email the victim and threaten to reveal the password unless the victim pays up.
The crimes that Lieb calls “heartbreaking” are the ones in which the victims are elderly, whose defenses are limited in the face of fast talk and high pressure. A criminal with access to a person’s computer sees what sites are on the computer’s history and uses that information to bribe the user. Sometimes people get an email or phone call from an alleged government agency, usually the IRS, demanding immediate payment of some shortfall. Most despicable, a scammer pretends to be a grandchild in trouble in a foreign country – a car accident in London or incarcerated in Mexico – begging the grandparent to wire money, or in a more recent twist, to send gift cards worth hundreds or thousands of dollars to an address the scammer provides.
Trained to be vigilant
The phony IRS and grandchild-in-distress calls are “well-known throughout our industry,” said Jason Mancusi, manager of Woodstock Jewel-Osco. They are so common that Jewel employees receive online training in what to do if a customer comes through the checkout line with an unusually large number of gift cards.
“We start asking questions,” said Mancusi, who reported that Woodstock employees deal with such situations “probably once a month.”
Store employees caution their customers that the circumstances they’re describing don’t sound legitimate. The IRS contacts people only through the mail, for example. And employees ask whether the grandparent has verified that the family member is really in trouble.
“We try to do our best to make sure that people don’t get scammed,” Mancusi said.
Customers who insist on buying the gift cards find, to their regret, that it is nearly impossible to get a gift card refund.
While scammers often demanded payment in Visa gift cards, the current favorite is the Google Play card, Mancusi said, with which people can buy movies, apps, games, and music. Instead, criminals sell the cards to a secondary market.
Consumers should “focus on the preventive,” Taylor said.
Cybercrime “is not going to stop,” he said. “It will be ongoing. It will be ever-changing.”
Tips for protecting your identity
Use strong passwords, a different one for every website. Store passwords in a computer password manager and change them every month.
Be careful when clicking on attachments, links, and downloads. All are common pathways for a hacker to attack a computer.
Use two-factor authentication. Once you enter your username and password on a website, a code is sent via text message to your smartphone. The code must be entered to get into the site.
Have your credit card company send an alert to your phone whenever your credit card has been charged.
Know that the IRS does not call citizens and threaten arrest. If you have a tax problem, you will receive a letter from the IRS.
Before sending any money, anywhere, consult with family members, the police department, or an attorney to be sure the money is being sent to a legitimate site.
“We are used to doing things quickly,” Taylor said. The best advice is to “put your seatbelt on and click slowly.”