M is for Malware
Fact : the Mal in malware stands for malicious. Myth : you have to be careless or dumb to fall for a malware attack. Fact : 80% of fraud attacks on Malaysian companies in 2021 were due to malware. Myth : the user needs to make many mistakes to be a victim of malware.
Some of the above might seem shocking whilst some seem obvious. However, these are becoming increasingly important to reinforce as the number of malware victims trends upwards. Just as important to how dangerous malware can be is knowing how malware often makes its way to a healthy host.
As per all good scams, this one starts off by identifying and addressing a need. The logic is simple - if your victim needs something that you can offer, it is likely that the victim will suppress their logic center as they will be driven by desperation. Much like the dopamine hit from buying something, scratching something off a to-do list activates the reward center of the brain, making a decision seem like a good one even if based on impulse or sketchy logic.
Some of the most common needs to cater to are babysitting services, part-time/work from home jobs and of course, cleaning services. These are a few needs that the fraudsters pose as in order to entice their victims. At first things seem normal, the victim engages with the fraudster believing them to be offering a valid service. Increasingly commonly, this is done via WhatsApp or other instant messaging services.
In the course of conversation the fraudsters would try to get as much information out of the victim as possible. This could include information such as how many children do you want me to babysit and for how many hours or how big is your office and how many cleaners do you want to come to clean up?
Then, the fraudsters would entice the victims even further by offering them a promotion to save money in exchange for their services. This is pretty standard across almost all fraud where a sense of urgency to act is encouraged by using the dangling carrot of a limited time offer promotion.
It is at this stage that the fraud changes from standard to extraordinary. In order to complete the transaction the fraudster will inform the victim that the additional step is required. This step normally involves the downloading of a bit of software. It is sent to the victim via a messaging app under the cloak of "you need to use our app to reserve dates" or for "you to get paid for your part-time work you must log your hours via this app." To summarize, the fraudsters force the victims into accepting that the only way to get the service they desire is to download the software.
Another common trick that is seeing increased use is referred to as spear phishing where Malware is sent from one party to another. This is prevalent in offices but does happen in social settings as well. Here, the victim will receive an email or perhaps even an instant message from a fraudster posing as someone they know (ex : the victim’s boss/friend). The email would contain a link to something seemingly innocent like a Google Sheets document or a Facebook post. However, from within that link, either a trojan or virus is downloaded that can compromise the security of the device and the network it is connected to.
But surely there is a smoking gun. The victim should have been more thorough.
This line of thinking is extremely common in people who have not been victims of fraud. The reality is that fraudsters, especially professional fraud rings of which there are many, put in time and effort to cover as many bases as possible to seem legitimate. This can be as simple as creating a Facebook page or a website or as complicated as creating multiple fake accounts to review the company on websites like Trustpilot.
More often than not, the only way to discern if a merchant is fraudulent is to do what it's called a deep dive. This means taking steps such as looking for their registration number on their website. Or if that is not available, which for the record it must be by law, searching for the company name on the registrar of companies website. Another popular step is looking at the accounts on social media that have left positive reviews determining how old these accounts are and other reviews they might have left in the past.
However the reality is that very few people who need services like babysitting, cleaning etc, have the time on their hands to conduct this level of deep dive reviews. And therefore, they fall victims to fraud.
However here are some methods that could be used to ensure that you don't fall victims as well.
Number one - go out of your way to ensure that you don't install malware. This means installing anti-virus software such as AVG or Norton on your phone and your PC. These apps should access impediments when it comes to installing non standardized software meaning you would need to expressly decide to install the software. Of course this is going to depend heavily on you remembering that these impediments exist for a reason.
Number two - pay attention to how you were introduced to the vendor. Most fraudsters use advertising platforms such as Instagram and Facebook because these platforms allow them to deliver extremely targeted ads. This does not mean that all companies who advertise on social media are fraudulent, it's just that when you find a vendor via social media and they ask you to install your app, be extremely cautious. Another tip is to try to comment on one of the vendor's posts. Most of the time fraudsters block comments on their Instagram posts because they do not want former victims to warn potential victims therefore they disable comments.
Number three - call the vendor. Most of the time fraudsters disguise themselves as a female employee of the company when conversing with them via instant messaging. This is down to the fact that people tend to put their guard down when interacting with a stranger who is female as compared to a male. Furthermore, fraudsters tend to shy away from actual conversations and prefer opting for keyboard conversations.
Number four - act technologically backwards. What this means is you should take steps to seem more out of touch with technology than you are. An advisable step is to inform the fraudster that you do not have online banking. Tell them you haven't set it up but you are willing to drive to the ATM to bank in the deposit to secure their services. If they understand and are accommodating, that is a good sign. If they push you to install the app and pay the deposit online, even if that means bothering a friend, relative or neighbor to do so, remove yourself from the conversation.
Of course if all of this seems a bit too complicated and you just want more general advice, reach out to us for a free no strings attached consultation.