Frauds and Scams (OBJ 2.2)

Understanding Fraud and Scams

Definition and Explanation of Fraud

  • Fraud is defined as a wrongful or criminal deception intended to result in financial or personal gain for the attacker.
  • Unlike regular theft where an attacker directly steals valuables from a victim, fraud involves tricking the victim into willingly providing information or assets.
  • Social Engineering: Both fraud and scams are categorized under social engineering techniques that manipulate individuals into divulging personal information.

Identity Fraud vs. Identity Theft

  • Identity Fraud: This term refers to acts whereby an attacker utilizes another individual's personal information to commit a crime without their authorization.
    • Example: Using another's credit card details to make unauthorized purchases.
  • Identity Theft: This is a more severe form of identity fraud where the attacker fully assumes the identity of the victim.
    • Example: An individual from outside the U.S. steals a victim's personal details (like name, address, date of birth) and uses them to get a job.
  • Terminology: The terms identity fraud and identity theft are often used interchangeably, but the distinction lies in the extent of identity assumption by the attacker.
    • CompTIA’s preference is to use the term identity fraud to encompass both scenarios.

Common Personal Information Targeted

  • Criminals frequently attempt to steal sensitive personal information, including:
    • Social Security Number (SSN)
    • Date of birth
    • Birthplace

Understanding Scams

  • A scam is defined as a fraudulent or deceptive act in which a victim is tricked into doing something.
  • Scams can take various forms, but they all share the common objective of deceiving the target.

Example of a Common Scam: The Invoice Scam

  • Invoice Scam: A deceitful act in which an individual is tricked into paying for a bogus invoice related to a product or service not actually ordered.
    • Process of an Invoice Scam:
      1. An employee receives a phone call from the scammer who asks questions about their office equipment (e.g., printer type).
      2. The scammer might either correctly guess or deliberately misstate the type of printer used.
      3. The employee unknowingly verifies this information, providing a pretext for the scammer.
      4. The scammer then states there is an order ready to ship and convinces the employee to confirm via recorded approval (i.e., a simple "yes" or "okay").
      5. The company later receives overpriced toner boxes with a legitimate-looking invoice that has the recorded approval attached, making it difficult to dispute.
  • Financial Implications: Commonly, toner could cost $100 per box, but the invoice may total $950, indicating significant overcharging.
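The control that defeats the scam above is accounts-payable matching: an invoice is paid only when it cites an approved purchase order whose vendor, item, quantity and unit price agree with it, so a recorded "okay" on a phone call never becomes a payable document. The following is an added illustration written for these notes, not code from the course; the vendor names, PO numbers and the 10% price tolerance are constructed assumptions, and the $100 and $950 figures are the ones the notes cite.

```python
"""Three-way invoice check (added illustration, all data constructed):
refuse to pay an invoice unless it cites an approved purchase order whose
vendor, item, quantity and unit price agree with it."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    item: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor: str
    item: str
    quantity: int
    total: float
    po_number: Optional[str] = None  # scam invoices typically cite no real PO


PRICE_TOLERANCE = 0.10  # assumed policy: tolerate at most 10% above the PO price


def check_invoice(inv, purchase_orders, approved_vendors):
    """Return a list of findings; an empty list means the invoice is payable."""
    findings = []
    if inv.vendor not in approved_vendors:
        findings.append("vendor not on approved list")
    po = next((p for p in purchase_orders if p.po_number == inv.po_number), None)
    if po is None:
        # A recorded "yes" on a phone call is not a purchase order.
        findings.append("no approved purchase order references this invoice")
        return findings
    if (po.vendor, po.item) != (inv.vendor, inv.item):
        findings.append("purchase order vendor/item does not match invoice")
    if inv.quantity > po.quantity:
        findings.append(f"quantity {inv.quantity} exceeds ordered {po.quantity}")
    unit = inv.total / inv.quantity
    if unit > po.unit_price * (1 + PRICE_TOLERANCE):
        findings.append(f"unit price ${unit:.2f} exceeds PO price ${po.unit_price:.2f}")
    return findings


# Constructed sample data: one genuine toner order at the $100/box price the notes cite.
APPROVED_VENDORS = {"Acme Office Supply"}
PURCHASE_ORDERS = [PurchaseOrder("PO-1001", "Acme Office Supply", "toner box", 2, 100.00)]

LEGIT_INVOICE = Invoice("INV-55", "Acme Office Supply", "toner box", 2, 200.00, "PO-1001")
# The scam from the notes: an unsolicited shipment billed at $950 with no PO behind it.
SCAM_INVOICE = Invoice("INV-99", "Premier Toner Partners", "toner box", 1, 950.00)
# Same scheme, but citing a real PO number learned on the call: the price check still catches it.
SPOOFED_PO_INVOICE = Invoice("INV-100", "Acme Office Supply", "toner box", 1, 950.00, "PO-1001")

if __name__ == "__main__":
    for inv in (LEGIT_INVOICE, SCAM_INVOICE, SPOOFED_PO_INVOICE):
        result = check_invoice(inv, PURCHASE_ORDERS, APPROVED_VENDORS)
        print(inv.invoice_id, result or ["OK to pay"])
```

The point of the design is that the decision rests on records the scammer cannot produce (an approved vendor entry and a PO raised before the call), so the recorded approval carries no weight in accounts payable regardless of how convincing the phone call was.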

Variations of the Invoice Scam

  • Other versions of invoice scams can include sending fake invoices as PDF attachments via a spear-phishing email targeting the billing department.
    • If the employee opens the invoice, it may contain malware embedded in the PDF designed to compromise the company’s computer system.
  • Cautionary Measures: Employees should be trained to recognize such scams and refrain from opening attachments from unknown senders to protect sensitive information and systems.
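Training is the first line of defense against the PDF variant, but a mail gateway or help desk can also triage an attachment before anyone opens it. The following is an added illustration, not code from the course: a static scan that counts the PDF name objects which commonly carry active content (JavaScript, open actions, launch actions, embedded files), so such invoices can be held for review instead of delivered. The two sample PDFs are constructed byte strings with a harmless placeholder string, not real malware; which names to treat as risky and the decision to quarantine on any hit are assumptions of this example.

```python
"""Static triage of an incoming PDF attachment (added illustration; sample
PDFs are constructed). Counts name objects that commonly carry active content.
Presence of a name is a reason to hold the file for review, not proof of malice."""
import re

# PDF name objects worth flagging in an unsolicited invoice (assumed list).
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action executed on open",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launch external program",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "embedded rich media",
}


def pdf_indicators(data: bytes) -> dict:
    """Return {description: count} for each risky name present in the raw bytes.

    PDF names may be hex-escaped (e.g. /J#61vaScript), so those escapes are
    resolved first. Limitation: objects inside compressed object streams are
    not visible to a raw byte scan, so a clean result is not a clean bill of health.
    """
    normalized = re.sub(rb"#([0-9A-Fa-f]{2})",
                        lambda m: bytes([int(m.group(1), 16)]), data)
    found = {}
    for name, description in RISKY_NAMES.items():
        # The name must end at a delimiter so /JS does not match a longer name.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, normalized))
        if count:
            found[description] = count
    return found


def should_quarantine(data: bytes) -> bool:
    """Assumed policy: hold the attachment if any risky name is present."""
    return bool(pdf_indicators(data))


# Constructed minimal PDFs for demonstration (not real files or real malware).
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (constructed placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Same content with a hex-escaped name, which a naive substring search would miss.
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/OpenAction", b"/Open#41ction")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                          ("obfuscated", OBFUSCATED_PDF)):
        print(label, pdf_indicators(sample), "quarantine" if should_quarantine(sample) else "deliver")
```

Used at a mail gateway, a hit on an unsolicited invoice would route the message to a review queue rather than the billing department's inbox; a genuine vendor invoice rarely needs JavaScript or an open action, so the false-positive cost of holding those is low.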

Conclusion

  • Technology vs. Low-Tech Attacks: While identity fraud may involve simpler tactics such as phone calls to collect information, invoice scams can utilize more sophisticated methods like malware-laden emails.
  • Awareness and training are crucial to mitigate the risks associated with both identity fraud and scams, particularly in a corporate environment.