It’s Too Good to Be True: Do We Recognise Internet Fraud?

The internet enables us to communicate with others regardless of distance, but it also allows internet fraud to enter our businesses, homes, and everyday lives.




Internet fraud involves the use of services or software with internet access to defraud or take advantage of victims. It encompasses cyber-criminal activities carried out over the internet, including crimes like identity theft, phishing, and other social engineering activities designed to scam people out of their personal information. These scams target victims through fraudulent activities that rob people of their money, and the figures continue to increase as internet usage expands and cybercrime techniques become more sophisticated.


Types of internet fraud

A variety of strategies are applied to commit internet fraud. They include using malicious software, email, and instant messaging services to spread malware and links to spoofed websites that steal user data, along with wide-reaching phishing scams. Internet fraud includes several types of attacks:


  • Phishing and spoofing - The use of email and online messaging services to convince victims to share personal data, login credentials, and financial details. 

  • Data breach - Stealing confidential, protected, or sensitive data from a secure location and moving it into an untrusted environment. This includes data stolen from users and organisations.

  • Denial of service (DoS) - Disrupting the traffic to an online service, system, or network with malicious intent. 

  • Malware - Malicious software that damages or disables a user's device or steals personal and sensitive data.

  • Ransomware - Malware that prevents users from accessing critical data and then demands payment with the promise of restoring access. Ransomware is typically delivered via phishing attacks.

  • Business email compromise (BEC) - A sophisticated attack that targets businesses that operate on wire payments. It compromises legitimate email accounts through social engineering techniques to submit unauthorised charges.


To avoid hackers' internet fraud attempts, users must understand the common examples of internet fraud and tactics.


Most Internet users have been victims of, or have seen, an online scam in which attackers seek to gain personal information such as login profiles or financial information.


Tactical game played by scammers: Do we know them?


Email phishing scams

Email-based phishing scams are among the most prevalent types of internet fraud and continue to threaten internet users and businesses.

Statistics from Security Boulevard show that in 2020, 22% of all data breaches involved a phishing attack, and 95% of all attacks that targeted business networks were caused by spear phishing. Furthermore, 97% of users could not detect a sophisticated phishing email.


1.5 million new phishing sites are created monthly, and 78% of users understand the risk of hyperlinks in emails but click them nonetheless.


Email-based phishing scams constantly evolve, ranging from simple attacks to more complex threats targeting specific individuals. In email phishing scams, cyber criminals pose as individuals that their victim knows or would consider reputable. The attack aims to encourage people to click on a link that leads to a malicious or spoofed website designed to look like a legitimate website, or to open an attachment containing malicious content.


The hacker first compromises a legitimate website or creates a fake website. Then, they acquire a list of email addresses to target and distribute an email message that aims to dupe people into clicking on a link to that website. When a victim clicks the link, they are taken to the website, which either requests a username and password or automatically downloads malware onto their device that steals sensitive information. The hacker can use this data to access a user's online account, steal more data such as credit card details, access corporate networks attached to the device, or commit wider identity fraud.


Email phishing scammers will often create a sense of urgency in their victims. This includes telling them that their online account or credit card is at risk and that they must log in immediately to rectify the issue.
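
The two warning signs described above, urgent wording and a link whose visible text names one site while the underlying address leads to another, can be checked mechanically. The following is an added example, not part of the original article; the phrase list, function names, and sample messages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Urgency cues modelled on the article's description; the exact list is an assumption.
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|at risk|suspended)\b", re.I)
DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def norm(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def review_email(html_body):
    """Return a list of findings for one HTML email body."""
    findings = []
    if URGENCY.search(re.sub(r"<[^>]+>", " ", html_body)):
        findings.append("urgency-language")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, shown in parser.links:
        host = norm(urlparse(href).hostname or "")
        match = DOMAIN.search(shown)
        if not (host and match):
            continue
        claimed = norm(match.group(1))
        # sub.bank.example belongs to bank.example; bank.example.other.test does not
        if host != claimed and not host.endswith("." + claimed):
            findings.append(f"link-mismatch: shows {claimed}, goes to {host}")
    return findings

# Constructed sample messages (not real emails or real domains).
SAMPLE = ('<p>Your account is at risk. Log in immediately:</p>'
          '<a href="http://mybank.example.login-check.test/signin">www.mybank.example</a>')
BENIGN = ('<p>Your monthly statement is ready.</p>'
          '<a href="https://www.mybank.example/statements">mybank.example</a>')
```

A check like this only catches the mismatch when the link text itself shows a domain; a link labelled "Click here" still has to be inspected by hovering over it or checking the address bar.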


Greeting card scams

Many internet fraud attacks focus on popular events to scam the people celebrating them. This includes birthdays and festive occasions, commonly marked by sharing greeting cards with friends and family members via social media. Hackers typically exploit this by embedding malicious software within the greeting card, which is automatically downloaded onto the recipient's device when they open the card.


The consequences can be devastating. The malware can take the form of annoying pop-up ads that affect an application's performance on a smart device. However, the more worrying outcome would be the victim's personal and financial data being stolen and their computer being compromised as a bot within a vast network of computers, also known as a 'botnet'.


Credit card scams
Credit card fraud typically occurs when hackers fraudulently acquire people's credit or debit card details to steal money or make purchases.


To obtain these details, fraudsters often use credit card features that are 'too good to be true' or bank loan deals to lure victims. For example, a victim might receive a message from their bank telling them they are eligible for a particular loan or a vast amount of money loaned to them. These activities continue to trick people despite the widespread awareness of suspicious offerings.



Unfortunately, online consumers should be wary of various types of scams propagating on the Internet.


Online dating scams
Another typical example of internet fraud targets various online dating applications and websites. Hackers focus on these apps to lure victims into sending money and sharing personal data with new love interests. Scammers typically create fake profiles to interact with users and develop relationships that slowly build their trust. Then, a phoney story is made up, and the attacker requests financial help from a user.


Lottery fee fraud
Another common form of internet fraud is email scams that tell victims they have won the lottery. These scams will inform recipients that they can only claim their prize after paying a small fee.


Lottery fee fraudsters typically craft emails to look and sound believable, which still results in many people falling for the scam. The scam targets people's dreams of winning massive amounts of money, even though they may have never purchased a lottery ticket. Furthermore, no legitimate lottery scheme will ask winners to pay to claim their prize. 



Con artists can be pretty inventive, so be cautious and do not transfer money to anybody unless you are convinced it is a legitimate request.


The Nigerian prince

A classic internet fraud tactic, the Nigerian Prince scam approach remains common and thriving despite widespread awareness.


The scam uses the premise of a wealthy Nigerian family or individual who wants to share their wealth in return for assistance accessing their inheritance. They use phishing tactics to send emails that outline an emotional backstory, then lure victims with a promise of significant financial reward. The scam typically begins by asking for a small fee to help with legal processes and paperwork with the promise of a large sum of money further down the line.


The scammer will inevitably ask for more extensive fees to cover further administration tasks and transaction costs, supported by legitimate-looking confirmation documents. However, the promised return on investment never arrives.


Macau scam 

These fraudsters pretend to be Malaysian law enforcement agencies such as PDRM, LHDN, MCMC, and MACC. In the latest reported tactic, they claim to be calling from POS Malaysia's express delivery service, POSLAJU.


The MO starts with a call in which the scammer convinces the victim that they have committed a crime. Out of fear, the victim gives out their bank user ID and password and releases the TAC (Transaction Authorisation Code) to these criminals. Once this information is released, the victim's savings are withdrawn through cash advances at an ATM or transferred to a mule account.


Decrypting mule account holders and their intent

A mule account is an account belonging to an individual or company who allows it to be controlled and used by criminals. It works by handing over an automatic teller machine (ATM) card and its PIN, or by providing online banking credentials, to criminals who will then receive money from fraudulent activities through the account. These accounts are rented out at RM1,000 per week.


Mule account holders can be charged under Section 424 of the Penal Code for fraudulently concealing money. It carries a sentence of imprisonment up to five years, a fine, or both upon conviction, even if such mule account holders are not directly involved in whatever their "renter" does.





APK files (Android Application Packages)
Only download from links on recognised websites and social media networks; other links may hide APK files intended to hack your smartphone. These files can contain malware, ransomware, or other less visible viruses that can potentially disrupt the Android operating system on your smartphone.


Methods used to hack Android operating systems and how they work:

  1. The attacker generates a malicious payload with MSFvenom and extracts it as an APK file.

  2. The attacker injects malicious payloads into legitimate Android apps with MSFvenom.

  3. Both methods require access to the victim's phone or some form of social engineering on the attacker's part to get their victims to install the malicious APKs on their phones.




As a constant Internet user, you must constantly safeguard your online identity by securing your logins and passwords.


Safeguarding from Internet scams

By remaining vigilant of the common types of internet fraud listed above, Internet users can protect themselves and avoid being caught in a phishing line. It is vital to never send money to someone met over the internet and never share personal or financial details with individuals who are not legitimate or trustworthy. Never click on hyperlinks or attachments in emails or instant messages. Once targeted, internet users should report online scammer activity and phishing emails to the authorities. It is better to check all accounts through PDRM's website for every unknown transfer.


Credit card fraud can also be avoided by keeping a close eye on bank accounts, setting up notifications on credit card activity, signing up for credit monitoring, and using consumer protection services. In addition, users who suffer credit card fraud must report it to the relevant legal authorities and credit bureaus.



About the Author

Thilo has 30 years of fraud management and loss prevention expertise in banking and retail, including Hong Leong Bank Berhad, Dairy Farm Group, OCBC Bank (Malaysia), and Mbf Cards Malaysia (now known as Ambank Cards).

He is currently Fraud Investigation Manager for Hong Leong Bank Berhad, and his experience includes a three-year stint as Loss Prevention and Security Head for Dairy Farm Group and financial crime investigations in the banking sector. He has also successfully conducted Fraud Investigation training under the Malaysian Risk Management Task Force ticket to the Royal Malaysian Police force in Langkawi and many others.
