Refund Vishing Scams

28th June 2022 | Blog, Sticky

Secure your business with CyberHoot Today!!!

We’re constantly receiving emails, text messages, and phone calls from scammers claiming to be reputable brands we use. What you may not know, is where these hackers are coming from. There are call centers across the world whose sole purpose is to socially engineer you out of your money using Vishing, Smishing, and Phishing attacks. The good news is that Interpol, an International Police Organization, has arrested 2000+ suspects in organizations like these and taken down their command and control computing infrastructure. This crackdown on social engineering fraud will hopefully have a noticeable impact on the plague of vishing attacks we’ve experienced in recent years, depicted below.

Interpol Bust

In a two-month global operation in mid-2022, dubbed First Light 2022, Interpol says that:

“76 countries took part in an international clampdown on the organised crime groups behind telecommunications and social engineering scams. Police in participating countries raided national call centres suspected of telecommunications or scamming fraud, particularly telephone deception, romance scams, e-mail deception, and connected financial crime.”

Although results are still coming in, Interpol claims that the operation has so far resulted in:

About 1770 locations were raided worldwide.
About 3000 suspects were identified.
About 2000 arrests of operators, fraudsters, and money launderers.
About 4000 bank accounts were frozen.
About $50,000,000 of illicit funds were intercepted.

As Interpol notes, one of the scams used by these criminals is pretending to be from Interpol itself. This sort of scam is sometimes used as a ‘follow-up’ to exploit scared victims for a second time, by pretending to offer an “official” legal lifeline to recover some of the money they lost in the first part of the scam.

Fake Refund Scams

In a video produced by Mark Rober, he talks about these various criminal organizations, how they operate, and what he did to mess with them. If you haven’t watched the video, we recommend you do, it’s quite an interesting app[roach]! In his video, he details various refund scams that these call centers perform, which are summarized below:

Scammers ‘refund’ you an impressive but believable amount, say $2000, for an ‘over-billing’ for a product or service you actually use.
They then ‘help’ you log in to your bank account to ensure that the transaction went through.
They sneakily edit the HTML in your browser so the page shows a transaction for ten times the amount originally mentioned.
They cry out in alarm, claiming they themselves must have typed in an extra zero and that they’ve accidentally refunded too much.
Then they burst into tears or turn on the emotional blackmail, claiming they (or you) will be liable for the massive difference.

The scammer’s goal is to convince you to refund the ‘extra’ money out of your own account, even when the money is not actually in your account. These scammers often create a fake webpage they have you visit, where it shows the deposit with the ‘extra’ money and an increased overall balance. They then convince you that they’ve made a mistake that will cause them to ‘lose their job’, and even get you into trouble, too. To remediate this non-existent issue, they persuade you to help them fix the mistake by withdrawing the excess amount from your account and sending it back to them through a different channel.

Similar Scams

Vishing doesn’t only involve these refund scams, they have a variety of methods to get money or critical information out of their victims, including:

Emailing you with a ‘Receipt’ for a fake transaction, such as a $100 Amazon charge you never made, but offering an ‘Amazon’ support number you can call to dispute the ‘payment’.
Claiming to be from the tax office to discuss the “late payment” of the tax “penalty” in your latest “assessment”.
Pretending to be a police officer and listing ‘criminal charges’ that could lead to your imminent arrest unless ‘fines’ are quickly paid.
Pressuring you into putting money in ‘high return’ investment schemes, often backed by legitimate-looking but fake websites or mobile phone apps that simulate a healthy return.

What Should You Do?

If you watched the video mentioned before, or at the end of this article, you will learn that this Interpol bust doesn’t stop all social engineering attacks. Unfortunately, there are way more than 2,000 perpetrators of Vishing, Smishing, and Phishing in the world. The best thing you can do to stay safe and secure online and not fall victim to these social engineering attacks is to:

Never be in a hurry to hand over personal information. If in doubt, don’t give it out!
Never grant remote access to your computer. Even if the website says, you have a virus. It’s a scam; close your web browser and start fresh.
Make sure your friends and family know where to look for genuine advice on how to spot scams. Don’t let them learn about scams by walking into the hands of the scammers themselves.
If your friends or family warn you that you might be getting scammed, hear them out. Don’t let the scammers divide you from your loved ones as well as your money.
The Internet opens the door to any number of malicious actors. Always be on the lookout for attacks and be suspicious of anyone you deal with online.

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.