Online Trading Scams – Don’t Make a Bad Trade
Make money online. We hear this all the time, don’t we? Let’s be honest, there’s something to love about a get-rich-quick scheme. But this is also why so many people reply to emails from the infamous “Nigerian Prince” or “Random Wealthy Person” they receive, claiming to have money just waiting to be claimed.
Many of these messages, whether about cryptocurrency, stocks, or obscure funds, have a get-rich-quick tone. They promise sterling results in no time at all, making an offer that is too good to be true. It’s your very own Cinderella story. There are no fairy tales in real life, though, and these messages should be ignored.
Today, most of us are aware of the dangers of clicking on links that drop malware like ransomware onto our computers. We are also much more aware of the various attack vectors used by cybercriminals and how their attack techniques have evolved over the years.
But what we overlook is the level of sophistication of these attacks, and how attackers keep trying new and different ways to break through our defenses.
Evolving attack patterns
Let’s go back a few years to when ransomware first made its presence felt. In those days, cybercriminals worked with economies of scale. The CryptoLocker gang is one such example. While they earned millions of dollars in ransom payments (estimates vary, and the figure may be higher), they did not demand a huge amount from any one victim. The gang targeted a massive number of accounts, scrambled their files and demanded around $300 in ransom to unscramble those files - not an amount that will break the bank!
Now $300 might feel like pocket change compared to today’s ransoms, but the gang raked in the money by targeting hundreds of thousands of systems.
Over time, ransomware attack patterns have changed completely. Today, the usual approach ransomware gangs use is targeting one organization and then moving on to the next. This essentially means they create a bespoke ransomware attack backed by a thorough analysis of the organization’s weaknesses, from both the cybersecurity infrastructure and the security awareness perspective.
Once they are able to compromise the target system, they blackmail each organization for hundreds of thousands or even millions of dollars. Attacks have become more sophisticated and criminals have more confidence about their ability to break into even the most comprehensive cybersecurity defenses.
Where they once earned hundreds of dollars from each of thousands of targets, they are now raking in far more by going after one target for a bigger score. Also, with ransomware attacks becoming more lucrative for criminals, we are seeing the rise of Ransomware-as-a-Service (RaaS), where malware is sold on the dark web to criminals who want to launch low-level attacks at intended targets.
This isn’t good news for us, because we need to protect against advanced ransomware while also not lowering our guard against amateur attacks.
The romance lure is difficult to resist
It doesn’t stop with ransomware – you also need to be wary of online scammers who prey on emotional vulnerabilities to target victims. They focus on the emotional or physical disconnect intended victims have with the world around them and build relationships founded on a web of lies. But victims lap these lies up because they fit within their own views and expectations.
Enter the world of romance scams or “emotional scams.” This is another type of social engineering attack scammers use to encourage victims to loosen their purse strings and send some money their way.
It is a pure emotional play. The process can take a long time to deliver returns. Criminals play on the heartstrings of victims, and while this sounds cheesy, it’s a very real threat. Operational patience is key, as they don’t target numerous people at one go. Like the ransomware attackers targeting one organization at a time, these scammers focus on one individual at a time. They create target personas, with a list of likes, dislikes, and even emotional vulnerabilities of the victim, and then launch their attack. Over a period of time, once they think the time is right, they will ask for money in fits and starts, which will culminate in a final big-time payday.
Online trading scams – the evolution continues
We all love making money, and if you can do it with very little hard work or thought, it’s all the better, right? That’s a belief that makes us vulnerable to attacks. Romance is one lure, money is another. The common theme is the emotional connection we have with money. We desire it as much as romance. Maybe even more for some people.
This is what investment scammers exploit. They promise a lot of money. They create an ‘off-market’ app, meaning an app that is not available on the Play Store, yet is available on other app markets. Or if you have an iPhone, these scammers use a complex process that makes this fake app available on your iPhone.
Does that make you suspicious? It should, and you should never use an off-market app until and unless you are absolutely sure it is the real deal.
Scammers will use exclusivity to trick you: they’ll say it is a very special app only available to ‘special people’ and you guessed it – that special person is you. Think of these fake online trading apps as a sort of “secret” between you and the criminal.
The process is simpler for someone with an Android phone, but if someone has an iPhone, scammers will also go to the trouble of gaming the system.
Here, the scammer will work with a person who pretends to be the developer of the fake iPhone app that will be used for the online trading scam. Victims are asked to jump through hoops to have their devices registered into the “development process” of this app, after which their phones will begin to run the fake app.
It’s the love trap all over again
Let’s say you are an iPhone user. You might ask: how, given that iOS is a closed system, could you be lured into a fake trading app? But here’s the rub. While it is a closed system, the scammers will throw a lot of temptation your way to get you to circumvent the protective cover that iOS’ closed system affords you.
They’ll leverage diverse channels, such as social media or even dating sites, to lure you in. After all, this is also a romance. A romance with money. They use online proxy companies or what are referred to as Super Signature services as a method of application distribution, so that iPhone users can start using the fake trading app without downloading it from the App Store. Once the app is installed, the promise of quick money means the users are convinced to start making regular deposits. Fake feedback regarding their “investments” convinces the users (who are now bona fide victims) that they are secure and are going to make a windfall. The reality, however, is that they are never going to see their money again.
How do you protect yourself?
If you come across an offer that sounds too good to be true, it is. If it is a get-rich-quick scheme – remember, there are no get-rich-quick schemes. Do not sign up for any trading app that you know nothing about and that is not backed by reputable names. Also, do not download any app from outside the official app stores.
Don’t implicitly trust links that your friends share with you on social media with telltale language about making money fast and effortlessly. If you see such messages, keep a cool head. Be practical, and if necessary, cull these people from your contacts list for your own protection.
Also, install an antivirus solution on your desktops, laptops, and phones. With Sophos Home, you get features like malware scan and clean, AI threat detection, ransomware security, privacy protection, web protection, and more. This helps deploy a comprehensive security blanket across the devices you use regularly, so that you are protected from advanced threats levelled at you through these devices.
But it is also imperative that you exercise security awareness to combat social engineering threats that play at your emotions and your needs. Don’t take security for granted.