A friend in need — or is it?

Attackers pretending to be acquaintances asking for money — the story is old, the approaches new. We show you how to avoid the e-bait.

Scammers keep things fresh, continually devising new or revamped social engineering techniques to steal from unsuspecting victims. Today’s lesson comes from platforms such as Telegram, WhatsApp, and others that use phone numbers as user IDs.

A few years ago, we examined the case of a Skype account that was hijacked and then used under various pretexts to finagle money out of the victim’s contacts. Today we discuss a somewhat similar scenario — but this one doesn’t even require hacking into other people’s accounts. The crook simply sets up a fake account in a popular messaging app.

It can begin with an innocent call for help on a social media page, with the user giving their phone number to their friends. But criminals don’t even have to wait for someone to upload a post with personal information. People are in the habit of revealing all sorts of personal data, making it available to anyone who cares to harvest it.

Phone number obtained, the scammer looks at the target’s list of friends and selects someone to use as bait. Then, they create a profile in a messaging app, using the name and downloaded photo of the chosen friend.

The attacker then sends a message to the victim, seemingly from the chosen friend. It all looks very plausible: an old friend reaching out for help. Who wouldn’t lend a hand? You don’t immediately cotton on. Why would you? No one remembers phone numbers these days anyway, and it’s easy to fall for such a convincing ruse. Making things even easier, some messaging apps forgo the friend-confirmation step, letting users open communications without anyone having to say “Yes, I accept this friend request.” A criminal can use this scheme again and again, finding new phone numbers online and registering new IM accounts.

How can you avoid becoming a victim of this type of fraud?

  • Think about what data you make public on social media. We have separate posts about which privacy settings to change in Facebook, VK.com, Instagram, LinkedIn, and Twitter, and how to change them.
  • In particular, consider hiding your friends list on Facebook. It’s easy to do: Go to Settings -> Privacy -> Who can see your friends list? and change the setting to Friends or even Only me.
  • If you receive a request for help from someone, it’s best to check that this person really is who they claim to be. Ask questions that only the two of you could possibly answer, or call to discuss it voice-to-voice.