What does a scam look like? With technology, it’s tricky

Using+a+practice+known+as+%E2%80%9Ccaller+ID+spoofing%2C%E2%80%9D+callers+can+alter+the+number+that+appears+on+a+caller+ID+display+and+make+the+call+appear+to+come+from+anywhere+the+scammer+wants.

Photo Illustration: Jonathan Laczniak/Iowa State Daily

Using a practice known as “caller ID spoofing,” callers can alter the number that appears on a caller ID display and make the call appear to come from anywhere the scammer wants.

Paige Anson

Emails, phone calls, direct messages on social media. Fraudsters, or scammers, use them in attempts to steal money or personal information from people.

In Ames and at Iowa State, scams through these mediums are often dealt with by public safety departments, including the Iowa State University Police and Ames Police departments and the Iowa State Information Technology Services Security Team.

The prevalence of scam crimes in the United States is enough of an issue that as of Sept. 1, 2018, the Ames Police Department is required by the FBI to record reports on scams for their annual crime reports in the National Incident Based Reporting System.

“Since Sept. 1, we have tracked 146 scam calls, [mostly] attempts,” said Geoff Huff, commander with the Ames Police Department.

Scam attempts are unsuccessful efforts by a person to steal someone’s personal information or money. Successful scams are those where a person has obtained money or personal information, Huff said.

“It’s at least weekly that we talk to an actual victim of a scam where they are out money or information to varying levels. [Some lose] a few dollars … and we’ve had some that have been out thousands of dollars,” Huff said.

Both the Ames and ISU police departments document successful scam cases, which are usually filed as fraud or identity theft.

ISU Police does not, however, routinely keep track of general attempts, although they will take the calls and they refer people to report attempts to the Federal Communication Commission, said Anthony Greiter, an officer with ISU Police.

ISU Police filed 30 successful fraud cases in 2017, the most filed in the last four years, according to data from ISU Police.

ISU Police and Ames Police get the most calls for scam attempts made over phone calls and emails, also known as “phishing” emails, Huff and Greiter said.

Methods for obtaining information or money across those and other platforms, however, varies.

Scammers most often aim to inspire fear or urgency while impersonating trusted sources in an effort to trick information out of people, Greiter said.

“Big [phone impersonations] are [of] the IRS and any law enforcement agency saying that [they] have a warrant … [and you need] to pay money now or you will be arrested,” Huff said. “We’ve even had 911 spoofed where people were getting a call from 911. That should never happen.”

ISU Police received reports of similar phone scam attempts, Greiter said.

“[Impersonators use] the fear-inducing threat of legal action,” Greiter said. “They typically go for money and they say how you have unpaid this or that … then they ask for payment on an iTunes gift card.”

iTunes and other gift cards have been a common tool used by scammers in their attempts to steal money. Typically, scammers ask a person to purchase a gift card and to tell them the number on the back of the gift card, Greiter and Huff said.

Request for payment through a gift card should be a sure sign of a scam, Huff said, because no government agency will ask for gift-card payments.

The fact that gift cards are easy to access and nearly impossible to trace are what makes them so appealing to scammers, Greiter said.

“It’s almost like giving cash, once the money’s gone, the money’s gone,” Huff said.

Data in an article from the Federal Trade Commission’s website shows that of successful scams reported to the FTC, 26 percent of scammed people now pay with a gift card or reload card, up from the 7 percent reported in 2015.

Forty-two percent of people who reported paying a scammer with a gift card paid with an iTunes or Google Play gift card, according to the same report.

Phishing email scam reports that the Ames Police and ISU Police receive often include descriptions of emails that impersonate trusted agencies or service providers and include links to requests for personal information, including financial information. This information can be used to outright steal money or to access people’s personal accounts, Huff said.

“If they know your email and your password … take an Amazon account for example. Our sign on is an email address and a password. If they can get ahold of the email address and password, [they] can say you forgot your password and they send you a reset. The bad guy gets it, and they can get into your account … [They] can start ordering products,” Huff said.

This valuable information can be used to access nearly any account attached to an email, and can even be sold online by scammers, Huff said.

“If they can get bank or credit card numbers, or emails and passwords they can sell it on the ‘dark web,’” Huff said. “My wife had an email address that was bought and sold on the dark web that we had to get rid of … we can never use that email again.”

The ISU ITS Security Team, a group of technology professionals who monitor phishing reports from the university community, help to identify and “blacklist” scam websites and assist with technology forensics.

The team most often receives reports of attempted phishing emails that appear to come from a trusted source, and can even include personal information, like a previous password a person has used, said Andy Almquist, a security analyst.

Senders posing as trusted sources such as university officials and club presidents are often the most successful scammers, Almquist said.

Other impersonation tactics scammers use in emails in attempt to gain access to personal information includes framing themselves as trusted websites.

“You may receive an email that appears to have come from file-sharing sites like Dropbox or Google Drive, alerting you that a document has been shared with you,” Almquist said. “The links provided in these emails will take you to a fake login page that mimics the real login page, allowing scammers to steal your account credentials.”

Out of the approximately 2,000 reported phishing attempts the team received in 2017, 583 successfully scammed or compromised accounts were blocked or blacklisted. In 2018, these numbers were significantly lower, with roughly 200 accounts compromised out of 1,200 reported phishing attempts. The decrease is likely due to the rollout of multifactor authentication on campus, Almquist said.

International students in the community are often victims to impersonation and false government scams because they may not know how the legal system works in the U.S., Huff and Greiter said.

“They may be scared [at false-authority threats] and not understand that the police department does not call you and request payment [or threaten that] you’ll be arrested,” Huff said.

Fear of losing scholarships or of deportation are other factors international students may weigh in when considering false threats for legal action, Greiter said.

Another scam method reported to the ISU Police this year consists of threats to exploit nude photos that scammers acquire, Greiter said.

“[Scammers] are reaching out on social media. They will typically have a photo so you can assume they are a real person … they start sending DMs [direct messages] and within three or four minutes [messages] start becoming very sexualized,” Greiter said.

From there, scammers request nude photos or video, Greiter said, and as soon as they have them, the scammer screenshots the images. Once captured, the scammer turns around to threaten to blackmail the person by sending nudes to his/her contacts, including close friends and family, if they are not paid a certain amount.

“These people have done their research on you. We recently had one where [a person] paid $5,000 dollars to have that [scammer] not post the photo. Shortly after, they got another message saying ‘this was the boss’… and they asked for more money,” Greiter said.

Community members can avoid scams by questioning every email and message with a link or request for information, Huff said.

“Understand systems and always be suspicious when people are asking for payment … and always doing your research. I don’t give my personal information out over the phone unless I’m 100 percent sure I know who I’m talking to.” Huff said. “If you get a call [asking for personal information] say, from a credit card company … hang up, look up the actual number of the credit card company and call them.”

With phishing emails specifically, caution can be exercised by checking sender addresses and link destinations, Almquist said.

“Whenever you see a link in an email, do not click it,” Almquist said. “Instead, hover your cursor over the link and look for a small box to appear in the bottom left of the window or directly above the link. The actual destination of the link will be visible. Any non-ISU domain should be treated with caution.”

If an Iowa State student, faculty or staff member does click on a scam email in their university email, they can reach out to the ITS Security Team by email at [email protected].

Victims of scam fraud or identity theft are encouraged to call the non-emergency numbers for ISU Police 515-264-4428 and Ames Police 515-239-5133, Greiter and Huff said.

People wanting to learn more about how to avoid phishing emails can visit the ISU ITS Security website.