How the Theory of Marginal Gains is creating a fraudsters’ paradise

I’m a firm believer in the power of marginal gains. The Marginal Gains Theory is concerned with small incremental improvements in any process, which, when added together, make a significant improvement. The challenge is always to break something down into small enough increments that they are easily achievable and measurable.

Another way to look at marginal gains is to measure actions by return on investment – if I invest my time/resources/cash into something, will the return increase with the level of investment? Most of us make decisions like this multiple times a day. Should I have that extra sausage for breakfast? Should I go a bit above the speed limit to get home quicker? Should I spend an additional hour in the pub? All of these decisions potentially have marginal gains for us, but the question we need to ask ourselves is whether the return, whether that is a reward or a penalty, is worth it.

If you look closely at any attempted fraud or robbery, whether physical or virtual, there is a trade-off for the perpetrators of risk versus reward. The risk of getting caught or the risk of investing in a scheme more often than not far outweighs the potential reward, which can be substantial in some cases. A greater risk of detection and punishment does deter the vast majority of people from committing crime. Likewise, most frauds and robberies are easy to spot and, whilst the vast majority of attempts are foiled, either by the authorities or by our own knowledge, the return on investment for some is relatively small, and that is why fraudsters will still attempt to create outlandish scams, knowing that a small number of people tricked gives them the reward they need.

However, there is a growing trend of people falling victim to scams that start with a legitimate-looking request for a small amount of money that soon escalates into something far more sinister and damaging. Using the surge in home deliveries as their modus operandi, scammers have been sending text messages to people informing them that they need to pay a small fee, usually less than £2, to have an item delivered. The small amount and the impression it comes from the Royal Mail (the URLs used in the message tend to feature the words “Royal Mail”) make the message believable, as does the page where the receiver is asked to enter their details. But this is a scam that does not just want your £2.

The BBC reported a story last week of a former Police Officer who received such a message and, believing it to be genuine, followed the link and paid the small fee. That then opened him up to a whole multi-level scam that eventually resulted in him losing thousands of pounds. His story is not uncommon – just a few weeks ago a respected, experienced current affairs journalist and TV/Radio presenter tweeted an image of a text she had received, asking her followers if it was genuine, such is the believability of the scam.

The fraudsters behind the scams are looking to play on our Marginal Gains – it surely isn’t a scam as they “only” want £1.25/£1.99/£2.50 – the risk of it being a fraud to the receiver of the text is low, or so it seems, whilst the reward is that they get the parcel or item that they may have been waiting for.

The Royal Mail do not send text messages asking for payment in this way. If an item needs additional postage they will deliver a card detailing how someone can make the additional payments. Likewise, you can always check the domain name used in the URL to see when it was registered and who to. A recent text I received showed the domain name registered on the same day as the text was sent and registered to an individual in China. If you are in any doubt about the legitimacy of any message you have received, check with Royal Mail themselves and make sure that you do not become another marginal gain for the fraudsters.

Why Vishing is on the rise

We’ve become used to getting email-based scams for some time. The original 419 email scams, so-called because the offence is detailed in section 419 of the Nigerian legal code, are for the most part very easy to spot these days as they follow the same modus operandi. Rich widow of a dictator, dying philanthropist, benevolent banker – the stories haven’t changed over the years – they are fanciful, easy to verify and simply too good to be true. However, fraud through email scams, “phishing”, continues to rise. What has changed is the sophistication of the emails, the detail that the fraudsters go into to create their traps for innocent victims. However, it hasn’t just been the growth in phishing that has been worrying the authorities.

A new generation of smartphone users now favour message-based communication such as WhatsApp, SnapChat, Direct Messaging via Instagram and texting rather than using email. That has seen the fraudsters adapt their approach and targets, where sophistication is significantly less. Whereas emails need to look authentic, using HTML-based email templates, branding and styles, text-based messaging does not. As long as the call to action, normally a URL to click, has the respective keywords in somewhere, then people will believe it.

The last year has seen a massive increase in the number of these text-based scams, known as “smishing”, with fraudsters looking to take advantage of our home-bound situations such as deliveries as well as Covid-related situations such as testing and access to the vaccines. Examples of URLs include, and where a well-known brand is included in the domain name string to make the URL look authentic.

One more recent, high profile scam, has focused on requesting a small amount, in many cases £2 or less, for postage on a parcel that is due for delivery. By asking for such a small amount, potential victims believe it is a genuine request – most of us have increased our online shopping and have pending deliveries. What harm does paying such a small amount cause? Actually, at the most extreme end of cases, almost everything you own as this story proves.

However, one of the main consequences of interacting with any smishing attempt is that it verifies that the mobile number is valid. Criminals buy mobile numbers in bulk on the dark web and send out these fraud attempts en masse. Any “live” number becomes more valuable to be sold on to other scammers, which is why you should never engage with any text messages that you may receive, whether that is by following the call to action via the URL or replying to the text message.

Once fraudsters have a live mobile number then they can take their attempts to defraud to the next level, “vishing”, which is defined as the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

Vishing scams play on fear. Whilst phishing and smishing tend to play on victim confusion, such as using typosquatted domain names within a URL, or revealing usernames and passwords on a convincing fake website, vishing attempts to scare victims into acting. A common example, one that I received myself just a few days ago, went along the lines of an automated voice telling me:

“Your National Insurance number has been used in a financial fraud on the border of North Wales. Press 1 now to speak to a fraud investigator to confirm that it wasn’t you. Failure to press 1 now will result in an arrest warrant being issued and you being summoned to court to face serious criminal charges”

Not nice. Similar calls will use the subject of tax fraud, bank fraud or that your car has been involved in a hit and run. The call to action is always the same though – “Press x to speak to an operative/agent/police/investigator now”. By pressing the key, the call is transferred to a real-life operative who will then go through a script to try to get you to reveal personal and financial details that they will claim are needed to verify your identity “so that you won’t be charged/arrested” but in reality, as with the case highlighted in the BBC report, will be used to defraud victims to the maximum extent.

Whilst some may be tempted to play along with the fraudsters, attempting to engage with them for sport, the best course of action is to hang up on the numbers and block them on your phone, although in most instances they will be using unregistered SIM cards that will be destroyed or never used again. You can also report the numbers to the mobile network providers by sending details of the number used to 7726.

Technology means that vishing attempts will become more sophisticated over time, just like phishing emails have progressed from the original 419-style attempts. Whilst they will become more believable over time, it is vital that we all take a few seconds if we do receive a suspicious call and, if it doesn’t feel right, ignore it.

Just another Manic Monday?

In theory the volume of emails hitting our inboxes should start to decrease after today as we see Cyber Monday move into Giving Tuesday and firms scale back their marketing activities. The amount of money spent online this year, thanks to our COVID-induced lockdown, is likely to have hit record levels, coming at a vital time for many retailers. Analysis carried out earlier in the year by Edge Retail suggested that the COVID-effect to retailers could be up to £5 billion.

However, despite the inevitable increase in online spending, the amount of fraud will have increased accordingly. According to Digital Trust and Safety company Sift, the fraud rate (reported attempts of fraud divided by total online transactions) from the start of October to mid-November was nearly 400% up on the same period in 2019. With online transactions spiking for the year over the last four days, it is anticipated that the level of online fraud will be off the scale in 2020.

Whilst organisations such as Action Fraud have active campaigns focused on consumers and the tell-tale signs of scams, the £13.5m worth of fraud last festive period is unfortunately likely to be topped this year. Fraudsters use the same tactics as genuine brands to hook unsuspecting consumers’ attention and divert their interest, web session and ultimately hard-earned cash from legitimate brands.

Social Media continues to be the easiest method of attracting customers for fraudsters – the more information we share with the networks, the more targeted the scammers’ ads can be. To give an example, from looking at my posts it is clear I am a football fan. I live in England and so there is a higher chance than average that I may be interested in England’s National Team football merchandise. Which is why I was served with the advert on the right.

This shirt caught my eye as it appears to be manufactured by Under Armour rather than Nike who currently hold the contract as official merchandise supplier to the Football Association. I searched for similar images and found dozens, all identical apart from the two logos on the shirt. So if you were an Irish Rugby fan or an Arsenal fan, you may have seen one of the images below.

The website that is selling these shirts has so many alarm bells that it is surprising any potential customers aren’t deafened on loading, ranging from using the same text for their terms and conditions as many other websites, to only offering contact through a webform, to a domain name that was registered relatively recently. The return on investment on a social media campaign is relatively low and it only takes a few orders from customers who don’t see the warning signs for them to profit. Of course, capturing personal and financial details from unsuspecting customers is valuable data enough for them.

Whilst the madness of the Black Friday weekend is drawing to a close, it doesn’t mean that the fraudsters will also disappear back into the corners of the dark web. We all need to keep our guard up and make sure that we don’t become part of the problem rather than the solution… and, of course, remember if it looks too good to be true, it probably is.

‘Tis the season to be wary

It is not a surprise that the number of scams we are exposed to as consumers increases in the four weeks before Christmas. The traditional sales period starts earlier and earlier every year but with the vast majority of our shopping this year forced online, we all need to be part of the solution rather than the problem when it comes to online fraud.

The must-have item in many households in the UK this year is the PS5. Sony’s new games console was launched last week to a great fanfare and consequently, huge demand. As predicted, stores quickly ran out of their limited supply of the consoles, which retail at up to £449. It isn’t just Sony who can’t meet demand – Microsoft’s Xbox Series X, launched earlier in November is sold out everywhere and may not be available until Spring 2021. The huge demand and the scarce supply is bad news for consumers but is the perfect storm for the fraudsters.

The festive period is a lucrative time for both legitimate and illegitimate businesses. Whilst genuine retailers will have invested not only in stock but also marketing campaigns, the fraudsters will ride on the crest of the wave of consumer demand, knowing that a few well-placed adverts on Social Media will reap their ill-gotten rewards.

In the space of a few days there have already been stories of consumers being duped even when using legitimate retail websites. In an article for, tech journalist Barry Collins reported a number of cases where customers had received items that certainly weren’t the PlayStation 5 consoles they had ordered from Amazon, whilst the usual adverts have been appearing on Facebook for the consoles, using genuine retailers’ brands but, as usual, featuring poorly written adverts that give away to most people that they are scams. Unfortunately, that still doesn’t stop desperate consumers being tricked into handing over their personal and financial details.

The National Cyber Security Centre (NCSC) updated their guidance for online shoppers this week ahead of what promises to be a big week for online retail:

  • Be selective about where you shop online – if a deal looks too good to be true it probably is!  So, if a retail store or website you have never heard of has hard to find items in stock, ask yourself why.
  • Only provide the necessary information to make a purchase – some scam websites will try to gather as much personal data as they can to either use themselves for other scams or sell onto third parties who have nefarious intentions.
  • Only use websites which are protected through encryption or SSL.  Look for the green browser bar or the small padlock in the address bar.  Never submit any personal or financial details unless you are on an encrypted page.
  • Be very wary of suspicious emails, phone calls, texts or WhatsApp messages.  Unfortunately, our personal data is constantly at risk of being used for fraud.  Scammers do not adhere to GDPR regulations!

If you are unsure whether to trust a website, check when the domain name was registered. Most, not all mind, scam websites use recently registered domain names which may also be typos of well-known brands. 

In the last seven days hundreds of new domain names featuring the trademarked term “PlayStation” have been registered, including, and – none of which appear to have been registered by Sony.  The speed by which a scammer can register a domain name and get a website up and running is faster than ever so consumers should check if things don’t stack up.
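The two checks this page keeps returning to (how recently was the domain registered, and does it borrow a brand name it has no right to) can be scripted; the following is an added example, not part of the original article. It reads the registration event from an RDAP record (the JSON registry lookup that supersedes WHOIS); the allow-list, the 30-day threshold, the sample message, the domain and the RDAP record are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Assumption: allow-list of genuine brand domains; extend it for the brands you care about.
OFFICIAL = {"royalmail": {"royalmail.com"}, "playstation": {"playstation.com"}}
MAX_AGE_DAYS = 30  # assumed cut-off for "recently registered"

def extract_hosts(message):
    """Lower-cased hostnames of every http(s) URL found in a text message."""
    hosts = (urlparse(u).hostname for u in re.findall(r"https?://\S+", message))
    return [h for h in hosts if h]

def registration_date(rdap):
    """Timestamp of the 'registration' event in an RDAP domain object, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def brand_misuse(host):
    """Brands named in a host that is not one of that brand's official domains."""
    squashed = re.sub(r"[^a-z0-9]", "", host)  # royal-mail-fee -> royalmailfee
    return [b for b, doms in OFFICIAL.items() if b in squashed
            and not any(host == d or host.endswith("." + d) for d in doms)]

def assess(message, rdap_by_domain, received):
    """Return [(host, [reasons])] for each link; an empty reason list means no flag."""
    findings = []
    for host in extract_hosts(message):
        reasons = [f"brand '{b}' used in a non-official domain" for b in brand_misuse(host)]
        registered = registration_date(rdap_by_domain.get(host, {}))
        if registered is None:
            reasons.append("registration date unknown")
        elif (received - registered).days <= MAX_AGE_DAYS:
            reasons.append(f"registered {(received - registered).days} day(s) before the message")
        findings.append((host, reasons))
    return findings

# Constructed sample data: the message, the domain and the RDAP record are invented.
SAMPLE_SMS = "Royal Mail: your parcel is on hold. Pay the fee at https://royal-mail-fee.example/pay"
SAMPLE_RDAP = {"royal-mail-fee.example": {"objectClassName": "domain", "events": [
    {"eventAction": "registration", "eventDate": "2021-03-01T08:15:00Z"}]}}
RECEIVED = datetime(2021, 3, 1, 14, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, reasons in assess(SAMPLE_SMS, SAMPLE_RDAP, RECEIVED):
        print(host, "->", reasons or "no flags")
```

In practice the RDAP record would be fetched for the registered domain (not a subdomain) before calling `assess`; an old registration date does not prove a site is genuine, it only removes one warning sign.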

As always, the need to exercise caution increases at this time of the year not just for consumers but also for brand holders. Unfortunately, the actions of the scammers have a consequential impact on the reputation of the brands. Stories about consumers being scammed when trying to buy their products or using their websites will scream their brand name, and so it is important that organisations also monitor the situation and take action swiftly to reassure consumers.

We’ve all faced enough problems in 2020 to not want more headaches and heartache this festive period.  Don’t let the fraudsters win – if something looks too good to be true, it probably is!