Charity Fraud Trifecta: Phishing, Vishing and Smishing

December 3, 2015

The holiday season is upon us, which means fraudsters are on alert and looking to take advantage of the goodwill of the unsuspecting. According to the National Center for Charitable Statistics, between 25 and 43 percent of annual giving is done between Thanksgiving and New Year’s. As such, fraudsters engaging in charity fraud often create fake charities to solicit donations or fool victims into thinking that they are donating to an existing charity.

The 2015 holiday season is particularly promising for fraudsters due to the recent Paris terror attacks and the resulting focus on the Syrian refugee humanitarian crisis. The general holiday giving surge combined with the Paris and refugee crises provides a plentiful pool of target victims.

The Holiday Season Breeds Fraud

There has been much written about fraudulent schemes targeting charitable giving over the years, particularly around the holiday season. Scambusters.org does a good job highlighting various charity scams, and the Federal Trade Commission (FTC) provides information on what you can do to protect yourself.

There will always be a segment of the population that is quite vulnerable to these schemes due to extreme gullibility or ignorance. Enhancing the credibility of the schemes enables the social engineer (fraudster) to sustain or increase the hit rate, possibly victimizing individuals who would otherwise know better.

Social engineering schemes like phishing (emails), vishing (voice mail or direct calls) and smishing (texting) have become a part of our everyday life. It is relatively easy to spot a bogus email or a text or call from an unknown number. But what if the email appears to come from a charity that you donated money to last year? Or the telephone call you receive appears to be coming from the local charity that you support through social media sites? How much more likely would you be to answer the call or respond to that email?

The vast amount of information that can be culled about many of us online is daunting. I would venture to guess that most people not associated with the fraud or cybersecurity industry don’t appreciate how vulnerable they are to an attack designed specifically for them or for people of a particular affinity group of which they are a part.

Charity Fraud and Crisis Scams

Natural disasters and other events that capture the world’s attention have long been a favorite opportunity for charity fraud social engineering scams. These scams prey on the average person’s sympathies for those affected by such events. The telephone calls and emails soliciting donations that purport to help those affected may come from purely fictitious charities, or from legitimate charities that give only a small percentage of what is collected to the intended recipients.

Paris was struck by its worst terror attack ever on Nov. 13, 2015. There will undoubtedly be fraud schemes established to solicit “donations” for the victims who were injured and the families of those killed in the attacks. French citizens will likely be the No. 1 target; however, individuals across Western Europe and North America will be targeted as well.

Although the Syrian refugee crisis has been ongoing for many months, the Paris attacks have caused a renewed focus on it from political leaders and citizens of Europe and the U.S. This renewed focus may have a negative effect on the refugee population, which will create opportunities for fraudsters.

Previous Donors and Supporters Are More Vulnerable

On any given day, millions of phishing emails are sent to individuals all over the world. But what tools and resources are available to bad actors to customize social engineering schemes for those who may have donated to or otherwise supported specific organizations or causes?

Spear phishing uses information known about a target victim to customize a credible attack. How can fraudsters use available information to create a customized attack?

Data Available for Purchase

There are many data brokers that aggregate information about consumers and package that information for sale to marketers, small businesses and salespeople to help them identify potential leads for their products and services. The more sinister view of these services is that they can potentially be used by bad actors to collect information about victims.

Upwards of 40 attributes pertaining to individuals may be obtained through these services, including name, physical and email addresses, telephone number, length of residency and credit card data.

For the purposes of charity fraud and other affinity fraud schemes that will allow customization, important attributes include:

  • Age: Older people tend to give more, and the elderly may be manipulated more easily.
  • Ethnicity: Attackers easily identify those of a specific ethnic origin (e.g., French and Syrian).
  • Ailments: Health information can be used to target individuals willing to donate to a cause with which they can empathize.
  • Contributor by cause/Donor by cause: Criminals identify people who have donated to a specific cause or charity in the past.

Social Media Sources

Social media sites can be leveraged to identify potential targets or collect data used as part of building the profile of a target for a customized spear phishing attack. A quick search on Facebook for “Syrian Refugees” produces dozens of Facebook groups dedicated to helping the refugees. The groups, as a whole, include the names of thousands of members. This population could become targets of a spear phishing campaign.

Although the information available from the profile pages of individuals in these communities may be limited, other open-source information sites can be used to identify targets and gather data such as physical address, phone number, email address, family member information and even neighbors. The people identified within these groups could also be cross-referenced against data broker lists.

About the Scheme

Potential victims can be approached using a number of techniques, and in all likelihood, multiple techniques may be used. By adding layers of contact points, more advanced fraudsters can increase the appearance of credibility. Email scripts will be well-written and may provide a choice for the recipient to either click a link to a website or contact the charity at a provided phone number. Additionally, where phone numbers can be identified, a targeted vishing or spear vishing campaign could be designed to collect donations over the phone.

Don’t Trust the Caller ID

Many people implicitly trust their caller ID. They may see a number they recognize and/or a name associated with it and feel secure that the person on the other end is who the caller ID says it is. That’s probably OK if it’s your mother calling you. However, if it’s an organization with which the person receiving the call has an affinity, that person may be more easily duped into providing information or making a donation.

Fraudsters engaging in a targeted vishing attack may use call spoofing services to disguise their true origin and make it appear as if they are calling from the telephone number of the legitimate charity organization. The fraudster may even count on the victim to recognize the phone number and name of the charity. In this situation, the spoofed telephone number provides an enhanced air of credibility.

Call spoofing services are perfectly legal but not meant to be used for criminal purposes. Those using one of these services need only input the number they are calling and the number that they want to appear on the recipient’s caller ID. Additionally, some of these services have soundboard options that allow the user to add background noise, such as that of a call center.

Consumers Must Always Be Guarded

It’s no surprise that the more information put online, the more vulnerable we become. Who would think that supporting a worthy cause by becoming a member of a private or closed group on a social network could potentially open you up for a phishing or vishing scheme?

Everyone’s expectation of privacy should be extremely low. As our lives, interactions and transactions increasingly move to the digital space, we must be aware and on guard for any solicitation of information or money, particularly when the need is urgent, as in the case of a natural disaster or terrorist attack. Remaining aware of the risk of fraud is of paramount importance.

Fraudsters don’t need to use sophisticated techniques to steal money. Preying on emotions, sympathies and trustworthiness is simple, inexpensive and lucrative.

Steven D'Alfonso
Senior Financial Crimes Intelligence Specialist, IBM Red Cell

Steven D'Alfonso joined IBM in April of 2013 as an inaugural member of the Red Cell team. Red Cell is a team of highly skilled subject matter experts in the ...