Contents:

  1. New criminal schemes
  2. Many approaches to the same scheme
  3. Who is most vulnerable
  4. Measures to protect yourself
  5. What to do if you’ve been scammed

New criminal schemes

As usual, criminals tend to reach out to their potential victims by phone or via messenger apps. However, they have picked up a few novel techniques.

These days, most schemes are aimed at gaining access to victims’ personal accounts on Gosuslugi (the state digital services platform for Russian citizens – Ed.) and stealing their data; however, criminals can have other aims, too. The usual schemes include a call from an “employee” of some state institution, bank, or mobile operator. You may be asked to share the security code you received in a message or a screenshot from an app after you’ve performed some action. Some commonly used “pretexts” are:

  • there’s been a mistake and your medical appointment was cancelled;
  • your work history needs to be updated to increase your pension payout or receive social benefits;
  • you need to be vetted for exams at university (a common scam during exam periods);
  • you have violated the law and need to perform certain actions to avoid punishment;
  • you need to renew your mobile plan;
  • you need to secure a “hacked” bank account by transferring your money to a “safe” one;
  • you’ve received a job offer on great terms.

Unfortunately, criminal minds can also make use of AI to improve on their old schemes. These days, when they break into your social media account or messenger app, they can send out not only texts, but also AI-generated voice and even video messages begging your contacts for money. Thus, they can imitate not only your voice or appearance, but also your behavior.

Perpetrators can attempt to gain access to personal data through children, too. They message school students on social media and ask for information about their parents’ (or other older relatives’) credit cards, promising various gaming perks in return.

Phishing emails and messages are also “in style” – typically, they offer subscriptions at reduced prices or some kind of bonus, but when you click on the attached link, your personal data or even access to your account ends up in criminal hands.

Credit: mne_len / photogenica.ru

Many approaches to the same scheme

Social engineering, a type of psychological manipulation, is at the heart of every such scheme. It is commonly implemented in these stages: 

  • Collecting information about the victim: their age, occupation, interests, and even latest actions online – all provide a clear image of you as a person. For this information, perpetrators often don’t even need to hack into your account; just a perusal of your contacts, latest publications, and subscriptions can be enough. For this purpose, personal data aggregators or leaks can be used as well.
  • Developing a personal interaction scenario: this usually depends on the victim’s age and occupation. For instance, pensioners receive calls about pension revaluation, middle-aged people get utilities-related calls, while students get calls about being admitted to exams.
  • Implementing a scenario and gaining trust: first, the goal is to make the victim trust the criminal. That’s why they disguise themselves as administrative officials or someone with a high status in the victim’s eyes. If trust isn’t established, the next tactic is threats – with fines, potential money loss, or refusal to provide an important service.
  • Establishing an emotional connection with the victim and using it: the criminal’s main tool is the victim’s emotions, so they will keep playing on them until the victim caves in. Depending on the victim’s susceptibility, this can be a long game – it can even lead the victim to break the law under the criminal’s manipulation.

Who is most vulnerable

Pensioners (or those about to be). People in this age group are quickest to react with fear and aren’t always familiar with digital platforms and communications.

School and university students. Often, students are careless about their personal data and leave their digital footprints on insecure websites – or can even sell their bank data to third parties (which is a crime).

Credit: solarseven / photogenica.ru

Measures to protect yourself

Set up two-factor authentication for all your social media accounts, messaging and banking apps, and other important accounts/apps. This means that you’ll have to confirm your identity twice to log in. First, you enter your password, and then you confirm that it’s you with biometric data or a security key/code. For a criminal, obtaining what is needed for the second step of the login process is harder and won’t be possible without your personal involvement.

Do not reveal crucial personal information or your earnings in personal messaging. Typically, criminals track this information and can kick into action once a large sum of money has hit your account.

Use different, complicated passwords for every platform. Having hacked into your social media account, malefactors can use the same password to access your banking or other accounts.

Don’t answer calls from unknown numbers. Cold calls are a common criminal tactic.

Never reveal the security codes you receive from banking apps, online stores, and other platforms. These codes are used to confirm your identity. Actual employees of these establishments do not require these security codes to perform any operations.

Always check who you transfer your money to. If you see an unfamiliar name in place of the addressee on the banking app, check to see if it’s really your friend asking for help (ask them about something personal that you haven’t discussed in your texts).

If you have doubts about the caller’s identity (whether they introduce themselves as your friend or a bank/administrative/mobile service employee), confirm it. For personal connections, the approach is the same – ask them a personal question. For “official” callers, you can ask their name and ask them to hold. Then call the official number of the establishment they are “representing” and ask whether there is an actual employee by that name who could be contacting you for the reason they gave.

Credit: rokas91 / photogenica.ru

What to do if you’ve been scammed

If you’ve revealed your personal data or transferred money to someone:

  • End the conversation as soon as possible;
  • Change your passwords on all apps and social media;
  • Log out of your account on all devices except the one you are using at the moment. This will stop criminals from accessing your account; 
  • Verify your data on all platforms, namely your email address and phone number. If they have been changed, correct them; 
  • Report the case to your bank and the police. Your specific case has to be registered by the police: this can be useful if, in the future, criminals decide to take out a loan in your name;
  • Cancel all your bank cards and order new ones; 
  • Request a security check of the latest transactions at your bank and alert them about potential fraudulent activities; 
  • Block access to services in your bank app (and Gosuslugi, if relevant). If you can’t do it on your own, reach out to support services.

For Gosuslugi data, you will have to regain access to your account as quickly as possible by: logging in with your passport details or other documents; logging in through the platform’s partner bank (if you are a client there); or reaching out to the platform’s support in person. Once you log in, check the latest activities in your account to see what the criminals were after and check if there’s a loan or other service ordered in your name.