Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
Social media is a personal and business staple in the lives of 21.3m Australians, making it a key hunting ground for scammers in 2023 and 2024. According to Scamwatch, Australians reported losing $80.2m to social media scams in 2022, which was up 43% on the previous year.
To keep you across the latest tactics, this is the first article in our series on social media scams. This blog will focus on the most common WhatsApp scams, but we’ll take a look at other platforms, like Facebook Marketplace, in future articles.
WhatsApp – the messaging service owned by Facebook parent company Meta – is becoming more ‘social’, with many brands using it as a customer service channel, as well as a way of regularly communicating with customers. As a result, it’s also an increasingly attractive platform for cybercriminals, who want to steal money, obtain personal information or plant malware (malicious software) on your device.
So let’s look at the latest WhatsApp scams and the tactics cyber crooks are employing.
This WhatsApp scam preys on our instincts to help someone we love who’s in trouble. A message will come through from an unknown number (always a red flag) starting with ‘Hi Dad’, ‘Hi Mum’, ‘Hi [name],’ or similar, allegedly from a family member, friend or colleague.
The message will firstly establish a reason as to why they’re using a different number – their phone’s run out of battery or has been lost – and this is their friend’s number or their new number. Quickly, they’ll ask you for money to help them out of a situation. Before you even think about responding, call the person that’s supposedly sending the message on the number you have saved for them, and never send any money to someone whose identity you’re not 100% certain of.
A sophisticated next step – which may follow an unsuccessful ‘loved one in distress message’ – is a voice memo apparently from the person in question. This is used in an attempt to prove they’re really who they say they are, and will sound exactly like the person it’s meant to. Some victims report the voice memos or calls being very distressing – for example, your loved one being kidnapped or tortured, and begging for help.
Here’s the trouble: that voice is a deepfake, produced through generative AI tools and using publicly available voice samples of the person in question – for example, public videos from work events or social media. Despite the relatively new access to generative AI, we’re already hearing chilling stories of voice scams that impersonate targets’ loved ones.
Again, contact the person who is allegedly asking for money via their regular number to give you peace of mind. For additional protection, you might even want to agree on a secret code word with your closest loved ones, and never share the code word electronically.
A message from an unknown number arrives, saying they’ve accidentally entered your number to set up WhatsApp on their new phone and can you send them a security code that’s been delivered to your phone, as it’s actually theirs. They say their ‘real’ number (not the one they’re messaging from) is one digit away from yours, hence the mistake.
Ignore. It’s a scam, and the security code you receive (you will receive one) is actually yours for your account – which the scammer wants to take control of.
Popular on WhatsApp as well as other social channels, these tend to involve messages informing you that you’ve won a prize and that you need to click a link to accept it. But you haven’t won (sorry). There’s nothing to win, because it’s yet another scam tactic.
Unsolicited messages offering you the possibility of employment or an easy way to make money are popular on WhatsApp. Even with the growing popularity of WhatsApp as a customer service tool, almost no businesses are going to message job offers to random people.
However, even if the sender claims to be a recruiter contacting you to discuss an opportunity, never click on any links or provide any information until you’ve confirmed the sender’s identity through other means. This includes independently confirming their number through other channels, such as LinkedIn, email or a phone call. Do your research into whether the person’s claims are true before revealing any details about yourself or your career.
This one is common on many social platforms, and is a long-game scam that relies on you responding to an unsolicited message (Hi!) and striking up a conversation over a period of time. The scammers are looking for people who may be susceptible to some interest being shown in them – flattery soon follows and, as trust builds, a request for money may follow. A sick relative, cash flow struggles or a trip to see you are commonly used reasons – but you’ll never see the money again.
A trickier one to identify, perhaps. A message that appears to come from WhatsApp Support includes a link to help secure your account. It will only do the opposite. Don’t click.
Others may ask you whether you’ve conducted a recent activity, which, of course, you won’t have. To secure your account, you’re told to enter a code that’s been sent to you. This code will be to access your account, not secure it, and by sharing the code you’re giving hackers access to your account. If you’re concerned, initiate contact with genuine WhatsApp Support.
Some WhatsApp users have reported receiving messages saying they’ve been selected to get a free upgrade to WhatsApp Gold, a new exclusive version of WhatsApp with new features. This doesn’t exist – the link will take you to a spoof website that will ask for your details and possibly install malware (malicious software) on your device.