Social engineering is all about abusing trust. Many of the phishing attacks found online have the goal of stealing money using tactics such as requesting money for some bogus lost relative. The average “Millennial” has seen this spam however the people behind these scams are taking a all time low approach by targeting elderly family members who are more likely to fall for these tricks.
This post will cover a scam that some of my coworkers have claimed was targeted at their family. In summary, attackers are levering social media to identify relatives of people, reaching out to their grandparents and asking for money while pretending to be a grandchild in trouble.
Looking at the handful of people that have had this scam take place, the target age for the kid to be researched for this scam is 15-22 years old. Attackers are crawling their social networks with the goal of identifying a young person linked to a grandparent that has contact methods publicly available. The attacker will call the grandparent and say they are “insert town of record Police Department for the grandson/daughter“. The fake officer gets on the phone and identifies a drug related crime that the grandchild is being charged with and specifies the grandchild is afraid to tell their parents. Next they put the fake grandchild on the phone, who comes on with a rushed and muffled voice asking for help and not to tell their parents. The fake officer gets back on and identifies a Bank of America or Wells Fargo account where the bail/release money must be wired that day.
In the stories I’ve heard, the grandparents agree and wire the funds without questioning the situation. So the best defense is educating your elders. Here are the trends on this attack
- Make sure that your elders know that they should never accept a call like this at face value and to contact you immediately
- They’re praying on instincts that the Grandparent wants to protect their Grandchild and they’ll face charges if they don’t act immediately.
- They don’t ask for more than $9000 – and depending on the push back they may accept less.
- The money is wired and removed from the account immediately, essentially untraceable
Another thing you should do is identify what contact information is public for your children and elders. It may make sense to remove or limit who has access to mailing addresses, phone numbers and email accounts. For example, Facebook permits controlling such data to different trust levels such as only Family verses friends or friends of friends
Hope this helps you avoid being a victim of such as tasteless attack.