In the spring of 2011, Audrey Elrod, a 45-year-old divorcee and junior-college dropout, was lonely and struggling to make ends meet.
Aside from the $344 she received in unemployment benefits each week, she paid the bills by re-selling packages of toilet paper and peddling prescription drugs. She shared her 676-square-foot apartment in the decrepit West Virginian town she grew up in with a roommate 12 years her junior.
So (not surprisingly) when she received a flattering Facebook message that began “How beautiful your picture, Audrey” from a handsome man named Duke McGregor, she did not delete it. Six months later, she was selling her jewelry and liquidating her retirement account for McGregor, whom she had never even met in person.
Unfortunately, Elrod’s story isn’t unique. Last week, Action Fraud reported that 3,543 people had been targeted by romance scams in 2014-15, with a total financial loss of more than £33 million. American victims of online romance scams, according to the Internet Crime Complaint Center, lost more than $87 million in 2014.
What is unique about Elrod, however, is that she went public with her scam. Too often, victims of fraud that only impacts them (and not anyone else) choose not to report their losses to authorities. Ashamed, they feel the cost to their reputation of getting duped is far greater than keeping the incident under wraps.
This is becoming a concerning trend not only for individuals, but also for enterprise businesses. Often, employees fall for spearphishing scams that spoof an executive’s identity and request bank transfers. According to Verizon’s 2015 Data Breach Investigations Report, more than 23% of recipients open phishing emails at some point, and 11% open the attachments—an unsettling number, especially for businesses with hundreds or thousands of employees. But if these attacks only affect the company—e.g. the attack didn’t result in loss of anyone else’s financial or personal information—they often will go unreported.
Fraud complaint data vastly underestimates the scope of the cybercrime problem. The 2015 Identity Fraud Study by Javelin Strategy and Research found that fraudsters stole $16 billion from 12.7 million US consumers in 2014. But the Federal Trade Commission’s database of consumer complaints found that consumers reported only a fraction of that estimate. The database received 2.5 million total fraud complaints in 2014 and these consumers only reported paying about $1.7 billion in losses.
Furthermore, there’s no real incentive for companies or individuals to report fraud losses. Banks are under no obligation, according to Conservative MP Mark Garnier, a member of the Commons Treasury Select Committee, to reimburse victims who are conned into making fraudulent transactions: “Some banks may make a pragmatic decision to refund some of their customers where they have clearly been defrauded. However, when this happens, it is important to bear in mind that they are under no obligation to do so,” he said. The Royal Bank of Scotland says that 70% of its customers who fall victim to a scam do not get a single penny back.
Cybercrime is more ubiquitous than we’ll ever know. But we can’t rely on employees and regular people to recognize it. We are all human. Even the most savvy among us are susceptible to sophisticated scams that manipulate our innate vulnerability.
Authentication standards enable us to see people for who they truly are. By incorporating authentication into filtering rules, we can spare people and companies the cost and embarrassment of being victims of fraud.
In the email channel, that means driving global adoption of the latest authentication standards like DMARC and partnering with email providers and takedown vendors to mitigate attacks that evade authentication.
For a glimpse into the phishing tactics cybercriminals are using today, check out The Email Threat Intelligence Report.