Understanding how simple fraud techniques work

    Identity theft and fraud have been commonplace for a number of years, but have taken on various different forms. Several years ago, identity theft required the perpetrator to gather as much physical information as possible about the intended target. With personally identifiable information being siphoned out of businesses, and the GDPR landing in 2018, I thought it would be a good idea to get an article out that identifies the most common types of identity fraud, and how easily information can be obtained - not necessarily through social engineering, but from your own rubbish.

    What is needed to commit identity fraud ?

    Such information would typically be anything that could be classed as “personally identifying” – mail for example. A utility bill could be presented as proof of identity in order to obtain services or other financial gain by impersonating that individual. Most of the mail we receive through the postal system these days is junk, but the odd item will contain a wealth of information that is a gold mine to an identity thief looking to commit fraud.

    Before the onset of the internet as we know it today, an identity thief had to work for this information in ways that are seldom deployed in today’s threat landscape (but still used nonetheless). Such activity meant sorting through rubbish (or trash – dependent on your locale), with the sole aim of finding material that could be used to perform impersonation. This activity has actually become simpler and cleaner over the years, mainly thanks to new recycling laws that separate the real rubbish from what an identity thief is looking for. In actual fact, all any potential thief has to do is steal the recycling bag itself – thus not only improving productivity, but also increasing the chances of extraction dramatically. Nobody is going to be that concerned about their rubbish going missing – they threw it out, so asking for it back would raise the inevitable question as to why you disposed of it in the first place if you wanted to keep it.

    Anything with your name and address on it is an excellent start, but it isn’t enough. For this to be beneficial, an identity thief would need your date of birth. You’d think that this would be difficult to obtain. In actual fact, it isn’t. Using a variety of techniques, an identity thief can extract this information from other sources such as electoral systems, census records, and most family tree research systems. The information will be buried yet available somewhere, and it just needs to be exposed. How much time an identity thief needs to invest in this activity varies dependent on the prize – nobody wants to be knee deep in rotting produce unless there is a significant reward at the end of it.

    Why is a date of birth so important ?

    Your date of birth is often required when completing loan applications (for example), and without this, an identity thief cannot procure services or gain access to a financial source easily. It’s like the missing piece of a puzzle. Without that piece, you have most of the picture, but not all of it. Any missing components required for identity theft to be possible can also be extracted from sources much closer to you than you’d think. Using a variety of techniques – most of them social – any thief can extract the required information without too much effort. The most common approach is to leverage social media.

    The identity thief pretends to one of your friends or associates that they know you, and is then able to engage them in conversation. The incredible fact about social media is that people tend to post a variety of information that they probably wouldn’t if they were to think twice about it, and this vulnerability is surprisingly simple to exploit. Facebook, for example, allows you to see the profiles of any other connection your new “friend” has, and vice versa. Too much information on public display in these profiles is the low hanging fruit that is required for identity theft to become a realistic prospect.

    As this technique relies solely on trust, and the source of the information provides the missing pieces of their own free will and volition, no crime is actually committed. Trust is the key element for this method of extraction to succeed – and in most cases, it does.

    My post box is susceptible ? Why ?

    Another simple mechanism of obtaining information is intercepting post intended for the target. This sounds like a difficult task, and for housing estates, you’d probably have to kidnap the postman in order to gain access to the mail (just kidding). However, there have been some occasions where mail has been inadvertently given to someone else impersonating the occupier of the intended address. This practice was rife at one point, and now most postal services will not hand over mail unless they can post it through the letterbox, or leave it at a designated collection point.

    And here is the real vulnerability. In apartment blocks, flats, or shared complexes, mail is typically left in mailboxes that require a key to access. The idea being that the intended recipient holds the key, and collects their mail from the mailbox. In most cases, it is a fairly simple process to either extract mail from this box via the letter opening (it sounds crazy, but you can actually get your fingers into the slot and if someone left a parcel, a letter could be sitting on top, and be within easy reach), or use brute force to break the lock and gain access this way. In the UK, personal post boxes aren’t commonplace if you live in a house, as the doors often have letter boxes designed to deliver directly into the property - enhancing security. This isn’t necessarily the same for multi-dwelling apartments, but in most cases, each door has its own letterbox. I recently had a new door fitted to the front of my house, and it had no place for a letterbox. Based on this, I decided to purchase a wall mounted post box. Despite being made of metal and looking sturdy, it was simple to gain direct entry to without the keys through the opening at the top. This was designed to accept parcels and standard letters, but in most cases (for me anyway), was wide enough for a hand to reach inside and intercept mail. Not sure what I’m getting at ? Have a look at the below

    The picture above is my (hairy) hand and arm inserted into my own post box - it’s a little difficult to see the full effect, but it does give you a clear indicator of how simple this method of retrieving mail actually is. Various fraud and identity theft instances have been reported over the years, and the extraction point is often identified as the mailbox. As outrageous as it sounds, an identity thief could (and this has actually happened in the past):

    • Apply for a loan in your name
    • Intercept your post for the application form
    • Sign this as you, and return the form
    • Wait for the loan to be approved
    • Collect the requested loan amount from the account they setup in your name
    • Not repay the loan, leaving you responsible for the total amount as far as the lender is concerned.

    Once an identity thief has access to your personal information, they can then use this to create new identities to sell on to others. And it is not just the living that have been subjected to this type of fraud. The deceased are often the target of identity theft, as there is generally nobody to question or challenge this, unless a relative receives a demand for payment of an outstanding debt that has been accrued since they passed away. As simple as it sounds, a thief just needs to review the obituaries in the local newspaper to identify a potential target. This will contain the name, age, and in several cases, the date born – or a simple mechanism of retrieving this information.

    Given the relatively simple steps above, you are able to see how identity theft works. Not so complex after all, is it ? So how can we prevent it, or at the very best, lessen its impact ?

    • Arrange for your bank statements and utility bills to be sent to you electronically, and not by post
    • Regularly check your bank accounts for unauthorised or unexpected activity.
    • Perform frequent credit checks to ensure that you are not being denied credit or being blacklisted – either of these is a sign of recent identity fraud.
    • Do not place sensitive documents in your recycling unless they have been shredded – preferably by a cross-cut device to prevent reassembly. A bag of ribbons is unappealing to an identity thief
    • Secure your letter or post box in such a way that makes tampering very difficult, if not nearly impossible. My advice here is to abide by the law, and not make the device a booby trap if opened.
    • Do not become complacent – exercise caution when disposing of or storing sensitive documents
    • For the truly paranoid, there’s a galvanized incinerator. It sounds technical, but is really just a bin with a chimney, designed for burning paper and garden waste. You may need to check with your local authority before using one of these - there may be conditions governing their use in restricted areas as the smoke emitted can be quite unforgiving to drying laundry in neighbouring gardens / yards, or hazardous to breathe in dependent on proximity and the material being burnt.

    Deploying these simple techniques can reduce your chances of being exposed to the risk of identity theft, and you’ll be surprised at just how effective they can be.

    Remember - each of these techniques relies on the sole point of vulnerability - human nature. Don’t expose your identity unnecessarily.



    The dodgy email has been around for some time - often varying in complexity. In most cases, attempts at spoofing a legitimate email are very poor: with incorrect fonts, colour schemes, and overall layout, most of these are really easy to spot. However, the game seems to have been “upped” somewhat over the past few months, and yesterday evening, I received this very convincing email in my inbox - supposedly from PayPal

    Now, to the untrained eye, this could look very convincing indeed. Should we do as they ask ? Hold it right there. Let’s break down this email by first looking at the address to see who actually sent it

    Yeah, that’s not PayPal is it ? It’s some random address a somewhat nefarious individual has created in order to make it look like it’s from PayPal themselves. In most cases, you can easily mask the fake address by placing the “real” one as the “sent from” - in this instance, it looks as though PayPal sent it, but if you dig deeper, this isn’t the case.

    Another way we can see where the message originated from is to check the message headers themselves.

    The first 5-10 lines of the message header give us insight into the origins of the message. Here are those very lines from the message I received

    Received: from 10.200.76.142 by atlas220.free.mail.ir2.yahoo.com with HTTPS; Thu, 9 Dec 2021 22:22:26 +0000
    Return-Path: <9C1pbZ6mPTYKkb0ENR1h4vEzyvGs2GiPxdcooHot@paktron.info>
    X-Originating-Ip: [209.85.128.103]
    Received-SPF: pass (domain of paktron.info designates 209.85.128.103 as permitted sender)
    Authentication-Results: atlas220.free.mail.ir2.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=paktron.info;

    As you can see from the last line, the domain that **ACTUALLY** sent the message was “paktron.info”, and definitely not PayPal.

    Digging even further, we can also see that “paktron.info” uses Gmail to relay its emails

    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112;
        h=x-gm-message-state:date:to:from:subject:message-id:mime-version
         :content-transfer-encoding;
        bh=JDzBYqxLWbyz1euLpGy5I34M1DgaEIWD1DyTSYgKsOU=;
        b=TfLkxbgWVIYonMrIzqbetxzD+F1D3Tf4wHm+l4svGqQH96cM0Og7XVAQtnfe2taJ8c
         g4T71omH7gq2AGk3zzz09RjjyE47taZhx1p5VhZWkQ93LuAnRZvszLg+QkW59SIHqBs0
         bgUzEKtJN3V4pm8YX4XR8KE6+OBRs4ma6GbnOg2n0xW5RPN6WBDihA3PyYB9Ve4GOS+H
         DCaOlLdJcBq7ftf3ska5Jp4vOAcM/ZTJ0hgjv8ZUf7N08a7gUTcKRnykRkwn0hYUnjlh
         lImEHPd8S1e4lGLFPpJVMkp1EvRgRBjcPbPIOlcSCgpeBlq2MOFdywcjbHWG2ptC5g5W
         rP7A==
    X-Gm-Message-State: AOAM531L2V7LNH6Y/goIZUfnCa5gvlMbyHFvBdrK/9PBccraWnlFrqkr
        zwyg/3GLjdJrLPJTVWHmgzlc2QEzzZ9tlHG4hRyBao96vaifQ9enb75yoAEM5jzUDA==
    X-Google-Smtp-Source: ABdhPJwpppASrcH9t3k4kQJ12BODF4ra+WqBwbTQJMjq3PIk+TIemDoplAtzOjynJsvKoSe0ECKHYHQQNxu1
    X-Received: by 2002:a1c:ed0a:: with SMTP id l10mr10968558wmh.140.1639088545974;
        Thu, 09 Dec 2021 14:22:25 -0800 (PST)
    Received: from notifications-317.loccitane.com ([2a04:ecc0:8:a8:4567:234f:0:1])
        by smtp-relay.gmail.com with ESMTPS id m15sm75873wmg.19.2021.12.09.14.22.25

    And to confirm this, a quick “whois” will show us that the domain registrar is in fact, Google.

    Admittedly, it has privacy protection, so it’s not “Google” per se, but the domain was registered in November 2021, and is relatively new, so it is pretty clear that its purpose is solely to send malicious email, given that there is no web presence for it.

    If we also look at the underlying source code of the message we received, we can see that the “Login to PayPal” button isn’t all it seems - in fact, it wants to send us somewhere completely different - no doubt a malicious site that looks like PayPal, but in fact isn’t.

    target="_blank" href="https://l.wl.co/l?u=https%3A%2F%2Fme2.do%2FG0YhbPsc&signature=JmhXt100uR&trackingid=JijD70jaqr27E&amp=1" style="text-decoration:none;color:#ffffff !important;white-space:nowrap;">𝖫𝗈𝗀𝗂𝗇 𝗍𝗈 𝖯𝖺𝗒𝖯𝖺𝗅 </a></td>

    It’s becoming increasingly common for attackers to “hide” malicious links inside “URL Shorteners” in an attempt to mask the real link. Clicking on this link within a sandbox environment takes us here

    And if we check the URL itself against the vast variety of malicious link checkers, we can easily see that it’s not all it purports to be

    And there you have it. It’s a known “Phishing” site - so called, because it is literally “fishing” for information that you could well readily provide thinking it was your PayPal account you were logging into. Chances are that nothing would actually happen once you submitted your details, but all you’ve done here in fact is to provide the login ID and password of your PayPal account to an attacker.

    One of the best ways of avoiding this scenario in the first place is of course to question the email being sent. For example

    • Does the email address that sent it match any of PayPal’s ?
    • Are there grammatical errors such as poor spelling, or generally bad punctuation ?
    • If you hover your mouse over any buttons or links, most email clients will show you the link that is hiding underneath it. Does it look like PayPal ?
    • Is the address you’ve received the email on actually registered anywhere with PayPal ?

    Protection of your PayPal account is key. One of the strongest methods of protection is to enforce two factor authentication. This essentially extends the login requirement to a username, password, and something only you have - in this case, the 6 digit code (or push notification if you use the PayPal app itself) which is only available on a device in your possession. Even if an attacker did manage to get your username and password, they still wouldn’t be able to login without the code being provided.

    Having said that, it’s not difficult to hijack a SIM card so that any attacker wanting to obtain the two factor code via SMS could actually be in a position to do so.

    That’s a topic of discussion for another post though… 🙂

    Stay safe out there - let me know if you have any questions.
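The header and link checks walked through in the PayPal example above can be scripted against a saved message. This is an added Python example, not code from the original post: the `From:` line, the HTML around the link and the `BRANDS` table are assumptions, while the other header values and the `href` are the ones quoted in the post.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: Return-Path, Received-SPF, Authentication-Results and the
# href are copied from the post; the From: line and the HTML around the link
# are assumptions added so the message parses as a whole.
SAMPLE = '''Return-Path: <9C1pbZ6mPTYKkb0ENR1h4vEzyvGs2GiPxdcooHot@paktron.info>
Received-SPF: pass (domain of paktron.info designates 209.85.128.103 as permitted sender)
Authentication-Results: atlas220.free.mail.ir2.yahoo.com; dkim=unknown; spf=pass smtp.mailfrom=paktron.info;
From: "PayPal" <service@paypal.com>
Subject: constructed sample

<table><tr><td><a target="_blank" href="https://l.wl.co/l?u=https%3A%2F%2Fme2.do%2FG0YhbPsc&signature=JmhXt100uR&trackingid=JijD70jaqr27E&amp=1" style="text-decoration:none;">𝖫𝗈𝗀𝗂𝗇 𝗍𝗈 𝖯𝖺𝗒𝖯𝖺𝗅 </a></td></tr></table>
'''

BRANDS = {"paypal": "paypal.com"}  # assumption: keyword -> domain it should lead to


def domain_of(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def within(host, domain):
    """True if host is domain itself or one of its subdomains."""
    return bool(host and domain) and (host == domain or host.endswith("." + domain))


def check_sender(msg):
    """Compare the From: the reader sees with the envelope sender SPF checked."""
    from_dom = domain_of(msg.get("From", ""))
    envelope = domain_of(msg.get("Return-Path", ""))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    findings = []
    if not (within(from_dom, envelope) or within(envelope, from_dom)):
        findings.append(f"From shows {from_dom} but the envelope sender is {envelope}; "
                        f"spf={auth.get('spf')} only vouches for {envelope}")
    if auth.get("dkim") != "pass":
        findings.append(f"no valid DKIM signature (dkim={auth.get('dkim')})")
    return {"from_domain": from_dom, "envelope_domain": envelope,
            "auth": auth, "findings": findings}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def redirect_chain(url, max_depth=5):
    """Hosts named by a URL and by URLs nested in its query string (no network)."""
    hosts = []
    while url and len(hosts) < max_depth:
        parts = urlsplit(url)
        hosts.append(parts.hostname or "")
        url = next((v for _, v in parse_qsl(parts.query)
                    if urlsplit(v).scheme in ("http", "https")), None)
    return hosts


def check_links(html):
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        plain = unicodedata.normalize("NFKC", text)  # fold styled letters to ASCII
        hosts = redirect_chain(href)
        findings = []
        if plain != text:
            findings.append("link text is written in look-alike Unicode letters")
        if len(hosts) > 1:
            findings.append("destination is wrapped: " + " -> ".join(hosts))
        for brand, domain in BRANDS.items():
            if brand in plain.lower() and not within(hosts[-1], domain):
                findings.append(f"text names {brand} but the link leads to {hosts[-1]}")
        results.append({"text": plain, "hosts": hosts, "findings": findings})
    return results


def triage(raw_message):
    msg = message_from_string(raw_message)
    return check_sender(msg), check_links(msg.get_payload())


if __name__ == "__main__":
    sender, links = triage(SAMPLE)
    for line in sender["findings"] + [f for link in links for f in link["findings"]]:
        print("-", line)
```

The script never fetches the link, so it only shows what the message itself reveals; where the shortener finally lands still needs the sandbox visit described in the post.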


    Sextortion emails seem to be all the rage these days with criminals. Whilst highly imaginative, they are surprisingly successful, with recipients paying to not “be exposed” by criminals, when in fact, they have nothing to hide in the first place - well, perhaps not - if you were truly innocent, then you’d simply say “knock yourself out” to any attacker… Below is my response to those burning questions

    We’ve seen “scare-mail” (the process of attempting to blackmail recipients using a variety of techniques, with the perpetrator relying on the user to pay up in order to “save their reputation”) escalate at an alarming rate over the past month. As the format of these emails is mostly the same, I thought it made sense to provide a bit more information from the most prevalent campaign we’ve seen so far. Below is the verbiage (it varies depending on who sent it), along with my advice and commentary.

    Your account is now infected! Change the password right this moment!

    DON’T. There is no need to react to this

    You may not know anything about me and you really are certainly interested for what reason you are reading this particular letter, is it right?

    WRONG. You’ve chosen me at random from a huge pool of addresses, and if I reply, you’ll know I exist, and then you’ll add me to a sucker’s list

    I’m hacker who cracked your email and devices and gadgets two months ago.

    No, you didn’t. All you’ve done is to download the APOLLO.io breach database and target random email addresses.

    It will be a time wasting to try out to msg me or alternatively try to find me, in fact it’s impossible, because I forwarded you an email from YOUR hacked account.

    No, you didn’t. All you’ve done is set the reply-to address to match the one you’re attempting to extort funds from which makes it look like you’ve hacked my account

    I build in malware software on the adult vids (porn) site and suppose that you watched this website to have a good time (think you understand what I want to say). Whilst you were taking a look at movies, your internet browser started out to act as a RDP (Remote Control) that have a keylogger which gave me authority to access your display and webcam. Afterward, my program obtained all data. You have put passcodes on the web-sites you visited, and I caught them. Surely, you’ll be able to change them, or have already modified them. Even so it doesn’t matter, my program renews needed data regularly.

    If you say so. You really haven’t though.

    What actually did I do?

    Nothing 🙂

    I compiled a backup of every your system. Of all files and contacts. I got a dual-screen movie. The first screen displays the clip you had been observing (you’ve got an interesting preferences, ha-ha…), the 2nd part shows the movie from your own web camera. What exactly should you do?

    Delete this email and move on

    So, in my view, 1000 USD is a realistic price for our very little riddle. You will do the payment by bitcoins (in case you don’t understand this, go searching “how to buy bitcoin” in Google).

    USD 1,000 ? Sounds like a bargain…. I don’t think so.

    My bitcoin wallet address: 1C242L8qAXRxudv6KBAahi81GHS5wpc8cF (It is cAsE sensitive, so copy and paste it).

    Hmm. Yes. Let’s have a look at that wallet of yours (link is safe) - https://bitref.com/1C242L8qAXRxudv6KBAahi81GHS5wpc8cF seeing as there’s nothing in there at all, you haven’t had much success, and I won’t be on your list either.

    Warning: You will have only 2 days to perform the payment. (I put an unique pixel in this message, and right now I understand that you have read through this email). To monitor the reading of a letter and the activity inside it, I set up a Facebook pixel. Thanks to them. (The stuff that is used for the authorities can help us.)

    No, you didn’t. There is no embedded pixel in this email.

    In case I fail to get bitcoins, I shall immediately direct your video files to each of your contacts, such as family members, co-workers, and many more?

    In the words of “Taken”…… “……Good Luck……”

    And there we have it. Totally fake, and designed only to incite fear and extort revenue. The only thing this message is fit for is the delete button.

    Anyone who uses dating agencies or even social media itself should be aware of the risk that a “catfish” poses. However, despite all of the media attention, catfish are constantly successful in their campaigns, and it seems as though every day there is yet another victim. But why is this persistent campaign so successful ? In order to understand how a catfish scam operates, we first need to look at who they target, and why. Trust is gained as quickly as possible as the risk of being caught out very early in the process is much too high. Catfish campaigns tend to target individuals – particularly those considered vulnerable. But how do they know that these individuals are vulnerable and a healthy target in the first place ? More on that later. For now, let’s look at how a catfish will apply their skills on unsuspecting victims. By far the most common type of attack is via online dating, and seeing as there appears to be plenty of choice in terms of platforms and users adopting their services, the fruit on the tree is plentiful, and replenished at an alarming rate.

    How does a catfish select a target ?

    The more experienced catfish will have multiple targets and campaigns running concurrently. Adopting this approach as a “beginner” is actually unwise, as there is too much detail to remember in order to pull off an effective deception without raising suspicion. Can you imagine grooming a target then getting their name wrong, or other key information they may have unwittingly provided ? No. For this exact reason, the novice catfish will target one individual at a time. This doesn’t sound very enterprising, and the experienced catfish will instead operate multiple campaigns simultaneously. This produces a significantly higher yield, but it also means that the risk of exposure is greater. Based on this, each campaign is carefully tracked and “scripted” - in fact, each campaign has a written story - pretext if you will, that is simply copied and pasted in communications. This provides the assurance that the particular “story” being used does not stray off course, or arouse suspicion unintentionally. Based on official evidence, most catfish campaigns originate from Nigeria. In fact, it’s big business - well over USD 2bn in fact.

    Here’s a video courtesy of ABC that describes some of the techniques I have mentioned above - including the “scripted” mechanism.

    The catfish selects their target based on a number of factors – with social skills being top of the list. A personality of a wet blanket is seldom effective, so the catfish must create an online persona (usually a Facebook profile) that is credible, and can be reinforced and intertwined with real life events. Such an example of this is a soldier serving in Afghanistan (there are many others, although this is an active campaign which is known to succeed). It would appear that the military lifestyle, the uniform, and the exciting stories are enough to entice a lonely individual looking for friendship and romance. A vital component of the scam is that the occupation of a soldier allows multiple periods where contact can be minimal for various “military” reasons that the catfish informs their target they cannot divulge for official secrecy reasons.

    This actually provides the perfect cover in order for the scam to progress. Time is required in order to plan the next stages of the campaign if it is to succeed. Another important element to remember is that the catfish needs to be mindful of time zones – you cannot be based in Nigeria and use the same timezone when you are supposedly stationed in Afghanistan, for example. The catfish would have collected enough intelligence about their target to remain one step ahead at all times. This typically involves research, with most of the required information sadly provided by social media. This includes dates and places of birth, interests, hobbies, and a myriad of other useful data that all adds up to the success of the campaign. The catfish uses this information to form trust with the target, and, coupled with the online persona created previously, the wheels are firmly attached. The con is on, so to speak. Using the data collected earlier, the catfish makes use of a variety of techniques in order to gain confidence and trust, with the social element being of utmost importance. Another key point for the catfish is the ability to engage in discussion, be articulate, and most of all, come across as being intelligent. Spelling is important, as is the ability to use grammar and punctuation correctly.

    Those of us who are “grammar snobs” can easily spot a deception in the form of a social media message or email owing to the notoriously poor grammar – usually the result of English not being the primary language in use. Bearing in mind that most initial contact is via instant messaging, online chat, and email, it is important for the catfish to avoid suspicion and early detection - and in essence, remain “under the radar” at all times.

    How much effort is involved ?

    The amount of effort a catfish will put in generally depends on multiple factors. The sole aim of the perpetrator is financial, and any seasoned criminal will be looking to gain trust quickly, and will always have a story prepared. The point here is that the target needs to be a willing participant – nobody is holding a gun to their head, and they must be convinced of the integrity of their new online beau in order to part with money of their own volition. The previously constructed story needs to be consistent, and plausible if the campaign is to succeed. Once the target is engaged, the catfish is then in a position to effectively “groom” the individual, and uses the response and personality of the target to gauge when the next part of the plan should be executed. This in itself can be a fine art depending on the target. If they are intelligent, it may take a considerable amount of time and effort to reel them in. Before the catfish makes this investment, they have to be sure it will be worth it. But how ? Again, social media to the rescue. You’d be hard pressed to believe this, but money and the associated social lifestyle it provides and promotes is a key focal point of social networking, and by definition, “engineering”.

    If the target regularly posts about dining out, drinking, holidays, etc., then this is a clear indicator that they are worth pursuing and exploiting, as they clearly have money to spend. Once the catfish has been able to convince the target of their sincerity, the deception then proceeds to the next level. Using the tried and tested “soldier based in another country, shortly completing his tour of duty, and leaving the army” scam, this provides an ideal mechanism to extort money from the target after they have been convinced that the individual they have been talking to wants to start a business, and needs capital etc. in order to get started. Another well-known and successful ruse is to claim that they have a sick child (or children) that need urgent hospital care, and they don’t have the money to finance this. Another means of topping up the “fund” is the additional ruse that the soldier is not a citizen in the target country, and wants to be with his “new partner”. The by now besotted target agrees to pay for air fare, visa costs, and other associated permits in order to make their dream romance a reality – without realising that they are parting with a significant sum that carries absolutely no guarantee that it will be delivered. In fact, this could not be further from the truth. In a cruel twist, the catfish instructs their target to pay the funds into an account setup and accessible by the criminals involved, where it is collected without delay - often by a “mule” (more on this later).

    The target is completely unaware this has taken place, and only realises what has happened after their romance never materialises, the person they trusted never arrives, and a gaping hole has appeared in their finances as a result. They are now left with the inevitable emotional and financial damage this scam creates, and they must somehow come to terms with the impact – and the associated consequences. The ultimate twist of fate is that the victim transferred their money of their own free will – it wasn’t stolen from them, and, believe it or not, no crime has been committed based on this fact (it sounds crazy, and it is absolutely fraud - but that’s the law). You will also find yourself hard pressed to convince any bank that you have not acted negligently.

    Reducing the risk

    So how can you reduce the risk ? Whilst the below list should start with “…never talk to strangers…”, it’s not that simple. The below points are guidelines, but should be used along with your own judgement.

    • Never engage in discussions of a financial or personal nature with people you do not know. The internet is a dangerous place, and the anonymity it provides only makes this worse.
    • If you join a dating agency, ensure that all requests for contact are fully screened by the agency themselves before being sent on to you. Most agencies now insist on home visits to new clients in order to combat this growing trend.
    • Never agree to setup a new bank account, or transfer cash – this is a smoking gun, and should be avoided at all costs.
    • Never allow the discussions to continue “off platform” – in other words, always use the dating agency’s systems so that any conversations are captured and recorded. This means no texts, no personal messaging systems, and strictly no contact over social media.
    • If someone sends you a friend request on Facebook, ask yourself basic questions, such as “do I actually know this person ?” and “why are they contacting me ?”. If you don’t know them, don’t accept.
    • Try to avoid being tempted by emotional flattery. Whilst we all like praise and the feelgood factor it brings, don’t be reeled in by a catfish. This is one of the core weapons in their arsenal, and they will deploy it whenever necessary.
    • Remember – relationships have their foundations firmly rooted in trust. This has to be earned and established over the course of time – it’s not something that appears overnight.