Welcome to A Scammer Darkly
This Week: Space, Millennials, Audio Deepfakes, and Calendar Invites.
You Go, Broz
Hello friends! Welcome to the first edition of A Scammer Darkly. I am recently returned from vacation in Croatia and Serbia, formerly run by one Josip Broz Tito, who may - or may not - have perpetrated the biggest scam not in, but on the United States. $2.5 billion ($50 billion in today’s dollars) for the entire Yugoslavian space program? JFK had a reputation as a big spender, and it seems Tito knew a mark when he saw one.
Millennials
A recent Lloyds Bank study in the UK finds that Millennials are, for once, not killing an industry. Unfortunately for them, that industry is cyber fraud.
New data shows that victims aged 18 to 34 are losing an average of £2,630 to frauds, which typically involve scammers impersonating banking staff, the police or HM Revenue and Customs.
A common American version of this is the “IRS collections” scam, where people receive threatening voicemails telling them they owe money to the government. Incredibly, quite a few people return these calls and pay these alleged debts, though according to the BBB, they average a meager $31 per victim.
As you’d expect, British Boomers are still losing the most per scam, but are somehow less gullible as an age cohort.
People over 55 are still handing over the most money out of any age group – with £10,716 reaching the pockets of the fraudsters per scam on average – but are less likely to be duped, with a slowdown in the number of total scams.
The democratization of fraud means that anyone with internet access is a target. I eagerly await all the new flavors of scams Zoomers will fall for.
Ze Germans
Another story out of the UK, or whatever we’ll be calling them when their economy consists of trading meat pies for body bags. The CEO of an energy firm was bilked out of nearly a quarter mil by a hacker using audio deepfakes to imitate his boss’s voice.
…the mark believed he was speaking to the CEO of his businesses’ parent company based in Germany. The German-accented caller told him to send €220,000 ($243,000 USD) to a Hungarian supplier within the hour.
This is such a…specific crime. You’d need deep (heh) financial knowledge of both companies, a convincing script to fool the CEO, and a decent cover story? I applaud the ingenuity of this deepfaker, who has turned prank calls into a lucrative hobby, or a creative way to settle scores.
Once our thief got their money, they made a classic mistake, and got greedy.
Then the hacker reportedly called a third time to ask for another payment. Even though the same fake voice was used, the last call was made with an Austrian phone number and the “reimbursement” had not gone through, so the victim grew more skeptical of the caller’s authenticity and didn’t comply.
I can understand it. You’ve just successfully ripped off what could conceivably be a company you’re in some way personally motivated to rob. Surely it can’t be this easy? The urge to go back for seconds is irresistible. In your haste, you click the wrong country code in Google Voice. Drat!
I’m going to channel Neil McCauley and say, maybe there are no real victims here? Both companies were undoubtedly insured against this sort of cyber crime. Making the news as the first hacker to use voice software in a heist - that’s immortality, baby!
Calendar Phishing
The latest phishing scam doesn’t involve fake bank password reset emails or shady text messages. It takes advantage of a security hole in Google Calendar and puts the links straight into your notifications. I’ve actually received a couple of these, before I figured out how to turn it off:
Open Google Calendar's settings on a desktop browser and go to Event Settings > Automatically Add Invitations, and then select the option "No, only show invitations to which I've responded." Also, under View Options, make sure that "Show declined events" is unchecked, so malicious events don't haunt you even after you decline them.
Annoyingly, you can’t do this via your phone, and it is unclear when Google will patch it, or whether they will at all. I can’t wrap my head around why developers would build in an auto-accept feature to a calendar and turn it on by default. Which awful boss at Google greenlit this feature? What kind of person wants more things on their calendar?
What’s Next?
First off, I’d like to give everyone who read this far in my inaugural posting a big “Thank You!” I am excited about this experiment, and hope some of you will join me for the journey. You can sign up to receive this highly scamformative newsletter in your e-mail inbox, or read it on Substack, where it will be preserved for posterity, or until their VC funding runs out and they pivot to podcasts.
I may play around with the format of the posts - I’d like to periodically dive deeper into a big and wide-ranging story, or explore behavioral studies examining why people fall for scams, grifts, and cons - but all feedback is welcome. I mean that!
You can email me at scammerdarkly@gmail.com with any thoughts, withering criticism, or - most importantly - tips and stories about scams you find interesting. See you next week!