Anatomy of a Scam

Bottom Line Up Front

For all the myriad ways a scam can be dressed up and presented - from simple Nigerian Prince emails to complex investor schemes - the vast majority of them are ultimately designed to achieve only one of three goals: trick you into sending them money; trick you into sending them enough information for them to take your money; or trick you into giving them login credentials to online accounts. Knowing and understanding these goals makes it significantly easier to identify scams, and avoid falling victim to them.

Overview

For as long as money has existed in any form, there have been people trying to obtain it dishonestly. Even in ancient Greek times, there are records of tax collectors weighing household grain to be taxed on rigged scales, fooling families into overpaying taxes, the excess of which went into the collector's pocket. As financial systems have grown and evolved over the centuries, so too have the methods and techniques used by scammers to exploit those systems. It should come as no surprise, then, that the rise in popularity of cryptocurrencies and DeFi has led to a massive rise in fraud and financial crime.

Last year, consumers lost an estimated $5.8 billion USD to fraud, not including additional losses from identity theft. Crypto and DeFi investors fared significantly worse, losing an estimated $14 billion USD to various fraud schemes. Losses in both categories rose nearly 70% from the previous year, highlighting the speed of innovation among scammers. So, what can you do to protect yourself from falling victim to what is essentially a $21 billion industry? Start by understanding what scammers want.

Three Objectives of a Scam

For all of the different ways a scam can be presented, and for all of the different attack vectors a scammer can use, with very few exceptions they will have only one of three objectives:

  1. Trick you into sending them money
  2. Trick you into sending them enough information that they can take your money
  3. Trick you into sending them credentials to your online accounts, especially email and social media accounts

The core objective in each of these, and even in the rare exceptions, is clear: to trick you into giving them money, or information (including usernames, passwords, and seed phrases) that they can ultimately monetize. While these goals may seem obvious, scammers often do a good job of burying their objectives within compelling narratives. Let’s explore some examples.

Send Me Money

This goal is pretty straightforward: the scammer, through one means or another, wants you to send them money. Sometimes, the ask is pretty blunt (despite the source - more on that later):

Send me money and I'll send you double back. Sounds legit...

Other times, things are a bit more subtle:

These are text messages from a scammer I was leading on. He had slid into my DMs saying that he wanted to help me out financially. His offer was an interesting one: he’d send me his bank account information, from which I was supposed to withdraw enough money to pay off my (supposed) credit card debt, plus an additional amount to donate to a few charities he recommended. On the surface, this seemed to flip the usual script. After all, he was giving me money first, right? Well, not exactly.

The bank account info he sent was for a small carpentry business in Oregon. I reached out to the business shortly after receiving the texts, and they (unsurprisingly) had no knowledge of any charitable outreach by the owner. So, what was happening?

As it turns out, the bank account information for this small company had been somehow stolen by the scammer. Rather than draining funds himself, he decided to try to get someone else to do it for him. The scammer wanted me to drain funds from the bank account, use some on myself, and send the remainder to him via his “recommended charities”. If I did so and a criminal investigation was launched, I would be the one on the hook for theft and wire fraud, while the scammer would be long gone.

Despite all the hoops and altruistic narratives baked into this scam, at its core the goal was simple: trick the victim into sending the scammer money. Everything else was icing on the cake.

Send Me Info So I Can Take Your Money

Ok Twitter users, time for a little experiment. Regardless of how many or few followers you have, send a tweet with the words “Metamask” and/or “Trustwallet” in it, and see who replies. No need to hashtag anything or @ any accounts, just a plain text tweet will suffice. Chances are, within a few seconds of sending the tweet, you’ll have numerous responses that look like this:

A slew of helpful people and seemingly official accounts sympathizing with your troubles, and urging you to put in a ticket with their “support teams”. So, what do these help tickets look like? For the most part, it’s exactly what you’d expect:

A form asking for an email address to contact you at, type of issue you’re having, and so forth. They even have official looking Metamask branding and language. But, once you get to the bottom of the form:

Ahh, there it is: “Enter the (12 or 24) seed words linked to the affected Metamask wallet”. The request is immediately followed by an assurance that the form is “secured by a Metamask encrypted cloud bot”, whatever that word salad is supposed to mean.

In the crypto world, seed phrases are the keys to the kingdom. With a seed phrase, a person has unlimited access to your wallet, and can transfer any and all funds out of your wallet with impunity. Giving someone the seed phrase to your wallet is equivalent to giving a person your house keys, car keys, driver's license, debit card, social security card, and passport all at once. That is to say, NEVER DO IT.

Outside of the crypto world, few things are as critically vulnerable to exploitation as a wallet’s seed phrase. But, there are other common pieces of information that scammers will target, including bank account information, social security numbers, and account passwords. Generally speaking, unless you are on a verifiably official website, never, under any circumstances, enter or share any sensitive information. If you receive an email or DM about some critical issue with your account (whatever account that may be), open a browser and navigate to the site yourself, rather than following a link in the message you received.

Let Me In To Your Account

This third goal is more of a supporting function to the first two. By gaining access to your email and social media accounts, a scammer can not only increase the reach of their scams, but improve the credibility of their delivery, which makes them more likely to succeed. Let me explain.

If I was a scammer, and I wanted to fire off a scam pitch to as many people as possible, I might randomly generate or pick a few thousand email addresses and social media account names to send my pitch to, and hope for the best. Basically, cast a wide net, and see what I catch. But, anyone that receives my message would have no clue who I was, and chances are my message would be scooped up by a slew of spam filters and therefore never be seen. So, how could I get around all that?

Well, one common way is to borrow credibility from someone else.

Imagine if a scammer gained access to your Twitter or email account. A random DM asking for money from a completely unknown person would more than likely be ignored, but if it was a DM from a close friend, or someone you follow? Well then, you might be more inclined to help them out.

Scammers prey on this implicit trust, and exploit compromised accounts to target their contacts and followers. This is also why popular social media accounts, especially unverified ones, often have dozens of impersonators:

This was the first of several pages

The Takeaway

After all is said and done, scammers want your money, and if you don’t give it to them directly they’ll find some other way to take it. Everything else is smoke and mirrors. Knowing and understanding this is your first line of defense. If a situation seems even the slightest bit off, ask yourself two simple questions:

  1. Who started the conversation: Did they email/DM/reply to me, or did I reach out first?
  2. Are they asking me to send money somewhere, or for any information that they could use to access my money?

If you were not the one to initiate things, be very cautious with any information you provide, or any links you are sent. Always keep potential motives in mind, and you’ll be ahead of the game.

Have a question, comment, tip, inside info, or anything else? Email KnowYourCrook@ProtonMail.com
