We’re in the thick of the spookiest of seasons. Halloween carries the playful spirit of trickery and retribution! Getting swept up in the sport of getting even – whether on October 31st or online – can go too far. A house on the block didn’t pass out candy? Out come the eggs and toilet paper! Catch a con artist in action in your inbox? Reply with an infected file.

While retribution is tempting, it always comes with dangers that far outweigh any satisfaction revenge will bring – both legal and otherwise.

Once you know how to spot a scammer, it can be tempting to turn the tables and con the artist. However, before you take this step, you may want to be aware of the possible consequences of vigilante justice.

Recently, Florian Lukavsky, director of application security services at SEC, turned the tables on a whaler and, drawing on his own technical expertise and coordinating with local law enforcement, succeeded. Whaling is a close relative of phishing: targets are conned into wiring money or divulging personal information through email from a seemingly legitimate but slightly off source. Whalers target business executives with direct access to company funds. A whaler will pose as a CEO or high-level board member and request that money be wired to a fraudulent account to pay an invoice that does not exist. Over the past three years, the FBI reports, the prevalence of whaling has risen 270%, with these con artists amassing $2.3 billion from their scams.
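The "slightly off source" is the part a defender can check mechanically. The following Python is an added example written for this post; it is not code from SEC, from Lukavsky, or from the original article. It scores an email's headers for three common whaling tells: a sender domain that is a near match of the company's real domain, an executive's display name on an address that is not the one in the directory, and a Reply-To that sends replies somewhere other than the apparent sender. The trusted domain, the executive directory, the edit-distance threshold and the sample messages are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"  # assumption: the company's real mail domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumption: directory of senior staff
LOOKALIKE_MAX_DISTANCE = 2  # assumption: how close a domain must be to count as a look-alike


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value: str) -> tuple[str, str, str]:
    """Return (display name, full address, domain), all lower-cased, for a From/Reply-To header."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def whaling_indicators(headers: dict) -> list[str]:
    """Return a list of human-readable findings; an empty list means no tell was found."""
    findings = []
    from_name, from_addr, from_dom = split_address(headers.get("From", ""))
    _, _, reply_dom = split_address(headers.get("Reply-To", ""))

    # 1. Sender domain is close to, but not equal to, the trusted domain (e.g. a swapped character).
    if from_dom and from_dom != TRUSTED_DOMAIN and levenshtein(from_dom, TRUSTED_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        findings.append(f"look-alike sender domain {from_dom!r} resembles {TRUSTED_DOMAIN!r}")

    # 2. An executive's display name sits on an address that is not the directory address.
    if from_name in EXECUTIVES and from_addr != EXECUTIVES[from_name]:
        findings.append(f"display name {from_name!r} does not match directory address {EXECUTIVES[from_name]!r}")

    # 3. Reply-To diverts replies away from the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 4. Payment or urgency language in the subject, typical of a fake-invoice request.
    subject = headers.get("Subject", "").lower()
    if any(word in subject for word in ("wire", "urgent", "invoice")):
        findings.append("subject uses payment/urgency language")

    return findings


# Constructed sample headers: one legitimate message and two whaling-style messages.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "", "Subject": "Q3 board deck"},
    {"From": "Jane Doe <jane.doe@examp1e-corp.com>", "Reply-To": "", "Subject": "URGENT: wire for vendor invoice"},
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "ceo-office@mail-example.net", "Subject": "Invoice payment"},
]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", whaling_indicators(msg) or "no indicators")
```

The checks are deliberately header-only so they can run in a mail gateway or a mailbox rule before anyone reads the body; none of them proves fraud on its own, which is why the function returns every finding rather than a single verdict. Any message that trips the look-alike or Reply-To check should be confirmed with the named executive out of band, by phone or in person, never by replying to the email.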

When a whaler targeted Lukavsky, he responded with an infected PDF, which he claimed was a transaction confirmation. The PDF contained malware that harvested personal information, including billing information, social media handles, and the Windows credentials of the scammer’s computer, which Lukavsky passed along to the police he was working with.

There are two reasons why Lukavsky’s counter-sting worked:

  1. He’s a software expert.
  2. He worked directly with law enforcement.

Let’s take a look at how this situation would have unfolded if one or both of these two factors were not in play.

What if Lukavsky had sent an infected PDF to the scammer’s computer without working with law enforcement? He would be guilty of committing a serious crime. Altering another person’s computer in any way, or gaining access to someone else’s machine, is a crime, even if the person whose computer you infected was trying to do the same to you. In the United Kingdom, the Computer Misuse Act forbids securing unauthorized access to another person’s machine. In the United States, the Computer Fraud and Abuse Act functions in the same way. You could actually find yourself charged with the same crime you avoided being the victim of by turning the tables on a con artist. At the same time, scammers are aware that this might happen, and for this reason they often conduct their crimes through the computers of others they have successfully conned. As in other forms of vigilante justice, innocent users get caught in the crossfire.

Beyond running into legal trouble and endangering the computers of innocent bystanders, when you try to trick a con artist you run the risk of retribution. You’re dealing with a criminal who makes his or her living by harming others. This person knows enough about you to target you, and with just that much information, more can be uncovered. When you counterattack a con artist, you are attacking someone who has already targeted you, and you have no idea how much personal information they have about you, including your physical whereabouts. Your work or home address, places you frequent, or people you trust who could be impersonated to lure you into dangerous situations are all vital pieces of information a scammer may have access to. When you retaliate, you risk escalating the situation beyond your control.

So what can you do to deal with a con artist?

Revenge is a terrible idea. Instead, as soon as you suspect you’ve been approached by a scammer, break off contact immediately. There are also proactive measures you can take, such as posting a public service announcement or ad on Craigslist that calls out particular ads that are actually scams. If you are a member of a forum, group, or organization targeted by a scam, speak up. Share tips with your peers on social media, on forums, or in other ways about how to spot a scam. Education is the best form of defense. You can also always report a scam to law enforcement or an investigator.