The Language Of Cybercrime | Connecticut Public Radio
WNPR

The Language Of Cybercrime

Nov 18, 2019
Originally published on November 19, 2019 8:21 am

Scammers are always looking for more effective words. Most Americans have learned to be on their guard, and they're likely to suspect an overly aggressive phishing phone call from a fake credit card customer service agent speaking accented English.

One solution is digitized voices. There's still a live person on the other end of the call, but he isn't talking. Instead, he's playing audio from a computer, picking prerecorded phrases from a menu as the conversation progresses.

It sounds convincing until you ask a question he doesn't have a canned response for. The resulting hesitations undermine the natural feel of the conversation.

Online scammers use a similar technique. When texting or emailing their marks, they often work from "scripts" of prewritten American English boilerplate. The most effective conversational gambits are saved and distributed to other scammers in the network, and they cut-and-paste the scripts into their grifts at crucial moments.

Ronnie Tokazowski, a senior threat researcher with email security company Agari, has been watching scammers building their scripts.

"Some of the scripts will say, 'If your victim doubts you here, say this,' " Tokazowski says. "We've seen upwards of 28 levels of engagement before your scammer has to work to come up with something [to say]."

He has also been in a position to intercept real conversations as scammers use their scripts on victims. He shared this one with NPR:

Don't see the graphic above? Click here.

In this romance scam, the bits of prepared script appear in a slightly different font, apparently because the scammer didn't take the time to strip out the formatting as he copied-and-pasted from his script. "I dropped a tear in the ocean, the day that I find it is the day I'll stop loving you," cloying as it seems, may have already worked on somebody else.

Tokazowski suspects the scammer was grooming this victim to become part of a larger cybercrime network, perhaps as a "money mule" — people who set up bank accounts to launder money scammed from other victims. But a few weeks later, things took a grim turn.

Don't see the graphic above? Click here.

"Whenever we find victims like this, we try to pass it over to law enforcement as quickly as we can," Tokazowski says. Unfortunately, in this exchange, he says, Agari didn't have enough information to identify the victim or find out how the scam ended. But he says the fact that the victim apparently attempted suicide, then kept talking to the scammer, illustrates the power of these scripts to get inside people's heads.

"People think [scam victims] are a dumb person who doesn't have the education to tell the difference between one thing or another," he says. "But they're hitting them on an even deeper emotional level than we currently understand right now."

Experts say scammers often seek to present themselves as their victims' best ally. Take this email, written by thieves who this year hacked multiple online accounts belonging to a businessman named Gregg Bennett. They made off with half a million dollars' worth of his bitcoin but were frustrated that they hadn't managed to get more. So still in control of some of his online accounts, they offered their hand in friendly extortion:

Don't see the graphic above? Click here.

Bennett ignored them and avoided further losses. But he still has to laugh at the gall of that helpful-sounding subject line.

Copyright 2019 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

Romance scams are the type of cybercrimes most people are sure they would never fall for. But the FBI says victims reported losing $211 million in 2017. And last year, losses jumped to over $350 million. As NPR's Martin Kaste reports, the scammers have turned manipulating people into a science.

MARTIN KASTE, BYLINE: It's an old grift - older than the Internet. You make a long-distance love connection, but soon you're being asked for money. To understand why it still works, it helps to talk to a victim.

TEXAS MOM: Hi, I'm a single, working mom in Texas.

KASTE: And for our purposes here today, that's what we're going to call her - Texas Mom. Few people in her life know this story, and she wants to keep it that way. It started about three years ago, after her divorce, when she tried online dating. She found a match, a guy with a nice picture and an Austin area code. There was just one thing.

TEXAS MOM: Before I ever spoke to him, he said, well, I have an accent. And I'm like, well, you know, that's OK. And then he told me, you know, the Italian story.

KASTE: He said he'd grown up in Milan. And she could look past the accent, given the way he talked to her.

TEXAS MOM: Just very complimentary, understanding and someone who had a real interest in me, which was new to me.

KASTE: Now, it's important to point out here that Texas Mom knew very well that this could be fake. She was a little suspicious when a job took him out of the country right before they could meet. And her suspicion grew. And he contacted her from South Africa. He said he'd been hacked, couldn't get access to his money and had an emergency expense at work. Could she help him?

TEXAS MOM: I started crying, and I said to him, I've heard stories about scammers. And he's like, oh, no, no, no. Forget it. Forget I even asked. And he really tried to make me feel better, but I was very upset.

KASTE: And yet she didn't cut things off. She eventually sent him money - again and again. He had unexpected travel expenses. He was being fined by abusive government officials. It was one thing after another.

TEXAS MOM: It's that gambling scenario. It's like, OK, now, if I give him a little bit more, I can get that back. That's what you keep telling yourself, and that's what he keeps telling you.

JOHN WILSON: It's hard to comprehend. And yet, when she explains it, it starts to make sense as to how somebody could fall for this.

KASTE: John Wilson is field chief technology officer with Agari, a cybersecurity company. And he's impressed by the amount of research that goes into these romance scams.

WILSON: The folks that get roped into these things are very carefully selected. They know, demographically, the people that are going to be most susceptible. They have these playbooks that we've seen.

KASTE: The playbooks are scripts, conversational gambits for a variety of situations that might come up in conversations with victims, which scammers have refined over time. When a certain kind of sweet talk works, they make a note of it and share it in their network. Looking back, Texas Mom seems almost fascinated by what happened to her.

TEXAS MOM: You know, the best way I could describe it is that you have two brains when you have this excitement or these feelings of love or passion - because you know it's wrong, and you've read stories about it, and people are telling you. You would tell your best friend, you're crazy, don't do it. But then, you do it.

KASTE: And there's another piece to this manipulation. The victims start to lie to friends and family to cover what's happening. They start to participate in the deception. Texas Mom remembers how she went from bank to bank, borrowing money to send to South Africa. One of the bank's suspected she was being conned and made her talk to a fraud investigator.

TEXAS MOM: The fraud investigator on the phone said I would strongly advise you not to do this. And I sat there and I said, OK, I won't do it. And they're like, OK. Wow, you're really smart. And then I went somewhere else and did it.

KASTE: And when the victims start covering for the scammers like this, there's a danger that they'll take the next step and become accomplices.

NOWELL AGENT: We have found several individuals who started off with a romance scam.

KASTE: This is the FBI supervisory special agent in charge of the criminal cyber squad in Houston. His name is Nowell Agent (ph).

AGENT: So Agent is my last name.

KASTE: Which makes him special agent Agent - just to get that distracting detail out of the way. Anyway, Agent spends a lot of time tracking cybercrime networks. And that often means tracking money mules. Those are the people here in the U.S. who set up American bank accounts for foreign scammers. Basically, they're helping them to move money stolen from other Americans. Agent says, sometimes, the accounts are owned by victims of romance scams, who take a chance doing this to try to get back some of the money they lost.

AGENT: They're going to get a percentage of the money that goes through their account. So even though they were suspicious, and even though they felt that there was something malicious going on, they were also making money.

KASTE: Other times, the romance scam victims are blackmailed into being money mules. Here's John Wilson, again, with Agari.

WILSON: Very often, the victim has perhaps sent compromising photographs, may have moved money once or twice or something. When they say they want to get out, that's when they may be reminded, hey, I have pictures of you. You moved this money through your bank account. You're part of this now.

KASTE: But in the case of Texas Mom, this did not happen. She bucked the trend and never became a money mule. Instead, she got a warning. Late last year, Wilson's company, Agari, was investigating a gang of scammers based in South Africa. And they saw that the gang was talking to a woman in Texas. Wilson says they had to step in.

WILSON: You know, we took a big risk. There was a very good chance that this woman was simply going to tell her, quote-unquote, "boyfriend," hey, I got this really weird call today. There's this company that thinks you're so-and-so. And, you know, what do you make of that?

KASTE: But Texas Mom believed them. She says these strangers - these cybersecurity guys provided the confirmation that she needed.

TEXAS MOM: I had to know that they were a scammer. And this was finally the evidence that proved that to me.

KASTE: And then, a rarity in these cases, some justice was done. Agari connected her with the Secret Service, which alerted the South African authorities, and they set up a sting. She sent her fake boyfriend one last loan, and the police there arrested a group of Nigerians as they picked up the money. Still, the damage was done. All told, she says she sent her fictional friend nearly half a million dollars.

TEXAS MOM: The person really did break my heart because I believed everything that they told me. I had to change the way I thought about myself.

KASTE: The money's probably not recoverable, and she's mired in debt. Uncomfortable as it is for her to talk about what happened, she decided she should because she figures other people are being conned right now with the same playbook. And they're probably also hiding the truth from themselves and others the same way she did. Martin Kaste, NPR News.

SOUNDBITE OF DJ KRUSH'S "DUST TRAIL") Transcript provided by NPR, Copyright NPR.