Not all cybersecurity dangers come from hackers.
Some come from a man in Florida with fake Cisco network devices. Onur Aksoy, a.k.a. ‘Ron Aksoy’ or ‘Dave Durden,’ has been charged with importing fake networking devices from China and Hong Kong and selling them, according to the United States Department of Justice, “with counterfeit labels, stickers, boxes, documentation, and packaging that made the goods falsely appear to be new, genuine, and high-quality devices manufactured and authorized by Cisco Systems, Inc. (“Cisco”).” Aksoy got away with his scam for twelve years.
Our intention as cybersecurity professionals is to keep data, privacy, and livelihoods safe from harms that come through technology, and we generally focus on phishing attacks, malware, and ransomware. Aksoy serves as a reminder that phishing, smishing, and every other kind of scam come down to the same types of social engineering tactics. Researchers understand the serious nature of social engineering, and as an article in the Journal of Investigative Psychology and Offender Profiling notes, “One of the dangers of social engineering attacks is their harmless and legitimate appearance so that targets are unaware of being victimized.”[i] Good scammers understand how people work well enough to get them to do what they want…and how to use technology to their benefit. Unfortunately, Aksoy’s victims couldn’t see through his illusion. The Department of Justice says some of those who fell for his scam were “hospitals, schools, government agencies, and the military.” While Aksoy used commonly visited websites like Amazon and eBay to make millions off his unsuspecting buyers, other scammers will use an expertly cloned fake login page, your telephone number, or a well-placed email to their benefit.
With that in mind, here are five tips to help you identify a scam:
1. Just because it looks “harmless and legitimate” doesn’t mean it is. Scammers make websites look similar to brands you know and trust. To keep an eye out for scam sites, watch the address bar (URL) at the top and see if anything is misspelled.
2. If you get directed to the website of a company that you have not heard of (or are looking to buy from a company via Amazon or eBay), search for that company separately and look for reviews to help determine whether it is a scam or not.
3. If someone contacts you asking for personal information, it is most likely a scam.
4. If declining to give information makes the sender (or person on the other end of the line) angry or frustrated, that’s a red flag. They may even threaten that withholding information will get you in trouble. The reality is that your employers, your bank, and the IRS are aware of the danger of scammers and would rather you be safe than sorry.
5. When in doubt, independently verify the source of the message (whether received by phone or email) by going directly to the company’s website or calling a highly publicized customer service number.
Trust is a valuable resource—don’t give out information, buy the product, or share the code unless you are 100% sure they are who they say they are. And don’t buy any products from Onur Aksoy, Ron Aksoy, or Dave Durden. They are cheap frauds.
[i] Bullée, J. W. H., Montoya, L., Pieters, W., Junger, M., & Hartel, P. H. (2018). On the anatomy of social engineering attacks: A literature-based dissection of successful attacks. Journal of Investigative Psychology and Offender Profiling, 15(1), 20-45. https://doi.org/10.1002/jip.1482