Census Scams and ‘Grandparent Scams’

Not all phishing is by email – indeed, when it spills over into social engineering by phone, it’s often referred to as vishing (voice phishing).

And, as Benjamin Franklin might have said had he lived a couple of centuries later than he did, nothing is certain but death, taxes, and phone scams. I’ve talked here about tech support scams many, many times, of course – and unfortunately will certainly see a need to do so again – but there are other scams around, less publicized but no less persistent. One I hadn’t been aware of – well, I don’t spend all my waking hours scamwatching – is the census scam described by Sid Kirchheimer in an article titled ‘Census Scams: Hard to Detect, Easy for Fraudsters’. The scam described involves a phishing email that directs potential victims to a web site that purports to collect data for the yearly American Community Survey.

The US Census Bureau describes the ACS as ‘…a mandatory, ongoing statistical survey that samples a small percentage of the population every year — giving communities the information they need to plan investments and services.’ Kirchheimer tells us that it does ask ‘very personal questions about your income, where you work and how you get there…’ However, it appears that scammers have taken the opportunity to push the envelope:

…when a Missouri couple recently received a mailing supposedly sent by the Census Bureau directing them to a website to complete an ACS, they became suspicious based on some of the questions: “How much money is in your bank account?” “When do you leave for work?” “What time do you get home?”

Clever: based on questions that the ACS really asks, but fishing for information that the ACS wouldn’t need and that might be very useful to a criminal. Fortunately, in this case, the couple recognized that the ‘survey’ had crossed a line, and stopped answering. And when they received a phone call demanding that they complete the survey or face a jail sentence, they called the police. (There are circumstances under which you might be fined for not responding to a Census information request or for giving false information, but that’s a little different.)

Well, responding to the survey is mandatory, in accordance with Title 18 U.S.C. Section 3571 and Section 3559 and Title 13 U.S.C. Section 221. But completing it online isn’t: indeed, this episode makes it very clear that you shouldn’t be completing online surveys or acceding to instructions from telephone callers unless you’ve verified that the site or caller is the Real Deal. According to the Census Bureau:

If someone has contacted you about the American Community Survey and you’d like to verify that the phone call or visit is legitimate, you can call your Census Regional office. You can find contact information for your regional office at http://www.census.gov/regions/.

This isn’t, in fact, the only survey conducted by the Census Bureau: it does conduct a full-scale census more or less equivalent to the UK’s 10-yearly Census, which is also mandatory. The next US Census is due in 2020, and the next UK Census is due in 2021, though scams relating to the 2011 Census were noted even after the Census was completed. It probably isn’t particularly useful to try to predict in detail what scams might attach themselves to either at this point. However, the UK Statistics Authority agreed last month (January 2015) to implement the Beyond 2011 Programme’s recommendations to continue with a decennial Census, but to conduct it primarily online. That might make some people a little nervous – does it mean that the Census will become less secure? – but in fact phishers and 419-ers make frequent use of fake sites claiming to be an online facility that doesn’t exist, so the risk doesn’t necessarily increase. The challenge will be to implement a suitably secure yet easily-accessible online mechanism, but also to ensure that everyone required to complete the Census is fully aware of the safe way in which to do so, so that they aren’t in danger of falling for scams like the one described above.

Londoning is a scam I’ve talked about here several times in the past: here’s a brief summary that I’ve used before, abstracted from a longer account.

Someone, apparently someone you know (a friend or a family member) contacts you to tell you that they’ve been stranded without money abroad somewhere, usually after being mugged at gunpoint. At one time, Americans were frequently being contacted in this way by friends or relatives apparently in London, which is why the scam is sometimes referred to as Londoning or The London Scam, though potential victims in the UK were more likely to hear that the mugging victim was somewhere more exotic, like Lagos. And, of course, they need you to send them some money.

However, the scam isn’t always email-borne, and it sometimes seems to be very specifically targeting older people, to the point that it’s sometimes known as the Grandma scam, though I’m not sure that Grandmas are more susceptible to it than Grandpas. And it seems to be very commonly reported in the US. Sometimes the caller claims to be the grandchild: you’d think that it would be difficult for a scammer to maintain the pretence of being someone the victim knows well, but in one example I came across, it was reported that a mother was told by her ‘son’ that he had been in an accident, and thought that his injuries accounted for the fact that he didn’t sound like ‘himself’.

In other reports, the caller claims to be a doctor or hospital official or policeman, telling the victim that they need to make a wire transfer to pay medical fees or a fine on behalf of his or her relative. In such cases, the scammer will usually stress that the money must be transferred urgently (they love Western Union transfers to countries where US law enforcement has little influence…), presumably in the hope of preventing the victim from trying to contact their relative through other means – such as a known-to-be-authentic phone number – before the money has made its one-way trip.

It is, of course, all too common for scammers of all sorts to persuade victims to commit without giving them time to think about what they’re doing. Sometimes they use the carrot approach: “this great offer is strictly time-limited…” In other contexts, this is known as salesmanship. ;)

Sometimes, however, they use the stick, threatening some dire consequence such as jail, financial disaster, or a computer meltdown.

There are two important rules of thumb you can apply which will help you recognize scams like the ones cited above.

  • It’s harder to ‘spoof’ on the telephone than it is on email, where a determined scammer can convince an unwary victim that he’s anyone he likes, mailing from anywhere he likes. But spoofing is clearly possible. After all, we expect a caller’s voice to be distorted, while it’s all too easy to claim to be someone else calling on behalf of someone who can’t be brought to the phone. I don’t mean to suggest that you should ask for a password every time your son or daughter rings to say hello. But if the caller is asking for money or for personal and financial information, perhaps you should be more sceptical. If the caller claims to be calling on behalf of a friend or relative, there is bound to be some way in which you can check their claim (for instance by trying to contact them directly). Watch out, also, for a caller suggesting ways in which you can validate their claims – for instance, by ringing a number that they will give you – which don’t really prove anything at all.
  • Just because someone says he can have you jailed or sanctioned in some other way – like the tech support scammer who says he’ll cut off your internet access if you don’t let him onto your PC – it doesn’t mean he really can, especially if you have no proof that he’s the person he claims to be. And if he is in some such position of authority, he should certainly be aware of (and accommodate) your need to validate his claims. Of course, not everyone in authority is scrupulous about not abusing their position.

Fortunately, not all seniors are the gullible idiots that most scammers and all too many young people assume them to be. But every time someone is victimized because their being in some way vulnerable is used to justify making them a victim – whether it’s of fraud, violence, or just ridicule – everyone’s humanity is diminished.

David “Now where did I put my pension book?” Harley 

Author David Harley, ESET

Copyright © 2016 ESET, All Rights Reserved.