MARK RIEPE: I'm Mark Riepe. I head up the Schwab Center for Financial Research, and this is Financial Decoder, an original podcast from Charles Schwab. It's a show about financial decision-making and the cognitive and emotional biases that can cloud our judgment.
The production team noticed that there's been an uptick in coverage about cyber scams recently, so we wanted to address that. Unless you live completely off the grid, in which case you're probably not listening to this right now anyway, you're a potential victim. So it's important to learn about this topic.
Cybercriminals are more advanced than ever. They leverage the latest technology and use psychology to exploit their targets. And even the financially savvy among us are not immune. Here are some statistics.
In 2023, cybercrime cost victims $12.5 billion[1]. That's up 21% from 2022 and more than 198% from 2020. This has become a bigger issue because criminals have more methods at their fingertips like AI, hacked passwords, and the dark web. They're also using more soft skills to lure their victims. They research their targets and identify vulnerabilities. They look for people who are isolated, romantically lonely, or cognitively impaired, to name a few.
To get an expert's opinion, we reached out to Lisa Lang. Lisa is a senior manager with the Financial Crimes Awareness Team at Schwab. Her most recent role at Schwab was as a financial crimes investigator for approximately six years, during which some of her cases resulted in criminal actions involving prison sentences, regulatory fines, and censures for the offenders. On top of holding multiple FINRA licenses and an MBA, Lisa is a Certified Fraud Examiner and a member of the International Association of Financial Crimes Investigators.
LISA LANG: Cyber fraud has evolved pretty significantly, certainly in the past eight to ten years. It used to be that fraudsters would be in a basement designing their own coding, creating their own malicious software, and that's just no longer the case. Fraudsters can very easily go onto the dark web and purchase malicious software. They can purchase email addresses and phone numbers very easily and pretty much be up and running within a couple of hours and also get tips and tricks from the dark web.
MARK: As I mention in the intro to every episode, this podcast looks at psychological biases, and so do cyber criminals.
LISA: The tactics are moving towards more of a scam-based interaction where they can prey on people's fears, they can pull on people's heartstrings to get them to engage in discussions and then actively manipulate them.
MARK: First is the overconfidence bias. This bias is the one where we think we know more than we do. Basically, if you think you're too smart to be scammed, the overconfidence bias makes you vulnerable because you may not take the necessary precautions.
The second that they use against you is the authority bias. This one is where we tend to attribute greater accuracy to the opinion of an authority figure. We tend to trust an authority figure such as a financial institution. Scammers impersonate them and convince their victims to hand over money and sensitive information.
The third is the scarcity bias. This is where we believe that something we want or value is in short supply. Scammers pressure their victims with time-sensitive offers. The goal is to make the victim make a quick decision without researching or thoroughly questioning the situation.
Finally, number four is the reciprocity bias. This is where someone gives you something for free. We then feel obligated to give them something in return. For cyber criminals that something is often personal information. That's not an exhaustive list by any means, but those four are good to keep in mind.
LISA: Fraudsters know that financial institutions are running algorithms and logarithms to look for things like suspicious logins or suspicious or out-of-pattern transactions. So they are more and more often contacting victims to try to get them, essentially, to do their dirty work for them.
MARK: Now here are some specific examples to see how this can play out in practice. A frequent situation is fraudulent tech support. It goes like this.
LISA: So fraudulent tech support really is concerning because organizations like Google and Microsoft are being impersonated, but also financial institution personnel are being impersonated.
So for example, I may receive a text message on my cell phone that appears to be with a financial institution that I do business with. It may say that there's a fraud alert on my account, or there is some concerning activity, and I should call someone back or click on a link.
When I do those things, I'm then engaging with someone that I don't know that is a fraudster, who's going to try to access my computer remotely. They may ask me to get into my financial accounts. Meanwhile, they're capturing my keystrokes with my user IDs and passwords. They may be running sessions in the background that I can't see where they're moving money out of my accounts.
MARK: So how do you fight this? First of all, never ever give remote access to someone who contacted you. Second, never call the phone number they give you. A legit firm is likely to have a publicly listed phone number from an official company website. And third, be skeptical of tech support that you didn't ask for.
A second major fraud is called SIM swapping. SIM stands for Subscriber Identity Module. It's the memory chip in your phone, tablet, or smartwatch. It stores your contacts, texts, and more. With SIM swapping or hijacking, the cyber criminal uses phishing or other trickery to get access to your SIM. They might also be able to buy it on the dark web.
They then pretend that they are you. They contact your mobile carrier, say your phone is lost or damaged, and ask that your number be reassigned to a new SIM card.
LISA: The reason that fraudsters do this is because they know that financial institutions rely on things like confirmation codes. So if I were to log into my account, I want to send a wire. That process is then going to send me a confirmation code that I have to enter before that wire is confirmed. So if a fraudster can get control of my cell phone, they can get into my financial account. They can get in and send money.
MARK: Then they reset the passwords for banking, email, social media, and your other online accounts. It can take months to rectify the damage and regain control of your accounts and your identity.
LISA: The frightening part about SIM swapping is that people generally don't know when it's occurred. So they all of a sudden are not getting as many text messages or phone calls as they typically do, and they just think it's kind of odd until perhaps someone reaches out to them and suggests in another communication method that there's something going on with their cell phone.
MARK: Here are some steps to take that will help. If your phone stops working, contact your carrier immediately. This is a sign your number has been reassigned to another SIM. If you want to be proactive, ask your mobile carrier about SIM card protection. This usually involves getting a password or a PIN. Scammers hate this because they can't make changes to your account.
OK, here's another scam that's in the news lately because it preys upon victims of natural disasters.
As I record this, people are still dealing with the aftermath of the devastating fires in Los Angeles, but fires are just one type of natural disaster. Hurricanes, floods, tornadoes, earthquakes, blizzards, droughts, those are just a few examples of the disasters that can set the stage for crooks to prey upon people who are already victims.
Criminals set up fake charities and collect donations, preying upon our desire to help those in need. Scammers will pose as contractors and demand payment upfront for their work and then never complete the work. Then there are the government relief scams. Scammers pretend they're government officials, then say that they need personal information about you or payments to process aid requests.
To protect yourself, be sure to verify the credentials of anyone who asks for personal information or money. This applies if you're a victim of a natural disaster or if you want to make a donation to a charitable organization.
LISA: So I would say if someone finds themselves to be the victim of a scam, they should first and foremost also not be ashamed or embarrassed to report the activity. You would be surprised the people that fall for scam activity.
I've known personally lawyers and MBAs and people who are executives of firms who work in financial institutions who you would think would not be subject to this kind of activity. It is across the board, and while our older population is largely targets for this type of information due to their accumulated wealth and potential for onset of diminished capacity, all age groups, demographics, and genders are really targets at this point.
So for example, we are seeing romance scam victims as young as 19 years old at this point. And individuals in their 30s and 40s are becoming victims of investment scams involving exceptionally large losses.
So this is an everyone problem. And we need everyone to really start shifting that mindset to not respond to unsolicited contact.
MARK: This has been a grim episode. Ignoring the risk won't make it go away. Always be skeptical when you get an unsolicited communication. Always enable multi-factor authentication. Use strong, unique passwords. Stay educated on scam practices. And if you're feeling pressured to act quickly, just stop. Nothing is ever that urgent.
LISA: And if it really is something that someone is interested in, take five minutes and do some research. Contact someone that you trust who might not be in that emotional state of mind when you're initially contacted to get a second opinion. Whether that's your financial consultant, whether that's a family member or a friend or someone that's not directly involved in those discussions.
MARK: And finally, be careful about what you put on social media.
LISA: Take a good look at how much information you're sharing online, not only about yourselves but about people that you know because that can often be an entry for a fraudster to do research on you as well as your friends and family members to potentially scam them as well.
We really need to move about the world with the sense that your information is out there and the best way to protect yourself is to be aware of not engaging in unsolicited contact, and also setting up methods to make you aware if there's something questionable going on.
Blocking your credit so people can't open new accounts or new credit cards or take out lines of credit in your name because a credit check is required, but if your credit is blocked then people won't be able to run your credit, or setting up account alerts where your financial institutions will notify you if there's a transaction in your account that you don't recognize.
Or even they'll notify you if your e-mail address was changed or your phone number was changed—things like that where you can be notified of something that's happening and get on top of it relatively quickly.
Really, at the end of the day, it needs to be a partnership between potential victims and their financial institutions to engage in as many preventative and awareness methodologies as possible across the board.
MARK: If you want to learn more, we also have some resources on Schwab.com, which we'll list in the show notes. And if you want to go to Schwab.com right now, feel free to do so and search for the term "fraud prevention." The IRS website and the SEC also have information on identity theft, phishing, and tax scams.
That's it for this mini-sode. Thanks for listening. I'll be back in a couple of weeks with another show. In the meantime, if you'd like to hear more from me, you can follow me on my LinkedIn page or at X @MarkRiepe. That's M-A-R-K-R-I-E-P-E.
And if you like the show, we'd be grateful for a rating or review on Apple Podcasts or comment on the show if you listen to it via Spotify. We always like new listeners. And if you know someone who might like the show, please tell them about it and how they can follow us for free in their favorite podcasting app. Personal recommendations are especially effective.
For important disclosures, see the show notes and schwab.com/FinancialDecoder.
[1] Internet Crime Report 2023, Federal Bureau of Investigation Internet Crime Complaint Center (IC3), 04/04/2024.