Cyber issues arise from irresponsible, negligent, intentionally harmful, or malicious online conduct. They can involve either people, businesses, or property. Here is a non-exhaustive list of common everyday cyber-threats.

Online fraud against a person or business includes credit card fraud, debt elimination, parcel courier email scheme, employment/business opportunities, escrow service fraud, identity theft, ransomware (extorsion), investment fraud, lotteries, phishing, spoofing, ponzi / pyramide schemes, reshipping, spam, third party receiver of funds and others.

Property crimes include cracking and hacking, DDOS attacks, malware, password theft, piggybacking, cybersquatting, wardriving and others.

 

 

Privacy and Security Breaches, Crimes Against a Person or Business

Identity Theft is a most flourishing online crime. It involves stealing someone’s personal information, such as Social Security Number, Mother’s maiden name, name of first pet, Street you grew up, etc., for the purpose of impersonating that person to make purchases, loans, claim a tax credit, etc. using the stolen credentials or worse to frame a person for a criminal act they didn’t commit.

The recent adoption of health pass applications facilitates identity theft, as it provides countless opportunities for everyday people (not law enforcement) to request to see anyone’s proof of vaccination and government issued ID under a variety of pretexts. Another means of obtaining personal information is for perpetrators to pose as public health officials, contacting individuals to book fake appointments for boosters over the phone or email. Personal information can also be extracted by hacking QR codes, while inoculation selfies posted on social media are an often overlooked vulnerability with severe consequences. As the New York Times puts it in their discussion on vaccine passport vulnerabilities “Identity theft is like a puzzle, made up of pieces of personal information,” and the most important piece of that puzzle is your date of birth, opening the door wide to uncovering several other pieces of the puzzle.

Identity Theft comes rarely alone. One set of data leads to another set of data to the point where a perpetrator can literally “copy” a person’s entire identity, lifestyle habits, and digital footprint for the purpose of committing fraud. The more a perpetrator knows about a person, the more they can tailor various types of fraud to that person, or incriminate a person for fraud committed by someone else. It is important to note that all these crimes are synergistically boosting one another. It begins with just a leak or one instance of wrongful appropriation of personal information and expands from there. ID fraud often implies one or a combination of the following (presented in alphabetical order).

• Auction Fraud or fraudulent selling, for example the Romanian Auction Fraud, a category of its kind where the seller appears to be a legit business from the US or Canada and creates a scenario where the buyer is asked to send money to a business associate or family member in Europe. The money is sent through Moneygram or Western Union which can be picked up anywhere in the world
• Credit Card Fraud represents the unauthorized use of someone’s credit card online. Recent data breaches and negligent leaks of customers’ personal information by financial institutions are contributing to this type of fraud.
• Debt Elimination involves websites advertising elimination of a person’s debt. The borrower fills out the application providing all their personal information and is asked by the debt elimination company to send a deposit for several thousands of dollars with the borrower’s application. In return, the debtor receives a fake “loan document” to present to their bank or mortgage company. The borrower will be cheated out of their deposit and still owe the money.
• Email Spoofing is the forgery of an email header so that a message appears to come from someone other than the true sender (called the spammer). The recipient is misled to think that the email is legitimate and from the true sender. Oftentimes, the email will include a virus or link to pornographic content.
• Employment Fraud targets users who publicly post their work experience, along with other sensitive and personal information on sites like LinkedIN, Monster, ZipRecruiter, Facebook, Indeed, Craigslist, Kijiji, or CareerBuilder. These sites are a favourite playground of cybercriminals posing as fake employers, because people feel safe giving away personal information for work. Here is a breakdown by the Edmonton Police Service of this popular scam and how to prevent it. In addition, the circulation of school transcripts and CV’s means candidates have little control over where their personal data ends up, exposing candidates to legal ramifications, as noted here by Law.com (a UK perspective). In our practice we have encountered issues with recruiters posing as law firms, to obtain personal information so they can later start billing candidates for unsolicited legal services. Others have asked candidates to pass psychometric exams administered by third parties in the USA that collect a fee to communicate the test-results to the potential employers. Vulnerable law students frequently often fall prey of such scams.
• Escrow Services Fraud is committed by individuals who usurp the names of well-known companies such as eBay, PayPal, Amazon.com, or Apple to convince consumers that their money will be protected, while requesting that consumers send money by unconventional methods. Here is a good overview by Minnesota’s Attorney General.
• Investment Fraud comes disguised as an offer using false of fraudulent claims to solicit investments or loans, or providing for the purchase, use, or trade of forged or counterfeit securities. One famous example of investment fraud was committed by Bernie Madoff. A recent investment fraud reported by the FBI’s Internet Crime Complaint Center (IC3) involves Standby Letters of Credit (SBLCs) where fraud actors are fabricating business and financial industry connections, and access to international commodities markets in order to sell fictitious SBLCs, which have resulted in significant financial loss to victims (see Ponzi)
• Lottery Fraud is a well-known scam beginning with an unsolicited email with a message a person has won or has been selected to receive money from an international lottery. The consumer is often asked to provide an array of personal information to collect the promised funds.
• Mystery Shopper Job Scams: If you have to pay an upfront fee to become a mystery shopper, that’s always a scam. Here is an overview by the US Federal Trade Commission.
• Nigerian Letter, also known as the West Africa Scam, is a spinoff from the lottery fraud, often called 419’s, which is a section of the Nigerian Civil Code that these schemes violate. With this scam, the perpetrator will send an email asking for the reader’s help to transfer money to Canada (or the US) promising a huge financial payout—if you pay some fees.
• Phishing (pronounced fishing) is a way to trick users into revealing personal or financial information through a fraudulent email message or website. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a link that can initiate installation of malware, or ransomware to take control over the user’s website, device, and/or mainframe. A phishing email or text message could direct the user to a banking website. In 2021 we saw a lot of phishing incidents of websites impersonating financial institutions like Desjardins or Toronto Dominion Trust, asking users to enter their account number and password.
• Ponzi and Pyramid Scheme. First, Ponzi is a type of Investment Fraud where a person promises a too-good-to-be-true return of an investment. Similarly, a Pyramid Scheme is an operation in which the operator takes money from one investor and uses a part of the proceeds to pay dividends to other investors, and keeps the remainder for personal use. Pyramid Schemes are perpetrated online and by email.
• Ransom Attacks, Online Extortion comes in many sizes and forms. The most common is a case where someone hacks into a company’s website or mainframe, and then refuses to give control back to the company unless a payment is made.
• Reshipping is akin to employment and business fraud and it picked up during the pandemic. It occurs when a person is offered at home employment and their job is to package and ship products to the employer overseas. Unknown to the supposed employee, the goods they are packaging and shipping were purchased with fraudulent credit cards, so they participate in shipping stolen merchandise.
• Shoulder Surfing is not an online fraud per se, as it implies the physical presence of a perpetrator literally looking over your shoulder to extract personal information, for example your pin number at an ATM machine or similar information if you do mobile banking on your phone.
• Skimming refers to the capturing and stealing personal payment information from credit cards through the use of a small skimming device designed to read a credit card’s microchip or magnetic strip information. The most inconspicuous way this happens is through electronic payment when touching/swiping a card in a physical location. Skimmers are devices that attach to point of sale devices (POS). They are used to capture credit card and bank information. Skimmers can also be placed on ATM machines.
• Spam is sending unsolicited email or messages to bulk email. however, spam can also be used to provoke attacks on company and government computers with viruses or botnets.
• Third Party Receiver of Funds resembles Reshipping. The scammer posts a a work from home opportunity that consists of posting payments for the company. The business has a fake client send the employee payment for his or their work. The checks are made out to the employee who directed to deposit the checks in their personal bank account less commission and then transfer the remainder overseas. The email receiving the transfer link is from a fake ID, often making the perpetrator untraceable.

Technology Facilitated Intimate Partner Violence

Cyber Stalking is a very common intimate cyberviolence and can qualify as criminal harassment under the Criminal Code in Canada. Like Revenge Porn, cyber stalking is commonly perpetrated by a former intimate partner, and can consist of the whole spectrum of cyber crime against a person or property (enumerated above and below) due to a privileged access to personal information in intimate relationships. The end of an intimate relationship is when the most damaging intimate partner violence begins, can last for decades, or quickly escalate and result in a femicide. Law enforcement however is just one ingredient in the solution to this problem. Data protection and encryption, counter-spying, anonymization, restriction of social media use, and entire lifestyle changes in how technology is used and accessed by victims are among the solutions to be seriously considered.

Revenge Porn is not widely recognized as a cyber crime, but it represents the most common type of intimate partner violence facilitated by technology, where a disgruntled ex (in 90% of cases a male) posts unauthorized photos, videos, or recordings of an ex-partner (almost exclusively woman or girl) for commercial or non-commercial purposes.

Eradicating this type of gender-based cyber-violence is our utmost priority in order to reduce the stigma that it produces on victims and society at large. We have over 10 years experience in takedown protocols, automated solutions, and tailor-made solutions, for the successful performing of massive takedowns of non consensual content on a global scale.

Smart House Tampering is a type of cyberviolence perpetrated by a sophisticated intimate partner against a less sophisticated one (for example a stay at home mom). This technique allows the perpetrator to control from a distance the electricity, lighting, heat, garage doors, sound system, surveillance system etc. of a smart house and make them malfunction at strategic times during the day or night. Not having control over your own house is a serious vulnerability. Taking exclusive control of a smart house is the first step in finding safety. Regaining exclusive control is possible without going to court. It is the equivalent of changing the lock on a physical door, to avoid surprises. However, involving the family courts in these cases is important. Often courts fail to automatically extend a restraining order to cyber-intrusions as they seem to textually interpret contact under strict physical parameters, so tech-facilitated intrusion and remote-tampering must be drafted into the order specifically. Prevention is key, on that you can read Anticipating Smart Home Security and Privacy Threats with Survivors of Intimate Partner Abuse.

Spyware, a mobile phone offered as a gift by an intimate partner is often red flag, as the phone would be equipped with stealth applications intended to track and record calls, monitor emails and text messages, film and localize in real time the recipient of the gift. A possessive partner may also install spyware on a partner’s personal computer, or work computer. If you notice that your phone suddenly loses battery power for no particular reason, get your phone scanned for spyware. Sharing devices with intimate partners is strongly discouraged as it creates unnecessary long term cybersecurity risks that outlive the end of intimate relationships. For an introduction into the harmful effects of intimate partner surveillance, read Cornell University’s study The Spyware Used in Intimate Partner Violence.

Spyware also has beneficial uses. One of them is to track children, provided they have a phone. Another good one is to track yourself for your own safety and keep up with your daily activities, exchanges, and influx of information. Spyware can give you a sort of an instant memory and increase your efficiency. So long as you control the spyware on your device and, for safety, grant limited control to a trusted person who is not an intimate partner, in case something happens to you, then the phone would record, film, and document any incidents of violence, physical or psychological, that an intimate partner could inflict. This could provide an invaluable set of data for law enforcement. The most important factor is who controls the spyware.

Crimes Against Property

• BlueSnarfing is the unauthorized access of information from a wireless device through a Bluetooth connection, often between phones, desktops, laptops, and PDAs. This allows access to calendars, contact lists, emails and text messages, and on some phones, users can copy pictures and private videos. (formerly Podslurping = doing the same as Bluesnarfing but through the use of an ipod where to the casual observer the person is simply listening to music)

• Cybersquatting is the fraudulent registration of a domain name or a slightly altered version of a trademark or company for the purpose of driving and redirecting traffic to illegal sites that steal users’ personal information. It is similar to impersonation of business profiles/pages on social media. This is an extremely frequent issue. Our humble estimate is that it has or will happen at least once to any business or non-profit. Luckily, there are tools to detect and address cybersquatting.

• Hacking is the unauthorized use and entry into a network by either a person or a device.

• Logic Bomb is a Trojan Horse that gets activated at a determined date or event in the future.

• Malware involves a program designed to do harm. This could include computer Viruses and Worms, or Trojan Horses.

• Piggybacking is the use of an unsecured wireless connection to surf the internet, to commit theft of internet bandwidth and communications theft.

• Password Sniffers, a program that goes through a network to capture user passwords. It has legal and illegal uses.

• Trojan Horse, a virus with harmful or malicious code that is found inside what the user believes is harmless data or a program. the Trojan Horse’s goal is to gain control of the user’s computer or to harm its programs and data.

• Virus, a computer program that, when installed, causes harm to a computer.

• Wardriving is the act of driving around and using tech to identify unsecure wireless networks. The hacker may be able to access that network, gather sensitive data, and commit identity theft or engage in other malicious activities.

• Worm, a self-replicating virus that resides in the computer and duplicates itself but does not alter files.

This is a developing story, as there are many many many more cybercrimes against persons, businesses or property. And many more are being invented and deployed right now.