Cybersecurity responsibility of legitimate businesses
Scams seem to be everywhere recently. Phone scams, email scams, crypto scams, you name it.
Here in Japan, public transport and government offices are filled with posters and ads warning about scams.
Many of these ads center around noticing suspicious patterns.
Unfortunately, many legitimate businesses employ practices similar to the scams we are constantly warned about.
Let me give a few examples from my own experience.
Please give us your credit card information
A suspicious message
I recently moved into a new apartment. During negotiations with the real estate agent, I suddenly received an SMS. The message read something like "Hello, we are *building owner*. Please access the following URL to register your credit card."
I was not told that I would get a payment request, or indeed that my phone number had been shared with the owner of the building. This is the kind of message that I would usually ignore immediately. But as I was indeed moving into an apartment owned by the company, I decided to investigate.
Doing my research
I googled the content of the SMS and found an article on the building owner's website warning about scam messages with the exact content of the SMS that I had received!
So I contacted the real estate agent and complained that I had received a scam message, thinking that their system might be leaking personal information or something to that effect. But to my surprise, the agent called and told me that the message was legit, and that I should register my card using the provided URL.
Now, I could have just accepted their answer at this point. But given that there was literally an article warning about this exact message, I wanted to gain some sort of proof of the authenticity of the communications. They seemed to be confused about what the problem was and tried to tell me that I was "Just not used to the apartment rental system in Japan", even though I have rented apartments in Japan before (without suspicious SMS messages).
Doubling down
I decided to stand my ground, if nothing else, then at least to prove a point. They then sent me an email from the same address that I had been communicating with earlier, with a document showing the message and how to register my card. I told them that I would like to get confirmation from the company that supposedly sent the message, which they initially told me was not possible. But after a while they returned and told me that an employee of the company that owned the building would contact me to verify the message. As promised, I got a call from the building owner, who told me that the message was legit.
At this point, I finally felt that I had enough peace of mind to register my card, and I moved into the apartment with no further issues.
Send the payment to this account.
On this occasion, I was booking a stay at a guest house. I had sent a form from their website with my information. The next day I received an email saying that to secure my booking, I needed to pay the full amount.
They provided a link to a document explaining how to make the payment. The document instructed me to make a direct bank transfer to send the money. Now this is not so strange for a small business, but there were several factors that made the instructions seem suspicious.
- The account was in the name of a business that seemed totally unrelated to the guest house.
- The account was in the US, even though the guest house was in Asia.
- The instructions specified that I was not allowed to mention the guest house in the bank transfer reference.
- The emails were sent in the middle of the night relative to the location of the establishment.
I wrote back and explained my suspicions. But they could not provide any assurance besides "It's legit, please trust us". I ended up sending the money anyway, deciding that I'd take the risk rather than cancelling my trip.
The place turned out to be legit, and I had no problems during my stay.
Conclusion
If the normal processes of businesses require the customer to ignore red flags, people will eventually get desensitized to them, which I'm sure scammers are very happy about.