Millennial fraud tidal wave, Fraud Magazine

Incoming millennial fraud tidal wave

Written by: Bret Hood, CFE
Date: March 1, 2016
Read Time: 15 mins

Fraudsters are targeting emerging millennials — those generally between the ages of 18 and 34 — because of their alleged lax social media habits and optimistic natures. Learn how you can thwart perpetrators by concentrating on this large vulnerable demographic.

Janet was a typical 17-year-old who liked online gaming and social media. When one of her friends told her about a website called Twitch, which specializes in broadcasting real-time play from games such as League of Legends, Janet found an outlet to share her enthusiasm for gaming with her friends and others with similar interests. She loved the Twitch community where she could communicate through direct messaging to other account members.

Janet wasn't surprised when she received an occasional rude comment from another member because she knew it was common for young women in an online environment. Usually the offenders eventually drifted away or site moderators removed their accounts. However, one member — who went by the screen name Obnoxious — was different from the others. And Janet would later find out how truly dangerous he was.

Janet and other girls around her age started to notice they couldn't get onto the Internet or that their data stream on Twitch was extremely slow. Obnoxious sent private Twitch messages telling them he was executing DDoS (distributed denial of service) attacks on their accounts.

Obnoxious would direct-message an affected user and offer to stop the attack if she would speak with him online. At first, Obnoxious engaged in normal conversation, but he became more aggressive over time. He started requesting fan photos (pictures of the girls holding signs with "Obnoxious" written on them) to stop his hacking attacks, but he later asked for naked pictures instead. When some girls refused, Obnoxious threatened to post all of their personally identifiable information (PII) online.

The girls didn't know that Obnoxious had amassed a large quantity of their PII from the information they'd posted via social media and other means. Obnoxious, armed with this PII, contacted and duped customer service representatives at Internet service providers and Internet companies into providing passwords and other account information by giving the girls' dates of birth, addresses and Social Security numbers. This gave Obnoxious even more access to the girls' personal profiles.

Obnoxious' behavior became more threatening and brazen. He initiated unexpected pizza deliveries to girls' homes, posted nude photos online of the girls he'd extorted and even revealed the true identity of a young transgender woman. When Janet stopped responding to Obnoxious, he sent texts to her friends' cell phones telling them to coerce Janet to re-establish contact. When she didn't comply, Obnoxious did something Janet never expected.

On an early January 2014 morning, Janet's father awakened her and told her to come downstairs. As she stood at the top of the stairway, police SWAT team members aimed their guns directly at her. Instantly, she knew this was Obnoxious' doing. He'd called the local police department and told them that he'd killed people at Janet's residence and was holding someone hostage as they spoke. The police didn't realize that a 16-year-old kid from Canada had "swatted" them.

As Janet later learned, Obnoxious had perpetrated similar hoaxes against many other victims. Eventually, after more than two years he was charged with crimes. A judge sentenced Obnoxious to jail after he pleaded guilty to 23 counts of criminal harassment, public mischief and extortion. He will have served 16 months before he gets out of jail in March when he turns 18. (See The Serial Swatter, by Jason Fagone, Nov. 24, 2015, The New York Times Magazine.)

A polarizing question

When you hear about "millennials," also known as "Generation Y," what's your reaction? Do you cringe or do you smile? Do your eyes roll thinking about their alleged feelings of self-entitlement, or do you breathe a sigh of relief knowing their technological expertise has helped you work through important problems? And if you're a millennial, do you think you're all that different from those in other generations?

Though there's some debate on the exact years, millennials were born between the early 1980s and early 2000s. They might constitute a polarizing generation. Some chastise them as selfish, others celebrate them as tech-savvy. No matter what you think of them, millennials are entering the workforce, starting companies and brandishing their growing disposable income.

The ACFE, in its 2014 Report to the Nations on Occupational Fraud and Abuse, estimates that approximately $3.7 trillion is lost to fraud worldwide.

Millennials are estimated to have $200 billion of direct purchasing power and $500 billion of indirect spending power, according to The Millennial Generation Research Review, published by the U.S. Chamber of Commerce Foundation in 2012.

As the upper end of millennials progress in organizational hierarchies, and if many of the two-thirds of millennials who are interested in entrepreneurship decide to open their own businesses, financial decision-making authority will increasingly fall into their hands, according to the Chamber of Commerce Foundation report. As a result, millennials are going to be increasingly targeted and potentially exploited.

Over-optimistic millennials?

Some of the behavioral characteristics that are common to millennials also might make their generation susceptible to fraud. Kit Yarrow, a consumer psychologist and expert on Generation Y purchasing patterns, is worried about millennials becoming victims. "I think Gen Y's optimistic nature leaves them more vulnerable to scams," Yarrow says in the article, MTV's 'Teen Mom': Victim of Financial Fraud, by Kimberly Palmer, Sept. 8, 2010, U.S. News & World Report. "Compared with other generations, Gen Y feels like things will turn out well and imagines the best. This makes them less vigilant in general."

And despite millennials growing up with events such as 9/11, the Chamber of Commerce Foundation survey results concurred with Yarrow that millennials are more optimistic than other generations. In 2012, 41 percent of millennials were satisfied with the way things were going with the U.S. economy, as compared to other generations whose highest score was 30 percent.

An overriding sense of "believing things will work out for the best" can easily lead to an optimism bias in decision-making, according to the 2010 research paper, Affective Decision Making: A Theory of Optimism Bias, by economists Anat Bracha and Donald J. Brown.

"[D]ecision makers have some freedom in choosing their probabilistic beliefs [believing in the probability of a certain outcome], and they are often optimistic—they appear to choose beliefs that are biased towards favorable outcomes," according to Bracha and Brown's paper.

So based on Bracha and Brown's conclusion, I conjecture that when fraudsters present millennials with fraud schemes, their natural optimism could lead them to overestimate the likelihood of favorable outcomes. If millennials give little or no consideration to potentially negative results, they could be susceptible to con artists' grand imagery, which makes them more amenable to handing over their money without doing necessary due diligence.

According to a common stereotype, millennials are often considered narcissistic. However, four-fifths of respondents in a national college freshman survey rank their inner drive "above average" and more students than ever consider themselves gifted, according to Are Millennials 'Deluded Narcissists'? by Jenna Goudreau, Jan. 15, 2013, Forbes.

Millennials' overwhelming self-confidence might prove irresistible to scammers. The International Organization of Securities Commissions, in a 2015 report, said that overconfidence was identified as a significant factor in determining whether someone would become the victim of a fraudulent scheme. (See Majority of fraud victims are 'overconfident educated middle-aged males,' by James Langton, May 6, 2015, Investment Executive.)

According to the National Institutes of Health, the incidence of narcissistic personality disorder is three times higher for people in their 20s than for the generation now in their 60s. (See Millennials: The Me Me Me Generation, by Joel Stein, May 20, 2013, Time.)

Technically savvy but lax social media habits

Millennials' most predominant characteristic might be their technological expertise. Because they've known the Internet from childhood, millennials use their electronic devices to work, communicate, shop and socialize. However, despite their knowledge and comfort with technology, millennials in England are surprisingly lax when it comes to protecting their PII, according to new online "YouGov" research commissioned by Equifax, the credit information provider. (See Generation Y the Most Concerned About Bank Account Fraud – Yet Take the Most Risks, Oct. 23, 2015.)

According to the research, they routinely store PII such as PINs and online passwords on their smartphones — a surprising lapse in judgment for the generation most concerned about being the victim of bank fraud.

According to the Equifax research survey, 54 percent of the millennials also admitted to using the same password for more than one online account, which is 14 percentage points higher than England's overall average. Using the same password for multiple sites allows a criminal to access more than one account, which increases the chances of larger financial losses.

In 2014, 12.7 million U.S. consumers were identity theft victims, which caused losses of $16 billion, according to a 2015 Identity Fraud Study report by Javelin Strategy and Research, sponsored by LifeLock. (See Identity theft: 4 trends to watch, by Jean Chatzky, Fortune, March 4, 2015.)

A millennial's stolen phone can potentially provide a criminal with password access to credit card accounts, bank accounts and other PII that fraudsters can use to target friends and associates through proven spear-phishing techniques.

Fraudsters gaining access to business networks via employee mobile phones is becoming an even larger problem. Mobile security company Lookout conducted an informal survey of information technology personnel and found that 75 percent experienced data breaches in their companies, which were attributable to employees' use of mobile devices in the workplace. (See Is your phone safe for work? by Robert Hackett, Oct. 15, 2015, Fortune.) Millennials who rely on their mobile phones for access to work-related files can drastically increase organizations' fraud exposure.

Another surprising fact about millennials is that 72 percent of them have admitted to accessing bank accounts and conducting transactions via their smartphones while utilizing public Wi-Fi service, according to the same Javelin 2015 Identity Fraud Study. In addition, 60 percent of millennials have made a purchase using their smartphones — compared to 25 percent of baby boomers. (See 5 Ways Millennials Are in Danger of Bank Fraud, by Lucy Mueller, June 28, 2015.)

Many of us have become accustomed to texting friends, paying bills and buying things over the Internet and mobile phone networks. What most people don't realize is that many public Wi-Fi outlets don't take basic security measures to protect their users.

In 2008, the Better Business Bureau reported that fraudsters had set up 20 ad-hoc public Wi-Fi networks at Chicago's O'Hare Airport to illegally gather unsuspecting users' PII.

Hackers use Wi-Fi as an easy bridge to quickly access PII by creating fictitious servers, illegally accessing Bluetooth devices or simply surreptitiously taking over devices' functions. Fraudsters then use PINs, passwords and PII for many illicit purposes, according to Revealed: How criminals can easily 'suck information' out of smartphones using public Wi-Fi networks, by Thomas Burrows, Jan. 19, 2015.

With more than 25 percent of millennials performing sensitive transactions on potentially unprotected Wi-Fi outlets, scam artists have an abundance of information to harvest.

According to the Chamber of Commerce Foundation's study, millennials are also early adopters of new technologies. Early versions of software and hardware normally have exploitable holes in their operating systems and coding. Twitter revealed it was a victim of an unauthorized 2013 cyber intrusion in which hackers accessed information on more than 250,000 user accounts. Almost all of the compromised accounts belonged to early adopters of the technology. [See Twitter Hack Mostly Hit Early-Adopter, Well-Connected Users (And Probably President Obama), by Andy Greenberg, Feb. 4, 2013, Forbes.]

Need to stay connected feeds social engineering

More than 75 percent of millennials have some kind of profile on a social networking site, according to the Chamber of Commerce Foundation study. Twenty percent of that group revealed they've posted a video of themselves online.

Millennials seem to have a psychological need to stay connected to their friends via social media. Some live in fear of missing out on something fun or important if they don't constantly check their friends' statuses. According to a survey by web analytics company SDL, 1,800 millennials across the globe check their smartphones at least 43 times per day. (See the June 4, 2014, Entrepreneur article by Catherine Clifford.)

The words we write, the pictures we post, the clicks on "like" and "dislike" buttons, and other information we post online provide countless clues to our personalities, occupations, family statuses, and email addresses and passwords. Fraudsters can easily use this information for social engineering to manipulate you and your friends to provide sensitive data.

First Data, in its 2011 white paper, Four Evolving Fraud Threats You Cannot Afford to Ignore, by Beth Summers, cites the 2010 Symantec report "The Risk of Social Networking."

"Attackers use social engineering tricks to post enticing messages on behalf of an infected user, such as pleas for financial assistance," Summers writes. "Curious friends follow the link, and get infected with malware and unknowingly spread the message further. With people willing to click on any link from those in their private network, it's easy for attacks to succeed." Fraudsters use millennials' need for self-expression against them.

Fraudsters are also launching more social engineering attacks by taking advantage of marketers' increasing use of targeted advertising. Facebook, Twitter and other social media sites collect intelligence to analyze your interests and behaviors by keeping track of what you liked or disliked; what you ordered online; what news stories, advertisements and other sites you visited; and what links you clicked on, according to Why Social Media Advertising Is Set To Explode In The Next 3 Years, by Sonny Ganguly, March 17, 2015, Marketing Land.

These sites then create actionable profiles with this information, which they sell to advertisers looking to reach particular markets. Therefore, social media sites encourage registered users to provide as much PII as possible. Also, 86 percent of millennials exhibit their brand preferences online, according to the Chamber of Commerce Foundation study.

These targeted marketing efforts have been very successful. Magnetic, a technology company, conducted a 2015 study in concert with Retail TouchPoints, which revealed 41 percent of consumers who received a highly relevant digital advertisement or email indicated they spent slightly or significantly more with that retailer than with others who didn't take into consideration their previous interests.

Don't trust anybody under 34?

Even with knowledge about how social engineering can be utilized for nefarious purposes, millennials continue to publicly post information about themselves. They're doing this despite being a generation who distrusts nearly everyone else, according to the study, Declines in Trust in Others and Confidence in Institutions Among American Adults and Late Adolescents, 1972–2012, by Jean M. Twenge, W. Keith Campbell and Nathan T. Carter, 2014, Psychological Science, 1-12.

We'd assume this distrust would be a detriment to fraudsters. However, some academics have come to a different conclusion. Rebecca M. Nash, Ph.D., Martin Bouchard, Ph.D. and Aili Malm, Ph.D., examined a mortgage fraud case that spread undetected in British Columbia, defrauding 2,285 investors of a total of $240 million. Drawing on the paper's conclusions, we can say that a con artist can easily overcome the mistrust hurdle if he's able to establish trust with one millennial who's willing to share PII with his or her peers. (See Investing in people: The role of social networks in the diffusion of a large-scale fraud, ScienceDirect, a for-profit site.)

The paper's authors write that prior literature (Survey evidence of diffusion of interest and information among investors, by R.J. Shiller and J. Pound, 1989, Journal of Economic Behavior, 12, 47-66) "showed how personal, social ties emerged as the main influence for investors, whether such opportunity ended up being legitimate or not. Examining what convinced stock purchasers to buy, Shiller and Pound … found that it was mostly because some of their trusted friends have done it already."

Millennials are more susceptible to this phenomenon as they seek peer affirmation in much greater numbers than previous generations. According to the Chamber of Commerce Foundation study, "Seventy percent of millennials are more excited about a decision they've made when their friends agree, compared with 48 percent of non-millennials."

If a criminal can get one member of a social circle to trust him or her — online or in person — the peer influence will likely validate the viability of the investment to the members of the social network even though the investment is fraudulent.

According to Nash, Bouchard and Malm, this important level of trust can spread easily over a social network. Akin to affinity fraud, opinion leaders in social groupings can easily become bridges in the network and influence others to invest in their well-hidden schemes. Their actions unknowingly maintain frauds by introducing new money into established Ponzi schemes.

Fraud examiners have seen similar patterns in traditional (offline) social circles in the past, but the speed of diffusion — "the process by which an innovation is communicated through certain channels over time among members of a social system" (from "Diffusion of Innovations," fourth edition, by E. M. Rogers, Free Press) — is greatly enhanced and broadened through the Internet via existing and new social networks.

Batten down the hatches — here comes the wave

Millennials have experienced a convergence of technology and global access to real-time information. This has clearly affected how they think, work and socialize. Whereas older generations without such technology were forced to socialize in limited groups and in person, millennials (and others) can enjoy close relationships and frequent interactions with friends and associates who live thousands of miles away.

Millennials now represent the largest share of bodies in the workplace and the percentage will grow exponentially in the near future. (See Millennials surpass Gen Xers as the largest generation in U.S. labor force, by Richard Fry, May 11, 2015, PewResearchCenter.)

Experienced fraudsters are beginning to notice millennials' unique generational characteristics. According to Federal Trade Commission (FTC) statistics, the percentage of millennials as victims is increasing steadily. (See the FTC's Consumer Sentinel Network Data Book, February 2015.)

As a fraud examiner, are you prepared for the incoming millennial fraud tidal wave?

Bret Hood, CFE, is an FBI supervisory special agent for the FBI Academy's Leadership & Communications Unit. His email address is: salukis32@gmail.com.
