Taking Back the ID

Inheritance scam, improving cybersecurity protection and what to do if you get scammed

Date: November 1, 2022

Susan Jones received a letter from a law firm telling her that she might be the recipient of a long-lost relative’s multimillion-dollar inheritance. To process the claim, she wired the firm a deposit and sent her Social Security number (SSN) and bank account numbers, but she didn’t receive any correspondence after that. Two weeks later, her bank account had a zero balance.

This case is fictional, but it represents fraudsters’ attempts to steal personally identifiable information (PII) with a new inheritance scam, reported by the Federal Trade Commission (FTC) in a consumer alert.

Fraudsters initiate the inheritance scam by sending letters from fake law firms that tell potential victims they might be heirs to substantial inheritances. If a recipient is identified as an heir, they must split the fortune with the law firm and designated charities. Victims are told to wire money to cover fees and send their SSNs and bank account numbers to the “law firms.”

The fraudsters tell victims to reply via email immediately and not share the letter to avoid the risk of family members and friends uncovering the scam. This common strategy — a page out of the fraudsters’ playbook — increases their return on investment. (See “Contacted about a long-lost relative’s inheritance? Hold on a minute,” by Joseph Ferrari, FTC, Aug. 10, 2022.)

The FTC offers advice:

  • Don’t respond. Keep your money — and your information — to yourself. Never send money or information to a stranger who promises big rewards. That’s always a scam.
  • Pass this information on to a friend. You probably throw away these kinds of letters. But you probably know someone who could use a friendly reminder.
  • Report it to the FTC at ReportFraud.ftc.gov.

Educate members of your local community, and report the scam to local law enforcement authorities and media outlets.

The FTC publishes alerts like this when it receives a large number of victims’ complaints about a particular scam. That’s why it’s so important to report scams to the FTC as soon as they emerge, so the agency can track trends, educate the community and share the information with law enforcement.

Improving cybersecurity protection

Phishing schemes, typically delivered via email messages, are a major ploy of cybercriminals to breach organizations and compromise their data. Brian Stone, writing on TechRepublic, cites Kaspersky study data that “nearly all (91%) of cyberattacks [begins] with an attempted phishing email …” (See “Have you ever found phishing emails confusing? You aren’t alone,” by Brian Stone, TechRepublic, June 30, 2022.) Many cyberattacks lead to ransomware problems in which organizations ultimately pay huge sums of money to unlock their files. 

Organizations, none of which are immune to ransomware attacks, must constantly back up files that contain sensitive information. And because phishing schemes are so lucrative, cybercriminals are always improving them to confuse and trick victims. To help improve data security and keep safe, organizations must continually educate their employees to identify and eliminate potential data breaches before they occur.

Organizations develop phishing simulation procedures as a component of ongoing cybersecurity training programs. Trainers periodically send fake email phishing messages to employees. This training will help to reduce the confusion and panic that employees face when fraudsters attack systems.

Employees are often more likely to click on spear-phishing email messages sent directly to them, purportedly from their supervisors or others in their organizations. The internal victims normally trust (or fear!) the senders, so they’ll often click on attachments and begin ransomware fevers.

And Stone wrote, citing phishing simulator data from Kaspersky’s Security Platform, that “16% to 18% of employees will click an email template sent by an adversary that appears on the surface to be delivery issues or tech related errors.” The subject lines of the five most clicked-on emails found by Kaspersky in its phishing simulator program were:

  • Subject: Failed delivery attempt (18.5%)
  • Subject: Emails not delivered due to overloaded mail servers (18%)
  • Subject: Online employee survey (18%)
  • Subject: Reminder: New company-wide dress code (17.5%)
  • Subject: Attention all employees: new building evacuation plan (16%)

“The employees [in the Kaspersky study] skimmed these subjects on a surface level, as they appeared to be coming from reliable sources such as the company’s HR department or Google, but these were carefully crafted email templates attempting to pass off as legitimate,” Stone wrote. Additional phishing subjects that garnered clicks, according to Kaspersky, were reservation confirmations from a booking service (11%), a notification about an order placement (11%), and an IKEA contest announcement (10%). (See “Have you ever found phishing emails confusing? You aren’t alone,” by Brian Stone, TechRepublic, June 30, 2022 and “Kaspersky reveals phishing emails that employees find most confusing,” Kaspersky, June 27, 2022.)

A good cybersecurity training program teaches employees to spot suspicious subject lines in email messages and other typical signs of fraudulent email messages, such as grammatical errors, sender addresses and unknown links. Employees should be taught to report any suspicious email messages to their IT departments so those departments can share them with other employees, who can then avoid becoming victims. Organizations should also provide updated antivirus software for employees’ devices.

What to do if you’ve been scammed

Scammers are very good at what they do and can be very convincing. Their delivery methods to grab your money and PII include text messages, telephone and email. Your money might be gone forever, but don’t give up. It’s worth trying to contact the company you used to send your money to get it back. 

The FTC provides help to regain your money, PII or access to your computer or phone:

Did you pay with cryptocurrency?

  • Cryptocurrency payments typically aren’t reversible. Once you pay with cryptocurrency, you can only get your money back if the person you paid sends it back. But contact the company you used to send the money and tell them it was a fraudulent transaction. Ask them to reverse the transaction, if possible.

Did you send cash?

  • If you sent cash by U.S. mail, contact the U.S. Postal Inspection Service at 877-876-2455 and ask them to intercept the package. To learn more about this process, visit “USPS Package Intercept: The Basics.”
  • If you used another delivery service, contact them as soon as possible.

Did you give a scammer your Social Security number? 

  • Go to IdentityTheft.gov to see what steps to take, including how to monitor your credit.

Does a scammer have remote access to your computer?

  • Update your computer’s security software, run a scan and delete anything it identifies as a problem. Then take other steps to protect your PII.

Did a scammer take control of your cell phone number and account? 

  • Contact your service provider to take back control of your phone number. Then change your account password. Also check your credit card, bank and other financial accounts for unauthorized charges or changes. If you see any, report them to the company or institution. Then go to IdentityTheft.gov to see what steps you should take.

Did you give a scammer your username and password?

  • Create a new, strong password. If you used the same old password anywhere else, change it. (See “What To Do if You Were Scammed,” FTC, Consumer Advice.)

I’m here to help

Please use information about these scams in your outreach programs and among your family members, friends, and co-workers. 

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you would like me to research a scam and possibly include details in future columns or as feature articles. 

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at a university in the U.S. Northwest. He’s a member of the Accounting Council for the Gerson Lehrman Group, a research consulting organization, and a member of the White Collar Crime Research Consortium Advisory Council. He’s also the vice president of the ACFE Pacific Northwest Chapter and serves on the ACFE Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.
