[Bilingual] How Much Do You Know About the Tricks of Cyber Scams?

2023-10-17 10:11 Author: Harvard Business Review

Cyber Thieves Are Getting More Creative

Misinformation is frequently mentioned in the media, usually in the context of politics and viewed synonymously with fake news. Although these are serious issues, a bigger and more personal danger is often overlooked: How cyber criminals use misinformation to steal from companies and individuals.


One definition of misinformation is: “false or inaccurate information, especially that which is deliberately intended to deceive.” But misinformation can be most effective and deceptive when it is combined with large amounts of true and accurate information, especially information that is only known to a few. By exploiting cyberattacks that steal true information, criminals can combine that with just a bit of misinformation to result in major financial impacts for companies and individuals.


I give several examples below. Because these situations were very sensitive, the organizations affected only agreed to explain the situations to me under the condition of anonymity. This is a common requirement, which is why it is believed that publicly-reported cyberattacks only represent a small fraction of actual cyberattacks.


Exploiting Wire Transfers

Most of us have heard about scams that steal credit card numbers. In most cases, you can challenge or cancel improper credit card charges, so you don’t ultimately lose any money. But there’s a key difference with wire transfers: they’re usually immediate and irreversible. That is, when a wire transfer is used, the money is gone, especially if this deception is not discovered immediately. Cyber criminals have taken advantage of this feature in various ways.


One example involves criminals getting into a company’s computer systems, where they then spend time reading emails and learning internal procedures. The criminals learn which officials are authorized to issue wire transfer instructions to the financial office and what the procedures are. They then masquerade as these officials, one by one over several days, issuing instructions for wire transfers, some for more than $500,000, to the criminals’ accounts.


After this costly problem was realized at one company I spoke with, procedures were put in place to require verification that such wire transfers were actually requested by authorized personnel. This involved speaking on the phone directly with the authorized person and verifying the details of the transaction. Unfortunately, such sensible procedures are often only put in place after a crime has already been committed.


It’s not only corporations that can lose money via wire fraud. Executive home buyers are popular targets. A key step in most home buying transactions involves the transfer of a substantial amount of money by wire to a title or escrow company that holds onto the money until the title for the property has been transferred to the new owner and then — and only then — the escrow company transfers those funds to the home seller.


Criminals use a multi-step process to reap their gains in these situations. First, they break into the real estate agent, attorney, or title agent’s computer systems. They may spend weeks or even months learning about upcoming closings, the company’s procedures, and details including samples of wire transfer instructions. Since there can be complications at the last minute, home buyers are often encouraged to do the wire transfer a day or two in advance. The title company usually sends the instructions one day in advance, so cyber criminals will send the instructions two days in advance. These instructions appear to be from the title company, since they are based upon the real instructions, but the destination information is altered. They have buried just a bit of misinformation in a batch of true information.


Hundreds of millions of dollars have been stolen this way in a single year. In fact, more than 13,000 people were victims of wire fraud in the real estate and rental sector in 2020, with losses of more than $213 million — an increase of 380% since 2017, according to FBI data. You could find yourself in a situation where you had sold your prior home and used the cash received plus your savings to buy a newer, better home in a different city. You might be in your car halfway to the new city to move into your new home the next day when you receive a call from your real estate agent asking where your payment is. After many frantic calls, you realize that your money has been stolen, and that you’re now homeless and broke.


There are various things that both individuals and companies can do to reduce the risk of cyber crime via wire transfer. First, always confirm the wire transfer instructions on the phone with the person who should be receiving the money before wiring the money. But, be sure that you can confirm that you are actually talking to the right person — the criminals might have included a phony phone number in the instructions that you received, so always verify the correct number in advance using an official website, or by speaking directly to a known source who can verify the correct information.
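One way to encode the callback rule described above in a payments workflow, as an added example that is not part of the original article: the number used for verification is looked up in a directory compiled in advance from official sources and is never taken from the instructions themselves, and the transfer is released only when the destination matches the trusted record or a callback placed to the directory number confirmed the new details. The directory, payee name, account identifiers and phone numbers below are constructed placeholders.

```python
from dataclasses import dataclass

# Trusted directory compiled in advance from the payee's official website or a
# known contact. All values are constructed placeholders, not real numbers.
TRUSTED_DIRECTORY = {
    "Example Title Co.": {
        "phone": "+1-555-0100",
        "account": "TRUSTED-ACCT-1",
        "routing": "TRUSTED-RTN-1",
    },
}


@dataclass
class WireInstructions:
    payee: str
    account: str
    routing: str
    callback_phone: str  # number printed on the received instructions; never used to verify


def directory_phone(payee):
    """Return the callback number from the pre-verified directory (None if unknown payee)."""
    entry = TRUSTED_DIRECTORY.get(payee)
    return entry["phone"] if entry else None


def assess(instr):
    """List every discrepancy between received instructions and the trusted record."""
    entry = TRUSTED_DIRECTORY.get(instr.payee)
    if entry is None:
        return ["payee not in trusted directory; obtain details out of band"]
    findings = []
    if (instr.account, instr.routing) != (entry["account"], entry["routing"]):
        findings.append("destination account differs from trusted record")
    if instr.callback_phone != entry["phone"]:
        findings.append("callback number on instructions differs from directory")
    return findings


def approve_wire(instr, number_called=None, confirmed=False):
    """Release the wire only if the destination matches the trusted record, or if a
    callback to the directory number (not the one on the instructions) confirmed it."""
    findings = assess(instr)
    if not findings:
        return True, "matches trusted record"
    expected = directory_phone(instr.payee)
    if confirmed and expected is not None and number_called == expected:
        return True, "confirmed by callback to directory number"
    return False, "; ".join(findings)


# Constructed sample: the genuine instructions and an altered copy in which only the
# destination account and the callback number were changed.
GENUINE = WireInstructions("Example Title Co.", "TRUSTED-ACCT-1", "TRUSTED-RTN-1", "+1-555-0100")
ALTERED = WireInstructions("Example Title Co.", "MULE-ACCT-9", "TRUSTED-RTN-1", "+1-555-0199")

if __name__ == "__main__":
    print("genuine:", approve_wire(GENUINE))
    print("altered, no callback:", approve_wire(ALTERED))
    # Calling the number printed on the altered instructions proves nothing.
    print("altered, called number on instructions:", approve_wire(ALTERED, "+1-555-0199", True))
    print("altered, called directory number:", approve_wire(ALTERED, "+1-555-0100", True))
```

The design point is that `approve_wire` accepts a confirmation only when the number dialled equals the directory entry; a callback to the number supplied by the sender, even a successful one, does not unlock the transfer.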


Stealing Paychecks

Many companies provide systems that allow employees to maintain and update their personal information, such as home address, telephone, and banking details for direct deposit of their monthly paycheck. Criminals have broken into the accounts of some well-paid employees and, the day before the payment was to be sent, changed the bank details. Then, the day after, they changed the bank details back to normal, so nothing would be noticed to be out of order. They continued this scheme for several months until an executive got a notice of insufficient funds on a check and only then realized that the expected monthly payments had not been received by his bank. (I guess none of these executives were balancing their bank accounts monthly!) This illustrates the importance of checking your bank account frequently enough to detect unusual or erroneous activity, especially to confirm that expected deposits are being made.
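The change-then-revert pattern in the payroll scheme above leaves a trace in the self-service portal's audit trail, which is where a company can catch it before a missed deposit does. The following is an added example, not from the article or any named HR product, that scans constructed audit log lines for two signals: a bank-detail change made shortly before a payroll run, and a change that is reverted to the previous value within a few days. The log format, the monthly payroll day (the 15th) and the window sizes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample audit log from an employee self-service portal (not real data).
AUDIT_LOG = """\
2023-08-14T21:05:11 user=exec01 field=bank_account old=ACCT-REAL-01 new=ACCT-MULE-77
2023-08-16T09:12:40 user=exec01 field=bank_account old=ACCT-MULE-77 new=ACCT-REAL-01
2023-09-03T10:30:00 user=emp02 field=bank_account old=ACCT-REAL-02 new=ACCT-REAL-02B
2023-09-14T22:10:00 user=exec01 field=bank_account old=ACCT-REAL-01 new=ACCT-MULE-77
2023-09-16T08:00:00 user=exec01 field=bank_account old=ACCT-MULE-77 new=ACCT-REAL-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) field=(?P<field>\S+) old=(?P<old>\S+) new=(?P<new>\S+)$"
)

PAYROLL_DAY = 15                      # assumption: payroll released on the 15th of each month
PRE_PAYROLL_WINDOW = timedelta(days=2)  # change this close to payday is suspicious
REVERT_WINDOW = timedelta(days=5)       # change undone within this window is suspicious


def parse_log(text):
    """Parse audit lines into dicts with a datetime under 'ts'; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def next_payroll(ts):
    """First payroll date on or after ts, assuming a monthly run on PAYROLL_DAY."""
    candidate = ts.replace(day=PAYROLL_DAY, hour=0, minute=0, second=0, microsecond=0)
    if candidate < ts:
        year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
        candidate = candidate.replace(year=year, month=month)
    return candidate


def detect(events):
    """Return (user, date, reason) alerts for pre-payroll changes and change-then-revert."""
    alerts = []
    history = {}  # (user, field) -> earlier events for that user and field
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["field"])
        if ev["field"] == "bank_account":
            day = ev["ts"].date().isoformat()
            if next_payroll(ev["ts"]) - ev["ts"] <= PRE_PAYROLL_WINDOW:
                alerts.append((ev["user"], day, "bank details changed shortly before payroll"))
            for prev in history.get(key, []):
                # The new value equals what an earlier change replaced: a revert.
                if prev["old"] == ev["new"] and ev["ts"] - prev["ts"] <= REVERT_WINDOW:
                    alerts.append((ev["user"], day, "bank details reverted to prior value"))
                    break
        history.setdefault(key, []).append(ev)
    return alerts


def run():
    return detect(parse_log(AUDIT_LOG))


if __name__ == "__main__":
    for user, day, reason in run():
        print(f"{day} {user}: {reason}")
```

On the sample log the benign change by emp02 (well before payday, never reverted) produces nothing, while each of exec01's two round trips raises two alerts: one the night before payroll and one when the account is switched back. Either signal alone is worth an out-of-band confirmation with the employee before the payroll file is released.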


Tricking People Into Helping the “Boss”

Most of us have heard about the classic scam where the CEO of the company asks the CFO to send funds somewhere. If you are not a CEO, you might assume that such scams are not relevant to you, but that is not the case.


One form of this scam, especially popular on university campuses, is for a staff member to receive what appears to be an email from a superior, typically the department head. The staff member is told a story such as, “I just realized that I am going to my nephew’s birthday party tonight and I am in meetings all day, so I won’t have time to buy a gift. Could you do me a small favor and buy a $100 gift card and email me the numbers on the back?” As one victim lamented: “It was not just coming from one of my colleagues; it came in the name of my department chair.” In one case that I heard of, eight out of 10 faculty in a single department fell for the scam. Once again, it is important to verify that the message is really coming from your boss.


Why It’s Important to Be Cautious

The point of all of this is that although misinformation, in the form of fake news, is a problem, combining lots of real information with just a tiny bit of misinformation can be devastating. The examples above are just some recent examples. As noted, there are things that can be done to eliminate or at least dramatically reduce such crimes, but those procedures and precautions need to be put in place now, not after the crime.


But note, cybercriminals are amazingly creative, and are often armed with lots of information about you. More treacherous schemes may be heading our way, so it is important to continually learn about new schemes, be cautious, and prepare your defenses.



Stuart Madnick is the John Norris Maguire (1960) Professor of Information Technologies at the MIT Sloan School of Management, Professor of Engineering Systems at the MIT School of Engineering, and Director of the MIT Sloan cybersecurity consortium, the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity. He has been active in the cybersecurity field since co-authoring the book Computer Security in 1979.

Shi Qingjing | Editor

