
Social engineering scams have become the method of choice for today’s cybercriminals. Rather than seeking to fracture the security frameworks companies have put in place, social engineering simply asks users to hand over the keys. If the scam successfully hides the attacker’s identity, it typically allows them to sidestep security measures completely.
Statistics show the average company is targeted by over 700 social engineering attacks every year, and falling victim to such an attack can be extremely costly. In 2024, successful social engineering attacks cost companies an average of $130,000.
Among the wide variety of approaches cybercriminals take to social engineering, the selfie scam is on the rise.
“The selfie scam is a form of fraud that uses social engineering to deceive victims and gain unauthorized access to bank accounts and other personal data,” explains Vinícius Perallis, CEO of Hacker Rangers. “The selfie scam allows criminals to bypass identity verification through facial recognition — an authentication mechanism increasingly common in banks, fintechs, and online services.”
Perallis and his team at Hacker Rangers provide cutting-edge cybersecurity solutions to clients worldwide, helping them prevent social engineering and other common types of cyberattacks from succeeding. Their platform makes cyber awareness fun and engaging for employees by using an innovative training approach that leverages gamification. Hacker Rangers empowers companies to enhance in-house cybersecurity programs with training exercises that keep employees up to date on the latest cybersecurity threats.
The following explores how to identify a selfie scam and the steps needed to prevent it from being successful.
What is a selfie scam?
Social engineering scams like selfie scams aim to acquire a user’s access credentials and other personal information. When the targets are a company’s employees, for example, the scammers may try to obtain a username and password for the company’s network; if successful, they can use those credentials to corrupt or download company data.
Scams targeting consumers frequently seek to gain access credentials, credit card information, or other sensitive personal data. If the scams work, attackers may gain access to the victim’s bank account or use personal information to establish fraudulent online accounts.
“Whether targeting employees or personal users, social engineering schemes seek to position the criminal as an official agent, such as an IT employee or customer service representative, to gain the target’s trust and manipulate them into providing information,” Perallis says. “Victims are often led to believe that providing this information will benefit either themselves or their company.”
A selfie scam takes the same approach with the aim of obtaining a photo or video of the victim that includes an image of an official document such as a driver’s license. Here’s how they typically play out:
- Scammers discover personal data exposed through online leaks or public internet sites.
- Scammers use the data to contact targets via phone or direct messaging while impersonating a financial institution, government agency, or another official or corporate entity.
- Scammers gain their target’s trust by citing the data they have collected, such as full names, document numbers, and other personal details, to project an air of legitimacy.
- Once the target is convinced that the contact is legitimate, the scammers claim they need to verify the target’s identity or update access credentials and ask for a photo or video to facilitate the process.
- With the photo or video in hand, the scammers can use it to bypass identity verification through facial recognition.
How can users avoid selfie scams?
As Perallis explains, the most crucial step in avoiding selfie scams is knowing they exist. Any request that involves the steps outlined above should not be assumed to be legitimate.
“Legitimate requests from an official representative of an organization will most likely come via email or through the organization’s official app rather than a messaging platform or social media network,” Perallis says. “Make it a rule to never share sensitive data through unverified channels.”
Users who doubt the legitimacy of a request for information should verify its source independently: visit the organization’s official website, obtain its customer service number there, and call to confirm that the organization is actually seeking the information. In virtually all cases, the organization will appreciate your vigilance.
Individuals and organizations should also increase their awareness of security breaches that could fuel selfie scams. For example, Google’s “Password Checkup” service allows users to see whether any passwords in their Google Password Manager have been compromised. Passwords that have been compromised could be used as part of a selfie scam, which means any unusual requests regarding those passwords should be viewed as questionable.
“Sharing your knowledge of selfie scams with others can also decrease the threat they pose,” Perallis shares. “Make sure fellow employees or those with whom you share joint financial accounts know how to identify and repel the scam, and encourage them to alert you or the appropriate officials at your organization if they believe they’ve been targeted by a selfie scam.”
The threat of social engineering scams like the selfie scam has grown exponentially in recent years, creating significant risks for organizations and individuals. Those who are aware and stay alert will be best positioned to avoid becoming victims.