A text messaging scam that began in Europe and that is now impacting Australians will likely target North Americans soon. Known as the “Hi Mom” scam, this social engineering attack involves the use of impersonation.
Scammers send messages, most often using WhatsApp, posing as the children of their intended victims. The messages typically indicate that some sort of emergency exists and that funds are needed immediately to resolve the issue. Once the victims transfer the money, there is little likelihood that they will ever get it back. We go over the ins and outs of this popular WhatsApp scam, and teach you how to protect yourself.
How the Scam Works
Criminals perpetrating this scam usually collect enough information about their targets in advance to sound convincing when they make contact with them. These details often come from social media posts. Parents and their children typically post enough information about one another and their daily lives on social media to allow a potential scammer to collect useful data. If a son or daughter posts details about things like car troubles, home remodeling projects, or a need for a new appliance, for example, that information can be useful to an impersonator when contacting a parent for fraudulent financial assistance.
The scam starts with a parent receiving a WhatsApp or text message from someone claiming to be their son or daughter. Because the number from which the message originates is not the number of the child being impersonated, the message may begin with something like, “I dropped my phone and broke it. This is a temporary number.” Alternatively, the impersonator may indicate that the phone was stolen or lost or give some other reason for the unrecognized number.
Once a scammer has engaged a targeted parent in conversation and provided adequate personal details to convince the victim that they are the son or daughter they claim to be, they then come up with a fake emergency and ask the parent to send money to resolve it.
Most of the perpetrators of this scam operate from countries other than those where their victims reside, so if funds are sent, it is unlikely that they will be recovered or that the perpetrators will be brought to justice.
One Victim’s Story
A mother we’ll call Barbara reported to Australian authorities that she was a victim of the “Hi Mom” scam. She and her daughter had a lengthy conversation via WhatsApp one morning and all appeared to be going well. They discussed the daughter’s ongoing home remodeling project.
Later that same day, Barbara received a WhatsApp message that appeared to be from her daughter, who we’ll call Kathy, but the sender’s phone number wasn’t Kathy’s. The impersonator said she had dropped her phone into water and it stopped working, so she had borrowed a friend’s phone to contact her mother about a serious problem she was having.
Fake Kathy said she lost access to her online banking account when her phone was damaged and that she had to pay her home renovation contractor that same day. She needed money right away to ensure that the bill was paid on time.
The scammer included enough personal information about Kathy, Barbara, and Barbara’s husband to convince the victim that the request was legitimate. During the WhatsApp conversation, the scammer discussed the home renovation project and how stressful the work had been. Barbara told authorities that it seemed as if the criminal had been privy to her previous (legitimate) conversation with her real daughter that same day on WhatsApp.
The scammer, posing as Kathy, asked Barbara and her husband to send just under $13,000 to pay the bill that was due immediately, promising to pay the money back as soon as she regained access to her bank account. Barbara transferred the money to the criminal. Once the transfer went through, the impersonator sent thanks and heart emojis to Barbara.
As with other social engineering scams, once a willing victim has been identified, that victim is very likely to be targeted again – often very quickly. In this case, it only took two minutes for the scammer to ask Barbara to send more money. When Barbara’s husband raised their bank account’s daily transaction limit to facilitate sending another payment to the fake daughter, it triggered a fraud alert at the bank that stopped the second transfer of over $10,000. Fraud investigators from the victims’ bank notified the scammer’s bank, but Barbara and her husband have thus far not been able to recover the money they initially sent.
This is a typical example of what the “Hi Mom” scam looks like and the damage it can do.
Australian Scam Statistics
The Australian Competition and Consumer Commission (ACCC) reported that social engineering scams like this one cost Australians $1.8 billion in losses in 2021. That’s more than double the total for 2020, and not all victims report that they have been scammed. Some are too ashamed to admit they’ve been scammed. The ACCC estimates the actual figure for 2021 to be over $2 billion.
Within the first seven months of 2022, over 1,150 Australians reported falling victim to the “Hi Mom” scam. They were defrauded out of a total of $2.6 million. Again, not everyone admits to being victimized, so these numbers are likely much higher.
Older Individuals are Prime Targets
Per ACCC deputy chair Delia Rickard, the prime targets of the “Hi Mom” scam are older female parents. According to Rickard, over two-thirds of identified victims were women over the age of 55.
How You Can Protect Yourself and Your Family
Most of the data used by impersonators in this scam are sourced from social media posts. Reviewing the privacy settings of your social media accounts and tightening the security settings will limit who can see what you post. Be careful about what you say on these sites – impersonators will use seemingly harmless personal details to convince you that they are who they claim to be.
Other information used by “Hi Mom” scammers and other cyber criminals comes from data stolen by hackers and identity thieves. Some data comes from information brokerage sites where online tracking information is combined with data from public records and other sources to build and sell personal profiles on individuals.
A virtual private network (VPN) application will help to protect your personal information while online. A VPN encrypts the data traveling to and from your devices while masking your location and identity. You’ll find more information about how to protect your data and manage your online privacy in our 12 Tips article.
If you receive a suspicious message from someone claiming to be a relative or acquaintance, contact the person by phone using a number you know to be correct and verify that they are, in fact, the sender of the message. Alternatively, try asking the sender a trick question to verify his or her identity. For example, you could ask, “how is your cat” when you know the person has no cat. If the sender replies that the cat is doing well, you’ll know it’s an impersonator. You could also ask a personal question that only the real individual could answer.
If you are a WhatsApp user and you’re concerned that many “Hi Mom” messages utilize this platform, you may want to consider switching to an alternative platform that better protects your privacy.
If You Think You’re a Victim of the “Hi Mom” Scam
If you believe you’ve been scammed into transferring funds to a cybercriminal, contact your bank immediately. In some instances, quick reporting will enable your bank to stop the transfer. Once the money leaves your account, your chances of recovering it are slim.
Australians who believe they may be victims of this scam or other online fraud can file a report at ScamWatch.gov.au. If you think you may have provided sensitive personal information to a scammer, contact IDCare.org as soon as possible for assistance.
In the United States, victims of this and other online scams can file a complaint with the Federal Trade Commission. You can also report Internet crimes and scams to the Federal Bureau of Investigation at ic3.gov.
- How Secure is Your Car? Tips to Stop Car Key Fob Hacking - December 17, 2022
- Cybercriminals Raking in Millions with “Hi Mom” WhatsApp Scam - December 17, 2022
- EU Websites Charging Visitors to Reject Tracking Cookies: A Practice Expected to Spread - December 17, 2022