When Apurva Ganti, senior, received an Instagram message from former student Keshav Tripathi asking for $100, she was somewhat cautious.
“I did ask for video proof, and I don’t know where the scammer got it, but the scammer literally got a video of Keshav saying ‘I am Keshav Tripathi,’ so that’s what convinced me,” Ganti said. “I did kind of mindlessly go for it; it’s really embarrassing.”
Using numerous disorienting and urgent-sounding messages, the scammer tricked Ganti and took control of her account for 5 minutes. Once Ganti realized the full scope of the issue, she utilized Instagram’s account recovery feature, by sending in a video of herself, and regained control.
“I was able to get into my account and lock him out, and then I put in two-factor authentication,” Ganti said. “The scammer was able to message practically every single person that I followed.”
The Threat Landscape
While Ganti was able to retrieve her account, many aren’t as successful. 46 percent of Americans admit to having their password stolen in the last year, with social media accounts being the most frequent targets for password hacking, according to a 2024 Forbes study.
Only 5% of all reported scams involve people 19 years old or younger, according to the Federal Trade Commission (FTC), but certain metrics, such as social media scams, involve a much larger percentage of teens and very young adults.
Steve Weisman, professor at Bentley University, said based on FBI reporting, the actual number of people being scammed across the demographics is likely far greater.
“My inclination is that teens are probably even less apt to report scams,” Weisman said.
While cognitive studies show that a decline in skepticism with age has caused older demographics to commonly fall victim to scams, Weisman said teens are also prime scam victims due to a distorted feeling of being “bulletproof” and put too much faith in digital technology.
Weisman has appeared on many national news stations as a scam detection expert and is the founder of Scamicide.com, a blog and website dedicated to scam detection and education.
Every day for 12 years, more than 4,700 “Scams of the Day” on Scamicide explain what the latest scams are and always how you can protect yourself, Weisman said. They let people know what they can do and what to be on the lookout for.
“Scam artists are the only criminals we call artists, and they really are very adept at psychology,” Weisman said. “A lot of scams appeal to fear and greed.”
Despite the constantly changing scam landscape, Weisman said he believes that “new scams” are all evolving from older scams. For example, the once prevalent Nigerian prince inheritance scam is very similar to a 1600s scam called the “Spanish prisoner.”
“What I see more than anything else is whatever people are interested in, the scammers will turn it into a scam. Cryptocurrency is the basis of a lot of scams now,” Weisman said.
Expert Insight
Weisman said the fastest growing form of identity theft is called synthetic identity theft.
The idea is you steal one person’s social security number, you steal another person’s name, you steal another person’s address, and you create a fake person,” Weisman said.
People under 18 are particularly vulnerable targets of synthetic identity theft because they likely won’t be aware that their information, like their social security number, has been stolen until they are older and looking for a car loan or financial aid for college. Weisman said the best way to prevent this is to freeze your credit if you are under 18.
Another highly dangerous scam that has increasingly targeted teens in the last few years is sextortion scams. Weisman said it’s been found that there are criminal cybergangs in Nigeria that focus on sextortion.
“They meet someone online and are lured into sharing nude photos or activities, and then they’re blackmailed with that,” Weisman said. “There have been teens who’ve committed suicide over that, so that’s a real problem for younger people.”
Whether it’s a social media message, email, text message or phone call, one can never be certain who is actually contacting them, Weisman said. This is due to all of the widely available techniques, like spoofing and phishing, that make it very easy to look like a trusted source.
Weisman said it’s essential to always confirm legitimacy and safety if asked to make a payment, click a link or share personal information.
In cybersecurity, they call it the ‘zero trust model,’” Weisman said. “You’ve got to unfortunately build that in because that’s what today’s world is like.”
Student Perspective
Landon Buscher, senior, became interested in cybersecurity as a sophomore by participating in a competition through Cyberstart America and receiving the “Cyber Scholar with Honors” award. Last summer, Buscher was an intern at McCarthy Construction and developed an automated threat intelligence system for the company.
Buscher said hacked social media accounts are common on Discord. This occurs when someone receives and clicks on a link from a friend’s hacked account. This link directs them to a “login page” to obtain their login credentials and take over the account.
“When you are getting messages from friends that have a link in them, especially if they’re telling you to do something ‘right now,’ then you should really make sure that’s a legitimate URL,” Buscher said.
Buscher said scholarship scams are increasingly prevalent and specifically targeting high school students.
“Thankfully, the majority of them do go into your spam folder, but I’ve gotten several of them,” Buscher said. “It offers these massive scholarships and looks very reputable, but if you look at who the email is actually from or hover over one of the links in the email, you can see that it isn’t very legitimate.”
Suspicious links can be copied and pasted into VirusTotal, a free website that uses numerous threat intelligence programs to determine if a link is likely to be a scammer seeking personal information, or phishing.
Most social media platforms like Instagram don’t allow hyperlinks in direct messages (DMs), which makes account theft more difficult but far from impossible.
Buscher said new scams using artificial intelligence (A.I.) is something everyone is vulnerable to, no matter their age. Buscher met an individual over the summer with a high-level position in a Fortune 500 company who identified their frightening experience with an A.I. scam to him.
“This hacker had cloned this employee’s mom’s voice using A.I. to make it sound as though her account had been hacked and she needed money urgently to get it back, and you trust your mom’s voice,” Buscher said. “But it turns out it wasn’t a real call at all. Her mom was actually downstairs in the kitchen in the same house as her.”
District Cybersecurity
Chief Information Officer Bob Deneau is responsible for RSD’s cybersecurity department by conducting threat investigations and maintaining the district’s complex digital protection system.
Deneau said phishing emails are often the root cause of cyberthreats, especially as they’ve become more sophisticated and harder to spot, with less spelling and grammar issues, in recent years.
“Google’s algorithms do a pretty good job of recognizing things that they deem as phishing based on settings that we’ve set up,” Deneau said. “Many times, those messages won’t appear in an inbox. They’ll go directly to your spam.”
Deneau said if the Rockwood technology department is alerted to a known malicious email that was sent to a large number of students and staff, they have the ability to remove that email directly from everyone’s inbox.
“Chromebooks tend not to have as many of the security concerns as say our windows devices or our server environment, so for those, we have additional endpoint detection software that can shut down malicious files [autonomously],” Deneau said.
RSD has a third party service that monitors the entire district network 24/7 and brings any threats or anomalies to the department’s attention.
“Whether it’s an email for lower-level things, or whether it’s a phone call at 3 am if they feel like there’s something that needs immediate action,” Deneau said.
Deneau said firewalls and content filters also play an important role in district cybersecurity.
Using information from government agencies and third party vendors allows RSD to stay alert and on top of the constantly evolving landscape of digital malice.
“When cybercriminals discover some sort of weakness in a product, they’re going to try to exploit that as an entry point into your system, so it is a constant battle,” Deneau said. “It is a tall task in an environment as complex as ours, but that is why we have the technology staff here to do that.”
Due to a requirement from RSD’s cybersecurity insurance, the district sends out monthly emails to staff devices designed to look like a phishing email. If a staff member were to click on the link in the email, they would be directed to a page explaining the email’s purpose and how to avoid scams in the future.
One of the best ways to strengthen cybersecurity and lower risks is to educate people, Deneau said.
While Ganti was able to get her Instagram account back from the scammer, Meta’s automated threat detection system blocked and deleted her account a month later. Since the account was tied to her phone number, Ganti has been unable to make a new one.
“Just don’t click on any links, and also, get off social media,” Ganti said. “Don’t do what I did. Be smarter than me.”