When it comes to computer-enabled crimes, identity theft is only the first part of a deception scheme to defraud and extort victims. In this article, we will explore virtual stings and other related online crimes that choose their victims more specifically, be they individuals or businesses.
What are virtual stings?
- A virtual sting is a targeted deception: the victim is deliberately targeted and the context of a connection (like an email) is framed to deceive the victim. While virtual stings are enabled online, the perpetrators often try to move the location of the fraud offline.
Most virtual stings revolve around some form of social engineering. Many of them focus on obtaining money from businesses.
Business Email Compromise (BEC)
BEC is a form of spear-phishing or whale-phishing where the offender impersonates a trusted person and uses email or social media communications to deceive victims into revealing confidential business information or sending money to the offender.
- Spear phishing is a targeted cyberattack that uses deceptive emails, texts, or phone calls to steal sensitive information from a specific individual or organization. Unlike regular phishing, which casts a wide net to a large audience with generic messages, spear phishing is highly personalized and focuses on a single target or a small group.
- Whale phishing, also known as whaling, is a highly targeted form of spear phishing that specifically focuses on high-level executives or high-profile individuals within an organization, such as CEOs, CFOs, COOs, and other C-suite members. These attacks are designed to deceive these influential individuals into taking actions that compromise security, such as authorizing large financial transfers, revealing sensitive company data, or granting access to secure systems.
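A defender's header check for the impersonation described above, as an added example that is not part of the original article. It tests two indicators chosen for this illustration (a trusted person's display name on an outside address, and a Reply-To that diverts answers to another domain); the organisation domain, the trusted names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organisation's own domain and the
# display names of people whose identity is worth impersonating.
ORG_DOMAIN = "example.com"
TRUSTED_NAMES = {"alice moreau", "raj patel"}


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return a list of impersonation indicators found in the headers."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []
    # A trusted person's name on an address outside the organisation.
    normalised = " ".join(name.lower().split())
    if normalised in TRUSTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append("trusted-name-external-address")
    # Replies are diverted to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Alice Moreau <alice.moreau@example-corp.test>\n"
    "Reply-To: payments@mailbox.test\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please process today.\n"
)
GENUINE = (
    "From: Alice Moreau <alice.moreau@example.com>\n"
    "To: finance@example.com\n"
    "Subject: Q3 budget\n\n"
    "Draft attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, bec_indicators(raw))
```

Header checks like these only raise a flag for review; a payment request still needs confirmation through a separate, already known channel.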
Authorized Push Payment (APP) scams
- A push payment is a transaction initiated and authorized by the payer, who actively sends funds to the recipient's account. This means the payer controls the transaction, determining the amount, timing, and destination of the funds. Push payments are commonly used for one-off transfers.
In an APP scam, the offender targets and socially engineers the victim into agreeing to make a ‘legitimate’ push payment from their own account to the fraudster’s account.
The scam can be initiated by targeted phishing emails saying that it’s important to get in touch with the bank at the given number, or it can be initiated with direct phone calls (vishing), asking victims to transfer money into a new bank account or pay a bill for goods and services.
Online gambling scams
With an estimated revenue of US$449.67 billion in 2025 (source: statista.com), online gambling has grown in popularity thanks to its accessibility. Scams include fake online casinos that mimic legitimate sites to steal personal and financial information, rigged games that manipulate outcomes to ensure player losses, and non-payment of winnings where casinos refuse to pay out legitimate wins.
Fraudsters also engage in bonus abuse by creating multiple accounts to claim promotional offers, using stolen credit cards for deposits, and employing phishing tactics to harvest login credentials.
Click frauds
Click fraud (or Internet advertising fraud) occurs when a pay-per-click online ad is deliberately accessed to inflate an advertising bill. Internet sites that display ads receive a small fee from the advertiser each time the ad is viewed.
Individually, they are minute payments, but they aggregate in a high-volume environment. Unscrupulous website owners employ individuals to bulk click on their ads, sometimes outsourcing to third-world countries where labour is cheap.
Premium line switching frauds
- A drive-by download is a type of cyberattack where malicious software is unintentionally downloaded and installed onto a user's device without their knowledge or consent. This can occur simply by visiting a compromised or malicious website, requiring no user interaction such as clicking a link, pressing download, or opening an email attachment. The attack exploits security vulnerabilities in web browsers, browser plugins, or operating systems that have not been updated.
Victims would find themselves infected with a virus (a ‘rogue dialler’) that would transfer their existing telephone service from the normal domestic rate to a premium line service. Modern versions of this scam are now targeting mobile phones.
Short-firm frauds
Short-firm frauds exploit online auction reputation management systems. Designed to protect bidding websites such as eBay, reputation management systems enable purchasers to rate vendors on their previous sales.
A side effect of this system is short-firm fraud, where the vendor’s reputation is artificially built up. Once a good vendor rating is acquired, a very expensive item is sold offline to a runner-up in the bidding war, and the vendor disappears once the money is sent.
Next, we will explore virtual scams.