
Selfie Scam: how criminals use social engineering to bypass facial recognition

Digital scams have become ever more sophisticated over the last few years. One of the schemes that most concerns information security experts is the so-called Selfie Scam.

This form of fraud uses social engineering to deceive victims, gain unauthorized access to bank accounts and personal data, and even make fraudulent transactions.

To avoid falling victim to this type of illegal act, it is crucial to understand how it works and how to protect yourself. Let’s take a look!

How does the selfie scam work?

In the selfie scam, criminals are able to bypass identity verification through facial recognition—an authentication mechanism increasingly common in banks, fintechs and online services.

It all starts when scammers discover victims' personal data, either through online leaks or by analyzing data exposed on the internet. From that point, equipped with some information, they make initial contact with the victim via phone or app message, and then impersonate a financial institution, company or even a government service.

The approach 

The reason for initial contact generally follows two key strategies:

  • Prize scam: scammers claim that the victim was awarded a prize or gift. According to the Brazilian Federation of Banks (Febraban), common tricks include basic food baskets or social security benefits.

  • Account issue: the victim is pressured to urgently address an issue related to their account in order to avoid potential losses or difficulties.

The criminals' next step is to use the collected data to gain the victim's trust. During the communication, they mention full names, document numbers and even bank details to convince the person that the requests are legitimate.

The application of the scam

Claiming a need to update the victim's registration details or verify their identity, thieves ask the victim to send a selfie holding an official document (such as their ID number or driver's license). In some cases, they also ask for a video in which the victim needs to follow specific instructions, such as blinking or saying a certain phrase.

With the personal information and the selfie with the document in hand, the scammers are able to impersonate the victim and open or access bank accounts, apply for credit and make transfers—all in the name of the person who has been deceived.

How can you protect yourself from the selfie scam?

To make sure you don't fall for this and other scams, adopting proper digital security practices is vital. Recommended protection measures include:

  • Be wary of unexpected contacts: legitimate banks and businesses don't request selfies or videos via messaging apps or social networks. 

  • Verify the source: if you receive such a request, contact the institution directly through their official channels.

  • Never share sensitive data: avoid sending photos of documents or selfies to strangers or through unverified channels.

  • Monitor your accounts regularly: be aware of suspicious transactions and, at the slightest sign of any irregularities, contact the institution involved immediately.

  • Educate yourself and warn colleagues and family: the more people know about the scam, the more difficult it will be for criminals to pull it off.

The selfie scam is a real and growing threat that takes advantage of victims' trust and lack of information to gain access to sensitive data. As with other forms of social engineering, the best defense is awareness.

Keeping an eye on how the scam works and adhering to good security practices can prevent criminals from causing financial and personal harm to individuals and businesses. The key to fighting digital crime is having everyone actively involved!

Would you like to strengthen your company against the selfie scam and other forms of social engineering? Hacker Rangers uses an innovative gamification system to promote a cybersecurity culture among your employees. Try the platform free for 15 days!