How to Counter Social Engineering 101
You’ve gotten those calls - we all have. “Hi, this is Jerry from your bank. We’d like to talk to you about your account, but we need you to verify some information. What is your account number?” Or the robocall from your health insurance provider, “Hi, this is Healthy-Times Insurance. We need to advise you about your appointment/medical condition/payment, but first we need to make sure it’s you. Please provide your member number.” With email being used in business more than ever, these scams are evolving rapidly, and they’re getting harder to identify as fraudulent.
The two main types of email scams being used in today’s environment are Phishing and Spear Phishing.
Phishing is the generic approach. Scammers will choose an online service like Google Drive or Dropbox and craft an email that looks legitimate, asking you to look at a document.
If you click on the link (“Open in Docs” in this example), it will take you to a website pretending to be the website you expect (Google, in this example), where you will be asked to put in your credentials. If you enter your login information, the response will either be a blank page or a message suggesting you entered the wrong information. In reality, this link would never have taken you to a document; you have just handed over your credentials to the scammer who sent the fake email.
Spear Phishing is similar, but the scammers will often do a small amount of research to make you, the target, feel like the email is coming from a trusted source. The scammer will go onto LinkedIn, to your website, and any other websites they can find that contain specific business information or connections. They will choose someone with authority (CEO, CFO) and pretend to be that person.
This makes the message seem more legitimate, and encourages the victim to ignore other red flags.
Let me be clear: This Will Happen To You. Everyone who uses a computer will be targeted by some form of phishing eventually. No matter how safely you surf, at some point you will encounter this. Here’s what you need to look for to avoid being a statistic.
If you suspect the source isn’t legitimate:
1) Check the sender information carefully. Often these emails will be sent from lookalike addresses (Goog1e.com, Out1ook.com) or sometimes from completely unrelated addresses.
2) Check the links before you click them. You can hover your mouse over any hyperlink and it will display the destination URL.
3) Don’t open unexpected attached files, or attachments from questionable sources. If you can’t avoid opening such files, be armed with information. The riskiest files are PDFs and Microsoft Word and Excel documents, as they can carry embedded code that installs malware (viruses, keyloggers, ransomware). Often, infected files are easy to spot because your software warns you in time to avoid enabling the malicious code. However, scammers will often try to get you to bypass these warnings by suggesting the document is “protected” or “confidential.”
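As an added example (not part of the original article), here is a small Python script that automates checks 1 and 2 on a constructed sample message: it flags sender and link domains that imitate a trusted domain through digit-for-letter swaps such as Goog1e.com, and links whose visible text shows one address while the underlying href goes somewhere else. The TRUSTED set, the anchor regex and the sample message are assumptions for the demo.

```python
import re
from urllib.parse import urlparse

# Domains the reader already trusts (assumed list; substitute your own).
TRUSTED = {"google.com", "outlook.com", "dropbox.com"}
# Digit-for-letter swaps seen in lookalike domains such as Goog1e.com / Out1ook.com.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
# Simple anchor matcher for plain HTML mail; use a real HTML parser on production mail.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Naively reduce 'docs.google.com' to 'google.com' (keeps the last two labels)."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(domain):
    """Trusted domain that `domain` imitates via digit swaps; None if genuine or unrelated."""
    if domain in TRUSTED:
        return None
    fixed = domain.translate(HOMOGLYPHS)
    return fixed if fixed in TRUSTED else None

def check_email(sender, html_body):
    """Return the warnings a reader should see before trusting the message."""
    warnings = []
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    if fake := lookalike_of(sender_domain):
        warnings.append(f"sender domain {sender_domain} looks like {fake}")
    for href, text in ANCHOR.findall(html_body):
        host = registrable(urlparse(href).hostname or "")
        if fake := lookalike_of(host):
            warnings.append(f"link to {host} looks like {fake}")
        # The "hover over the link" check: a URL written in the link text that
        # does not match where the href actually goes.
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and registrable(shown.group(1)) != host:
            warnings.append(f"link text shows {shown.group(1)} but goes to {host}")
    return warnings

# Constructed sample: a fake "document shared with you" notice, not a real message.
SAMPLE_SENDER = "drive-share@goog1e.com"
SAMPLE_BODY = (
    '<p>Jerry shared a document with you.</p>'
    '<a href="https://docs.goog1e.com/open">Open in Docs</a> '
    '<a href="http://login.example.net/x">https://www.google.com/drive</a>'
)

if __name__ == "__main__":
    for w in check_email(SAMPLE_SENDER, SAMPLE_BODY):
        print("WARNING:", w)
```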
If the contact appears to be someone you know, asking for something out of the ordinary (like banking details) or suggesting you click on a strange link, do not respond to the email and do not use the contact information in the email. You should find a phone number that is known to be valid (address book, online search) and contact them to ensure they are the original sender. Email accounts get compromised every day, and even an email from a correct, known address can be a dangerous attempt at phishing. If the email suggests Pending Account Closure or Outstanding Account Balance, do not trust the links provided in the email. Navigate to the web address you know is legitimate or contact the business via a number found on their website.
If you are unsure, always use diligence and double check. Watch out for:
- Urgency (Act Now!, 24 hours to respond!)
- Unexpected files or links
- Generic requests (“Check this out”)
- Bad grammar (but this is not always the case)
If you missed the red flags and gave out information, don’t panic! Immediately change your email password, and the passwords to any accounts you mistakenly entered on a malicious website.
If you open an infected document, shut down your computer immediately (even if you have to just turn it off at the switch) and disconnect it from the network.
In both cases, contact your IT professionals to help you assess and mitigate possible exposure.