Social engineering is nothing new, but it has become much more common as so many people are telecommuting, distance learning, and shopping on-line because of the COVID-19 pandemic.
Social engineering attackers use stress-inducing methods to prey on us. The stress we are all already feeling during the pandemic gives attackers a foundation that makes it easier to take advantage of us.
By definition, social engineering is a psychological attack in which the attacker manipulates you, in a variety of ways, into taking some action that you shouldn’t. The most common methods of attack are email (phishing), text messages (SMiShing), and telephone calls (vishing).
A caller may tell you that your Social Security number has been hacked or that a family member is in trouble and needs your financial assistance. At face value, calls like these can send you into panic mode, and that’s exactly what the attacker is hoping for. The caller’s goal is to get financial and personal information that they can use to steal your money or your identity. When you’re panicked, you may not take time to think before you act.
Some common email scams include a seemingly innocent email from a coworker (usually a superior) asking you to take care of something for him or her. When you get an email from the CEO, your first tendency is to act quickly – after all, it is the big boss. Again, that’s what the attacker is hoping for.
Another email example is some kind of notice or invoice from a common carrier like UPS, USPS, or FedEx that needs your attention and will ultimately ask for information that you shouldn’t be providing. Between holiday shopping and the general tendency to shop on-line because of the pandemic, these are particularly common right now.
You may receive a text providing a link and telling you that your bank account has been breached. You might be instructed to click the link to get more information. The only one getting more information is the attacker thanks to whatever malware that link turns loose on your phone.
Tell-tale signs of social engineering scams:
- A sense of urgency that makes you feel like immediate action is required
- A request for private information
- A text that indicates some kind of security breach or compromise
- An unusual email address from the sender.
  - A coworker or some other professional or government entity would have an address that reflects their organization (@otelco.com, @us.gov, etc.).
  - WARNING: sometimes the email address will even look legitimate, so look very closely for a misspelling or another barely noticeable deviation.
- Emails with unfamiliar attachments or links are very dangerous and are designed to make you click the link or open the attachment. Either can be a delivery method for viruses and other malware.
- Something that looks too good to be true probably is. As much as you’d like it to be true, you probably haven’t won thousands of dollars in some drawing or contest that you didn’t even enter.
- Curiosity can get the better of you when an email from a delivery service appears. Is it a package that you sent? Better yet, is it a gift on its way to you?
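The sender-address sign above (a domain that is misspelled, uses look-alike characters, or buries a trusted name inside another domain) is one that can be checked mechanically before you act. The script below is an added example, not part of the original article: it compares a sender's domain against a small allow-list and reports whether it is trusted, a look-alike, or simply unknown. Only otelco.com and us.gov come from the article; the carrier domains, the confusable-character table and the sample addresses are constructed for illustration.

```python
import unicodedata

# Constructed allow-list. "otelco.com" and "us.gov" appear in the article; the
# carrier domains are added as illustrative, widely known examples.
TRUSTED_DOMAINS = ("otelco.com", "us.gov", "fedex.com", "ups.com", "usps.com")

# Character substitutions commonly used to imitate a domain (constructed table).
# Multi-character entries are applied before single-character ones.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, and fold confusable characters."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for needle, repl in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(needle, repl)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain part of 'Name <user@host>' or 'user@host', or '' if malformed."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify_sender(address: str) -> str:
    """
    Classify the sender's domain as:
      'trusted'   - a known-good domain or one of its subdomains
      'lookalike' - imitates a known-good domain (confusable characters, a
                    one-character misspelling, or a trusted brand buried in
                    another domain)
      'unknown'   - none of the above; verify through an independent channel
    """
    domain = sender_domain(address)
    if not domain:
        return "unknown"
    # Exact matches are checked first so that trusted domains that happen to be
    # close to each other (ups.com / usps.com) are never reported as look-alikes.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    folded = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        t = normalize_domain(trusted)
        if folded == t or folded.endswith("." + t):
            return "lookalike"      # same only after folding: 0telco.com, fedex.corn
        if edit_distance(folded, t) <= 1:
            return "lookalike"      # one-character misspelling: fedx.com, ups.co
        brand = t.split(".")[0]
        if len(brand) >= 4 and brand in folded.replace("-", ".").split("."):
            return "lookalike"      # brand buried elsewhere: fedex.com-tracking.net
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders for a quick demonstration.
    for sample in ("hr@otelco.com", "hr@0telco.com", "billing@fedex.corn",
                   "Tracking <alerts@mail.fedex.com>", "delivery@fedex.com-tracking.net",
                   "ceo@gmail.com"):
        print(f"{sample:40} -> {classify_sender(sample)}")
```

An "unknown" verdict is not a clean bill of health: it simply means the address matches nothing on the list, which is exactly the case in the article's CEO-from-Gmail scenario, so the independent-channel check described later still applies.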
How to protect yourself from social engineering attacks:
First of all, if a call or email seems even a bit unusual, take a deep breath and think for a few seconds:
- Does the Social Security administration even have my phone number or email address?
- Does the Post Office, UPS, or FedEx have my contact information – at work, too?
- Did I send or am I expecting a package?
- Does the sender’s email address look legit?
- If it’s a phone call, what does the caller ID say?
- Are any of my close family members or friends traveling somewhere they might need my assistance? And if so, wouldn’t they call me themselves?
- Why would my CEO be writing to me from a Gmail account on a Sunday afternoon or at 3 AM?
- If your bank or credit card company had concerns about your accounts or identity, would they text you, or would they want to talk to you so that they could confirm your identity with all those security questions you set up?
The bottom line here is: don’t take any action or engage with a questionable caller, text, or email.
What about that nagging question, “What if this is legitimate?”
Here are a few safe ways to find out.
- Contact the entity yourself using a published phone number or contact email from their website, which you access from your browser, NOT by clicking a link in the email they sent you.
- If you’re concerned about a family member, call them or another member of their household.
- If you really think your boss’s boss’s boss is trying to reach you, first make your IT department aware of the suspicious email you received, then send an email from your official work account to your boss’s boss’s boss’s official work account to ask whether he or she was really looking for you. DO NOT forward the suspicious email unless your IT department asks you to do so.
Just a couple of months ago, we provided a list of tips for protecting yourself from scams. Check it out to make sure you’re doing all you can.
The Do Not Call Registry can help reduce unwanted phone calls.
The Federal Trade Commission (FTC) also has some great information about different scams.