Cybercriminals use social engineering every day to attempt to hack into people’s personal information. Social engineering preys on the human condition to gain trust, manipulate people and get people to willingly give out personal information. In general, there are three major ways that cybercriminals use social engineering to steal your info.
Phishing emails are one of the most prominent ways that information is stolen. This side of social engineering has been around nearly as long as email has, and it’s guaranteed that anyone with an email account has seen at least one of the many phishing scams that come from cybercriminals.
Perhaps a Nigerian Prince would like to wire you a ton of money because his inheritance is wrapped up in the bank for some reason. All you need to do is pay a few fees to receive the money and you get to keep a portion of his millions.
Totally legitimate right? Or maybe the bank needs you to confirm your account number and social security number because of an “account breach”. Why not, right? The bank is a legitimate business, it must be real, even the email looks real.
Better yet, wouldn’t you love to be a secret shopper? Receive a check for $1000, cash it, and perform a job. Innocent enough, right? Not after you wire initial fees and attempt to cash a bad check.
These are just some of the ways social engineers prey on unsuspecting and trusting people. If sending money or willingly giving up information isn’t involved, then there is usually malware within the email. The links in the email deploy malware that infects your computer, encrypts or corrupts your files, and harvests information about you. It’s amazing how prevalent these scams are.
Posing as Someone You Know
Another email scam involves cybercriminals posing as someone in your company, particularly the CEO or someone high up in the finance department. They send an email that looks like it’s from your boss asking you to do something quickly or to process a purchase order (PO) immediately. Usually, something about the sender’s email address will be a bit off, if you’re paying attention.
Letters are swapped around or a .net becomes a .com at the end of the email. As soon as you open it or click on a link, malware infects your computer.
This scam is usually highly effective because it gets sent to everyone in the company, and people often take it as important because it came from the “boss”.
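As an added illustration (not code from the original post), here is a small Python check that flags a sender address whose domain is a lookalike of the company’s real domain, covering the two tricks the post mentions: swapped letters and a swapped ending such as .net for .com. It goes one step further with a similarity ratio that also catches single-character substitutions. The trusted domain example-corp.com and the sample addresses are constructed placeholders.

```python
from difflib import SequenceMatcher

# Constructed placeholder for the organisation's real sending domain
# (an assumption for this example, not a value from the original post).
TRUSTED_DOMAINS = {"example-corp.com"}

def sender_domain(address: str) -> str:
    """Return the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(">")

def split_domain(domain: str):
    """Split 'example-corp.com' into ('example-corp', 'com')."""
    name, _, tld = domain.rpartition(".")
    return name, tld

def is_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one swap of two adjacent characters."""
    if len(a) != len(b):
        return False
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])

def classify_sender(address: str) -> str:
    """Label a sender as trusted, a lookalike of a trusted domain, or external."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name, tld = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        tname, ttld = split_domain(trusted)
        if name == tname and tld != ttld:
            return "lookalike:tld-swap"          # example-corp.net vs .com
        if is_transposition(name, tname):
            return "lookalike:transposed"        # exmaple-corp vs example-corp
        if SequenceMatcher(None, name, tname).ratio() >= 0.85:
            return "lookalike:similar"           # examp1e-corp vs example-corp
    return "external"

if __name__ == "__main__":
    # Constructed sample senders, as a mail filter or awareness tool might see them.
    for addr in ["ceo@example-corp.com", "CEO <ceo@example-corp.net>",
                 "ceo@exmaple-corp.com", "cfo@examp1e-corp.com", "vendor@supplier.org"]:
        print(f"{addr:32} -> {classify_sender(addr)}")
```

A mail gateway rule or an awareness tool can use the non-"trusted" labels to tag or quarantine messages that claim to come from the boss but do not come from the real domain.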
The most obvious way to pose as someone you know is through copycat Facebook profiles. Cybercriminals use this prominent scam to trick people into thinking they are receiving a friend request from someone they know. The profile will often contain a few photos from the original person’s profile, so it looks a tad more real. As unsuspecting friends add this profile, it begins to look more legitimate because of similar friends and associates.
This profile can ask for money or send links containing malware to infect your computer, or even corrupt your Facebook profile by gaining access to personal information.
Finally, a newer way for cybercriminals to target people is through advertisements. Considering ads are pretty much everywhere online now, creating malicious ads that deliver ransomware is incredibly easy, and such ads are difficult to spot among the hundreds of ads people see every day.
For this type of social engineering, cybercriminals literally deploy ad campaigns showcasing a product or a service. When you click on the ad, it downloads malware or ransomware onto your computer. Most of the time these ads are for anti-virus software, or a pop-up will come on your computer saying your computer has been infected and instruct you to click the link to clean the virus. Tricky, tricky cybercriminals.
The key to spotting these three general social engineering styles is to become educated on them and keep an eye out for anything that seems off. If something seems strange or wrong, avoid it until you are certain it is safe. Try not to click on any links inside of emails unless you confirm and absolutely trust the sender.
If you’re asked to click a link and update account info, type the web address of the real site into your browser rather than clicking the link. If you get a friend request from someone, look over their profile and ensure it’s real.
Check out their friends, photos, and posts to ensure they aren’t fake. Check to see if you already have that friend on your list. Finally, don’t trust any anti-virus pop-ups or ads. Stay safe out there!
Security Awareness Training
Through a Managed Service Provider (MSP) there are other solutions that can be implemented to improve your business’s chances of avoiding a data breach. As mentioned in many of our other blogs, human error is one of the greatest causes of cyberattacks. Although unintentional, one wrong click by an employee could potentially expose you to some kind of malware. You could lose money, sensitive information, and your reputation.
So, what is the best way to help your team avoid these attacks? There are a number of extremely effective managed security solutions, but Security Awareness Training directly coaches your employees.
This solution involves sending simulated phishing emails to your company’s staff. If one of them clicks a malicious link or downloads an unknown file, they are redirected to a landing page explaining why this would cause a breach and how they can avoid the mistake in the future. These employees continue to be phish-tested until they pass.
Although a layered approach is best, this is one important solution that helps you and your team members.
If you’d like to learn more about social engineering and other managed security solutions, contact The TNS Group today.