Avoid falling prey to social engineering scams by first knowing the signs.
In social engineering attacks, criminals attempt to manipulate their intended victims into providing sensitive information or taking some other action that could result in significant negative consequences. Attackers take advantage of human traits and vulnerabilities to get what they’re after, which may be the target’s bank account or credit card information, their login credentials, or other data the attacker can use to commit some form of fraud. In some instances, successful social engineering attacks can yield enough information to facilitate full identity theft. Learning how to recognize these attacks can help you avoid becoming a victim.
Social Engineering Attack Methods
To interact with their potential victims, scammers use malicious websites, text messages, and most commonly, email. In some cases, they make contact with targets by phone or trick targets into calling them. Bad actors also use social media to find targets and initiate communications. At a time when many are avoiding social gatherings and are instead seeking companionship online, criminals also have increased their usage of romance scams, infiltrating dating sites to find new targets.
4 Common Signs of a Social Engineering Attack
Knowing what to look for can help you avoid becoming a victim. Watch for these 4 indicators in the messages or other communications you receive:
1. The message conveys a sense of urgency.
Scammers try to instill fear or a sense of urgency to compel their victims to do something without thinking about the potential consequences of their actions. For example, an email may appear to be from a law enforcement agency and may include a threat to arrest the recipient if he or she does not provide credit card information to pay some fine. Or a message might inform the recipient that their bank account has been compromised and direct that person to a malicious site to change their account credentials immediately before their funds are stolen.
2. The message contains a request that is unusual.
Most scammers try to get their targets to do something that is out of the ordinary, like make a wire transfer, buy a prepaid debit card and provide the card information to the scammer, provide sensitive personal data, or install an application. In some cases, hackers take control of someone’s email account, then send these types of messages to people in the victim’s contact lists. The email might appear to be from a trusted source but will ask the recipient to do something unusual.
3. The message requests that you provide login credentials or other personal data.
Scammers will call out of the blue claiming to be “tech support” and asking to remotely log into your computer. Providing account credentials that allow a criminal to do this could expose sensitive personal data. Similarly, clicking a link and going to a site to enter your bank account or other credentials could result in a significant financial loss.
4. The message includes at least one attachment or link.
Scammers usually include attachments or links in their phishing emails, hoping that you’ll fall for the bait and click without thinking. Opening those attachments or clicking on those links will infect your device with malware and/or provide the attacker with remote access to your computer, and thus, all your data and networked resources. Clicking on a link could also take you to a malicious site that may look legitimate, but is, in fact, a fake site designed to get you to enter your credentials. You should never open attachments or click on links unless you know the sender and you were expecting such attachments or links. When in doubt, get the sender on the phone – talk with them in real life – to verify that the email (and links or attachments) are legit.
5 Ways to Protect Against Social Engineering Attacks
1. Don’t act in haste.
No matter how urgent a request seems, stop and consider whether the email seems unusual (like the examples above) and consider the potential consequences. If a suspicious email appears to be from someone you know and trust, from your bank, or from some other organization you do business with, call that person or entity using a number you know to be correct and not one provided in the email or text message. If you find that the apparent sender did not send the message, provide them with details so they can investigate. Beware of the “family in need” scams where perpetrators will pretend to be a family member or contacting you on behalf of a family member who is at risk of being incarcerated or needs urgent medical care. Legitimate law enforcement and/or medical personnel would never contact you in such a manner.
2. Don’t click on unfamiliar links or open unexpected/unknown attachments.
Never – and we mean never, ever– click on links or open attachments unless you know for certain the source. A staggering number of ransomware events and other security events start with a single mindless click. If you get an email from someone you know, but with a link or attachment that you were not expecting, pick up the phone and give the sender a call on a known number first. (Don’t use the contact information in the email, as it may be fake and part of the scam too.)
3. Don’t accept unknown social media friend requests.
You should only accept friend requests from people you know. If someone you don’t know says they were referred to you by someone you do know and trust, confirm with the person cited as the referral source. It’s easy for a scammer to find someone in your office or a member of one of your social groups and cite that person to you as a referral. Don’t just blindly trust that – check it out first to be safe.
4. Take extra care on dating sites.
If you use dating sites, beware of individuals who seem to be rushing you into an online relationship, especially if they make promises to meet in person but then always cancel at the last minute. Never agree to send money or gift cards to someone you meet online, even if they claim to be in some sort of jam and need help right away.
5. Just hang up.
If you receive a suspicious phone call from someone who tries to convince you to provide sensitive information or pay some fine or fee, just hang up. If the caller claims to be representing some company or agency and you want to find out if there is an issue you need to resolve, call that entity using a number you get from the entity’s website. Rest assured that the IRS, law enforcement and other such agencies will never call you out of the blue and demand your sensitive information or some unexpected payment. If you ever get a call like that, just hang up (and block the number on your phone if you can).
Cybercriminals are deepening their bag of tricks and becoming increasingly skilled at taking advantage of our tendencies as humans to grow careless out of familiarity, to act hastily out of fear or anxiety, or to be too trusting. The steps outlined above are relatively simple and require only consistent and vigilant awareness. Following these recommendations will help you avoid becoming a victim of social engineering scams.
It’s important that you remain skeptical – and always think before you click. A little effort to verify the source of any unexpected request, link or attachment before you act can save you untold headaches, financial losses and more.
If you think you have been scammed by a malicious actor, you can contact your local law enforcement and/or report your incident to the Federal Trade Commission (ReportFraud.FTC.gov), which collaborates with law enforcement agencies to prosecute these criminals and help victims recover.
As always, BIA also can help. Our cyber experts specialize in services that address and remediate digital risks, including social media investigations, data breach discovery, and deep web/dark web investigation. We invite you to reach out today.