What is Social Engineering?
One of the most common methods of fraud is social engineering. This refers to a calculated deception that targets people in order to obtain sensitive information relative to their business, identity, or finances.
There are two main categories of social engineering: (a) Mass Fraud, which is mostly comprised of basic techniques meant to scam a high quantity of people; and (b) Targeted Fraud, which is a highly-specialized method of fraud that singles out a specific individual or company.
The majority of these schemes follow the same general path. It begins usually with gathering information on a topic or target. Once enough information about the target has been obtained, scammers can focus on developing a false sense of security and trust with their target. In cases of mass fraud, this could look like replicating the design of a Netflix customer service email, or in targeted fraud establishing enough of a friendly rapport with an individual over the phone that they feel comfortable providing more and more information. Once this has been established, scammers can exploit any of the identified vulnerabilities and ultimately execute the scam.
Social engineering works because it preys on our instinct to trust.
Let’s say you are at work and receive a call or email from a “colleague” asking for some sort of account number or other piece of information related to the business. If you haven’t had any training on your company’s confidentiality policy, you might not think twice about providing this person the information they ask for. After all, they might seem trustworthy, or talk about things in a way that would give you no reason to suspect they aren’t a fellow coworker. That’s because they have meticulously studied how to prop up the illusion.
These types of attacks are common; all you need to do is look at the news to find examples. Just recently it was found that hackers connected to the Russian government were impersonating US State Department employees and sending emails with downloadable attachments. These attachments would then install software that could provide the hackers access to internal systems.
These fraud attempts aren’t just work-related. They can target you at home, too.
The Internal Revenue Service (IRS) of the United States just issued a warning about a new tax related scam. A surge of emails recently have been impersonating the IRS and using “tax transcripts” as bait to trick users into opening documents that contain malware. The malware behind this scam, Emotet, has been historically associated with posing as financial institutions in order to encourage people to download the malicious attachments. The IRS has recommended that if you have received one of these emails to delete it or forward it to email@example.com.
So how can you protect yourself?
Individuals can take the time to be vigilant of unfamiliar calls and emails. Sometimes social engineering won’t be a singular attempt. It could be repeated calls over years that slowly harvest the information needed to execute a scam. When in doubt, you can double check with the source, and avoid providing personal information. Meanwhile, companies can develop a guide for handling sensitive information to avoid blunders with fake employees. With sufficient training, employees can be taught to recognize different types of fraud and have an established plan for handling it should they come across it.
This article was written by Kristina Weber of Centry Global. For more content like this, subscribe to our blog and follow us on Twitter @CentryLTD!