Monthly Consumer Tips
SOCIAL ENGINEERING is the act of tricking people to obtain their personal or confidential information.
The types of personally identifiable information (PII) criminals want vary. Typically, these bad actors try to trick you and your accountholders into giving them your passwords or financial information. They also want you to unknowingly install malicious software, known as malware, so they can gain control over your computer.
Anyone can fall into the trap of cleverly designed social engineering tricks. Learning how to spot all types of social engineering attacks is the first step to avoiding being tricked.
Types of Social Engineering Attacks
Phishing: Phishing attacks occur when scammers send emails to “fish” for information. These messages are intended to look identical to ones from trusted sources like organizations and people you know.
The message attempts to use your emotions against you, instilling fear, excitement or urgency so that you reveal sensitive information by clicking on links to malicious websites or opening attachments that contain malware.
Once the malware is installed, criminals can redirect you to their controlled site to trick you into giving up your information. This is also known as “pharming”.
Vishing: This is when a scammer calls using a legitimate phone number that has been spoofed. This trick is commonly used on businesses. Scammers will contact a company’s front desk, customer service, HR or IT and claim to need personal information about an employee.
Smishing: Smishing is like vishing, but the scammer sends text messages instead of calling. Scammers purchase spoofed phone numbers to blast out messages containing malicious links.
In-Person: This occurs when a scammer tricks an employee into letting them into an area they don’t have access to.
This is also known as “piggybacking”. Scammers may dress as delivery drivers, say they forgot their ID or pretend that they’re “new” to enter a restricted area. Once inside, they can spy on people, access workstations and more.
Tips to Protect Yourself
Carefully check emails for errors.
If you receive a suspicious email, check for spelling and grammar mistakes. Also, make sure any hyperlinks and the sender’s email address match the spelling of the company they claim to represent.
Be suspicious of any messages you’re not sure of. If the email looks like it is from a trusted source, do your own research. For example, use a search engine to go to the real company’s site or a phone directory to find their phone number.
Think before you click.
Phishing emails use an enticing and emotionally charged subject line to trick you into giving them what they want. If you have a strong reaction to an email or online offer, take a minute to check in with your better judgment before proceeding.
Credible representatives will never make you feel threatened or demeaned, nor will they pressure you to act quickly. If an offer is too good to be true, look for the catch.
Don’t open email attachments from questionable sources. If you do know the sender but the message seems suspicious, it’s best to contact that person directly to confirm the authenticity of the message.
Verify the identity of anyone you don’t know personally.
If you’re unsure of a person’s true intentions, it’s best to act upon your suspicions. Even when the sender appears to be someone you know, check with your friend or coworker before opening links or downloading attachments.
Also, be suspicious of any unwanted requests for your personal information. You can directly contact the bank or credit union they are impersonating to confirm whether the contact was legitimate.
It only takes one human error to become a victim of a socially engineered attack. And this vulnerability is the reason criminals are using social engineering techniques more often.
SHAZAM, Inc. and ITS, Inc.