Shield Your Business: How to Outsmart Social Engineering Scams

Apr 29, 2024 | Cybersecurity Corner, Small Business Bulletin

Understanding Social Engineering Scams

Have you or a family member ever been contacted by someone claiming to be from your credit card or insurance company? Was the person able to confirm basic information, but for “security” purposes needed you to confirm sensitive information such as your Social Security number, security question, or password? If this seems familiar to you, I’m sorry to say that you or your relative was the victim of a social engineering scam.

In today’s digital age, where almost everything about an individual can be found at the click of a button, we must be more conscious and more careful in how we use and disseminate our information. Social engineering attacks aren’t purely cyber-attacks. They are about the psychology of persuasion: they target the victim’s mind with the intent of getting them to lower their guard.

Start-ups and small businesses, in particular, are prime targets for these attacks. Smaller businesses are often not equipped with a large IT or cybersecurity response team, which makes them seem like easier targets. According to a 2021 report by PurpleSec, approximately 98% of cyberattacks involve some form of social engineering. Perpetrators exploit the trust between their victims and the organization they are impersonating.

In this article, we’ll delve into the sneaky realm of social engineering fraud, exposing the typical tricks employed and providing crucial advice on how to protect your company from these dangers. As we examine and expose the different tactics of the trade, we’ll be arming you with the knowledge to counteract the con artists. From spear phishing attempts to broad phishing attacks, we’ll examine the most common tactics used by fraudsters to deceive their targets. Knowledge alone isn’t enough; we’ll also discuss how to apply that knowledge and the crucial role that employee training plays in helping to protect your business.

Common Types of Social Engineering Scams

Social engineering in cybersecurity is the activity of influencing someone into handing over sensitive information. As a result of the growing popularity of these scams, we’ve all encountered them in some shape or form.

The main ingredient in a social engineering scam is the victim: you. While avoiding these scams isn’t overly difficult, the problem is that many individuals aren’t aware of the signs that accompany the different types of social engineering scams. Many people don’t even know that they are being drawn in, hook, line, and sinker. To avoid getting caught by the most frequently used methods, let’s review some cases:

Phishing Attacks

Phishing is the practice of cybercriminals tricking victims, typically through fraudulent email, into divulging private information for malicious purposes. It is one of the most frequently used attacks.

There are many different types of phishing attacks:

  • Email Phishing
    • Attackers pose as trustworthy entities and send bogus emails intended to trick recipients into divulging sensitive information like passwords or bank account details. These emails are often littered with spelling and grammar errors and convey a sense of urgency. Often there is no specific recipient named in the email.
  • Spear Phishing
    • This is a targeted phishing tactic where the attackers craft communications tailored to specific individuals or businesses. They typically gather personal details about the target to boost the credibility of the phishing attempt. This tactic usually exploits the trust of an individual or business by sending fake emails from an apparently credible source requesting information above the recipient’s pay grade.
  • Vishing (Voice Phishing):
    • Attackers use phone calls to deceive people into providing sensitive information or engaging in specific actions. They may imitate reputable institutions such as banks or government agencies.
  • Smishing (SMS Phishing):
    • SMS phishing works similarly to email phishing. Attackers send fake messages with links or ask for sensitive information, it is common for them to imitate credible organizations.
  • Clone Phishing:
    • The attacker creates a replica of a legitimate business website or email, making only minor changes that the average person wouldn’t notice. These changes often include misspelled email addresses, incorrect domain names, hyperlinked text that points somewhere other than where it claims, and slightly different fonts and colors on websites.
  • Whaling or CEO Fraud:
    • This tactic is aimed at prominent individuals or executives within organizations. Attackers impersonate CEOs or other leaders to trick employees into transferring money or exposing sensitive information. An example of this is the gift card scheme, in which the attackers impersonate the CEO, claim to be in a customer meeting, and instruct employees to purchase gift cards supposedly for the customer. Again, this tactic leverages the trust within an organization. It is therefore important to be aware of the rules surrounding the use of personal email addresses, because attackers often imitate individuals through fake personal email accounts or send messages from a look-alike domain.
  • Search Engine Phishing:
    • Hackers build phony websites that are tailored to show up as trustworthy results in search engines. When users click on these links, they run the risk of unknowingly entering sensitive information like login passwords. These websites were usually poorly made, but as technology has advanced they have become more convincing. They also typically offer once-in-a-lifetime opportunities and/or discounts such as free products, free vacations, investment opportunities, job offers, etc.
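The indicators listed above (a look-alike sender domain, an executive’s name on an outside email address, no named recipient, urgency language, and link text that shows one domain while the link goes to another) can be turned into a simple triage check that a small business can run over inbound mail before anyone acts on it. The script below is an added example written for this article, not code from the original post or from any vendor it names; the company domain, the executive roster, the urgency word list, and the three sample messages are all constructed for illustration.

```python
"""Flag the phishing indicators described in the article in a raw email.

Added example for illustration. TRUSTED_DOMAIN, EXECUTIVES, URGENCY and the
SAMPLE_* messages are constructed assumptions, not data from the article.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-corp.com"            # assumption: our own mail domain
EXECUTIVES = {"jane doe", "john roe"}          # assumption: names scammers may impersonate
URGENCY = ("urgent", "immediately", "right away", "within 24 hours", "act now")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small non-zero values indicate a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname (crude; a real tool would use the public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def text_body(msg) -> str:
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw: str) -> list:
    """Return the names of the indicators found in one raw RFC 822 message, in check order."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    found = []
    if sender_domain and sender_domain != TRUSTED_DOMAIN:
        if 0 < edit_distance(sender_domain, TRUSTED_DOMAIN) <= 2:   # clone phishing
            found.append("lookalike_sender_domain")
        if name.strip().lower() in EXECUTIVES:                       # CEO fraud
            found.append("executive_name_external_sender")
    if not msg.get("To"):                                            # bulk email phishing
        found.append("no_specific_recipient")
    body = text_body(msg)
    if any(word in body.lower() for word in URGENCY):                # pressure to act
        found.append("urgency_language")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:                               # link text vs. real target
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
        host = urlparse(href).hostname or ""
        if shown and host and registrable(shown.group()) != registrable(host):
            found.append("link_text_domain_mismatch")
            break
    return found


# Constructed sample messages (not real mail).
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@webmail.example>
To: bob@example-corp.com
Subject: Quick favor
Content-Type: text/plain

Bob, I am in a customer meeting and need gift cards right away.
Buy them and send me the codes immediately.
"""
SAMPLE_CLONE = """\
From: IT Helpdesk <helpdesk@exarnple-corp.com>
Subject: Password expiring
Content-Type: text/html

<p>Your password expires within 24 hours. Verify at
<a href="https://example-corp.com.account-verify.example/login">www.example-corp.com/login</a></p>
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: Agenda
Content-Type: text/plain

Attached is the agenda for Thursday. See you then.
"""

if __name__ == "__main__":
    for label, raw in [("ceo fraud", SAMPLE_CEO_FRAUD), ("clone", SAMPLE_CLONE), ("legit", SAMPLE_LEGIT)]:
        print(label, phishing_indicators(raw))
```

The check order is deliberate: sender identity first, then recipient, then content, so a message that fails on the sender line can be escalated before anyone reads the body. None of these indicators is proof on its own (an executive may genuinely write from a personal address), which is why the function returns the full list rather than a verdict; the `registrable` helper is a two-label heuristic and will misjudge domains such as `co.uk`, so a production filter should consult the public suffix list instead.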

In 2021, AdvisorSmith conducted a survey of 1,122 small business owners and their managers to better understand their experiences with the rise in cyber attacks and how they are handling them. The result? 41.8% of small businesses that responded to the survey experienced cyberattacks sometime during that year. Phishing attacks were the most common; 23.7% of all the attacks reported were phishing attacks. Spear phishing was more successful than other forms of phishing.

More small businesses than ever were concerned about cyberattacks – a reported 69% were worried they may be attacked within the next year. Many tried to think ahead and protect themselves with 72% implementing cybersecurity measures, but only 15.9% regularly train their employees on cybersecurity, which is considered to be the best measure to prevent employees from falling for phishing scams.

Tech Support Scams

Have you seen the movie The Beekeeper with Jason Statham? Do you remember how in the movie Statham’s character gets revenge for a victim who committed suicide after losing everything in a tech support scam? Would you be able to live with yourself after losing everything because you were tricked? Of those surveyed by the Financial Industry Regulatory Authority (FINRA) in 2015, nearly half (47%) stated they were too trusting, and 61% blamed themselves for the crime. Most expressed feeling hurt, remorseful, deceived, powerless, and ashamed.

In tech support scams, con artists impersonate customer service or tech support agents from respectable, well-known tech firms. They might contact their targets via phone, email, or text message, offering to fix problems like hacked bank accounts or emails, computer viruses, or software license renewals. Ultimately they take control of victims’ computers and money by persuading them that their bank accounts have been compromised and that they must transfer their money.

Victims are frequently instructed to move their money from bank or brokerage accounts to cryptocurrency exchanges via wire transfers or to move the contents of their cryptocurrency wallet to a different wallet to protect it. Scammers often fabricate realistic support websites to trick cryptocurrency owners into contacting them directly and giving up control of their accounts or providing login credentials. According to an article published by FBI Boston’s Setera on October 18, 2022, the number of individuals falling for this tactic is steadily increasing and so are their financial losses. 23,903 people nationwide reported losing more than $347 million in 2021 as a result of tech support scams, a 137% increase in losses over the previous year. Nearly 60% of victims said they were older than 60 and victims in this age group suffered 68% of the reported losses. 

In the real world, there is no beekeeper to get revenge or to help us get back our money. Social engineering scammers are rarely, if ever, caught. Reasons include, but are not limited to, the following:

  • Underreporting – Many victims are embarrassed or ashamed, some may not even realize that they were scammed.
  • Global Nature of the Scams – Attackers can operate from anywhere across the globe, which gives them the flexibility to work remotely and makes them harder to trace if they know how to effectively cover their digital footprints.
  • Advanced Technology – Attackers often use sophisticated techniques to cover their tracks, including forging phone numbers, employing anonymizing software, or using cryptocurrencies to launder money. It can be more difficult for law enforcement to locate and capture them as a result of these technical obstacles.

Real-World Examples and Case Studies

The Twitter Phishing Case of July 2020

Several Twitter employees fell prey to spear phishing attacks in July 2020, which gave the attackers access to Twitter’s administrator tools. To get credentials from remote Twitter workers, the perpetrators pretended to be Twitter IT staff and sent emails to and called those workers. Using the compromised accounts, the cybercriminals gained access to the administrator tools and used them to reset the Twitter accounts of numerous high-profile individuals and companies, including Elon Musk, Barack Obama, Jeff Bezos, Apple, Uber, and many more, and to post fraudulent messages requesting donations in Bitcoin. Because of the massive following of the hacked accounts, many of their followers went ahead and donated as requested. Fortunately, the messages were soon noticed by the media and removed from Twitter. This attack served to emphasize the importance of implementing cybersecurity protocols and user education against these tactics.

The impact of this incident went beyond initial repair measures. An inquiry launched by New York Attorney General Letitia James and the FBI emphasized the gravity of the situation, stressing potential legal repercussions for Twitter and its security policies. Criticism of Twitter’s security standards grew in the aftermath of the breach, raising concerns about the effectiveness of the safeguards in place to secure user data and avoid repeat incidents.

This episode serves as a sharp reminder of the widespread impact of social engineering schemes. It not only jeopardized the security and integrity of Twitter’s platform, but it also demonstrated the vulnerability of even well-established corporations to such deceitful techniques. The consequence of this hack emphasizes the critical need for strong cybersecurity policies and user education campaigns to reduce the danger of such attacks in the future.

If a high-profile company like Twitter could be breached, can you imagine what could happen to smaller companies or corporations without a designated cybersecurity team?

Uber Scam Call Gone Wrong

On March 25, 2024, an Uber driver was shot and killed for doing her job. Loletha Hall was completing a package pickup at the home of William Brock, but unbeknownst to Hall, prior to her arrival Brock had received a phone call demanding a large sum of money. The scammers were impersonating local court officials, but that attempt wasn’t enough to fool Brock. They then began to demand a ransom for a supposed relative of his that they had taken hostage, and they requested an Uber to go to his home and collect the money.

Hall arrived at the house unaware of what was happening and encountered Brock, who was armed. Brock, thinking that Hall was an accomplice, shot her. She succumbed to her injuries while being treated in the hospital.

This case might seem unique, but it’s just one example of the many dangers of social engineering scams. What if this was you or your employee who went to the wrong place at the wrong time?

Hall’s family is now mourning her loss, and Brock has been charged for defending himself against the wrong person. Is it fair? An attack categorized as a cyberattack transcended the realm of 1s and 0s and claimed a life, and it was one of the victims who took the fall.

Importance of Employee Education and Training

As previously mentioned, there is no beekeeper in the real world, and as such we must safeguard our information ourselves. Knowledge is key. If your small business or corporation can’t afford a dedicated cybersecurity team to handle breaches, at a minimum you should educate your employees about the current threat landscape. A common thread in all the social engineering tactics mentioned above is the exploitation of the victim’s trust and lack of awareness. If your employees know what to look out for, they will be less likely to fall victim.

Employee cybersecurity education should include:

  • Regular Assessments and Phishing Simulations
    • This increases the employees’ ability to protect themselves and the company. It also helps to create a feeling of accountability and responsibility for upholding a safe environment and develops a culture of safety throughout the organization. You can even gamify it and increase excitement by offering small prizes to whoever scores the highest during the assessments.
  • Mandatory review of the organization’s cybersecurity and incident response plan
    • This can be as simple as a two-page document, but the purpose is to ensure your employees know what to do at the first sign of a potential cyberattack. It provides a roadmap for employees efficiently outlining who does what, when, and why. It also delegates access and authorization as well as the consequences for not following the rules. If employees know about this document and regularly review it, then when your business does experience a cyberattack, the effects are likely to be more limited in scope and your business will be able to recover more quickly.

It is always good to have a few people on the team who know how to handle potential breaches, even if that isn’t their full-time role. As Joseph R. Bonavolonta, special agent in charge of the FBI Boston Division, said:

“Cybercriminals are constantly coming up with new ways to rip off unsuspecting consumers…”

Be careful with your information.

Company Training Suggestions

  • Phin Security
    • Phin Security focuses on cybersecurity awareness and training in the information security arena. The company provides automated security awareness training, simulated phishing attacks, and reporting and analytics to manage client security.
  • GCA Cybersecurity ToolKit
    • The GCA Cybersecurity Toolkit, supplied by the Global Cyber Alliance, is a comprehensive package of free materials and tools to assist enterprises in strengthening their cybersecurity defense. From email security to DNS protection, the toolkit offers practical advice and solutions for reducing cyber dangers and increasing online safety.
  • Pryor Learning
    • Pryor Learning Solutions is a major provider of professional development and training programs, offering a wide range of courses and seminars on issues critical to career advancement and corporate success. Pryor focuses on both individual and corporate training needs, providing comprehensive learning solutions through live seminars, on-demand courses, and personalized training packages.
  • Huntress
    • Huntress is a cybersecurity business that specializes in sophisticated threat detection and response technologies, with an emphasis on endpoint protection. Their services aim to proactively detect and neutralize advanced cyber-attacks, assisting businesses in maintaining a secure and resilient IT infrastructure. Their security awareness training is fun and engaging and is then reinforced via simulated phishing attacks that are built by Huntress security analysts to look just like the real phishing attacks they see every day.

Social engineering schemes pose a continual threat to businesses, requiring more proactive defense strategies. Recent episodes, such as the Twitter phishing case and the fatal Uber scam, highlight the importance of strong cybersecurity measures and employee education.

To mitigate risks, firms should prioritize regular assessments, incident response planning, and extensive personnel training. Businesses may effectively prevent social engineering attacks and protect sensitive information by cultivating a culture of security and utilizing resources such as the GCA Cybersecurity Toolkit and other similar training programs to educate employees.

References

Cisco. (2024, February 22). What Is Social Engineering in Cybersecurity? https://www.cisco.com/c/en/us/products/security/what-is-social-engineering.html

NBC News. (2024, April 15). Ohio man, 81, fatally shoots Uber driver, 61, after scammers target both of them, officials say. https://www.nbcnews.com/news/us-news/ohio-man-81-charged-fatal-shooting-uber-driver-mistakenly-thought-was-rcna147827

Cybersecurity and Infrastructure Security Agency (CISA). (2021, February 1). Avoiding Social Engineering and Phishing Attacks. https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks#:~:text=In%20a%20social%20engineering%20attack%2C%20an%20attacker%20uses,and%20even%20offering%20credentials%20to%20support%20that%20identity

Fallon, N. (2021, June 3). 4 Social Engineering Scams to Be Aware of. CO- by US Chamber of Commerce. https://www.uschamber.com/co/run/technology/common-social-engineering-scams#:~:text=Small%20businesses%20are%20frequently%20targeted%20in%20social%20engineering,today%E2%80%99s%20cyberattacks%20involve%20some%20form%20of%20social%20engineering

SiteLock. (2023, February 6). Impact Of Social Engineering Attacks on Businesses. https://www.sitelock.com/blog/the-impact-of-social-engineering/

Chen, P. (2021, November 1). Small Business Cybersecurity Statistics: 42% attacked in last year. AdvisorSmith. https://advisorsmith.com/data/small-business-cybersecurity-statistics/#:~:text=Nearly%20half%20%2841.8%25%29%20of%20all%20small%20businesses%20were,that%20these%20small%20businesses%20suffered%3A%2023.7%25%3A%20Phishing%20attack

Picchi, A. (2020, July 17). Twitter says hackers targeted 130 accounts in Bitcoin scam hack. CBS News. https://www.cbsnews.com/news/twitter-hack-130-verified-accounts-targeted-bitcoin-scam/
