“Nice Suit:” Why It’s Time to Get Smart About Social Engineering

Miguel El Lakkis · Published in Dow Jones Tech · Jun 12, 2020

Phishing Has Evolved to In-Person, Text and Other “Blended” Scams You Won’t See Coming.

A few months ago, I was walking along a Manhattan street when a woman approached me to say how much she admired my suit. She seemed pleasant and enthusiastic, and hoping to share some suit-maker recommendations, she asked for my business card.

Believe it or not, this physical-world interaction was the start of a digital spear phishing scam. It’s a breed of social engineering cybercrime that targets both our professional and personal lives — and it’s on the rise.

Social engineering scams use people and things that you associate with trust and safety — like a coworker’s email or a concerned call from your doctor’s office — to access and abuse your personal information. These tactics have roots as far back as Ancient Greece, when the Trojans unknowingly welcomed the enemy into their homes under the pretense of accepting a generous gift.

Stories of increasingly creative social engineering scams are not in short supply, from tax forms “from the IRS” to notifications on Skype “from Google.” If your boss sent you an email asking for a quick review of their document, you wouldn’t think twice about clicking on it — because it’s easy to mistake “Gmail” for “GmaiI” when you’re not actively looking for it (the latter uses a capital “I” in place of the lowercase “l”).
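
The Gmail/GmaiI trick above is a lookalike (homoglyph) domain, and it is one of the few social engineering tells a mail gateway or a careful reader can check mechanically. The script below is an added example, not code from the article or from Dow Jones: it collapses visually similar characters (capital I and the digit 1 for l, 0 for o, “rn” for m, a handful of Cyrillic letters for their Latin twins) into a “skeleton” and flags any sender domain whose skeleton matches a trusted domain without being that domain. The trusted list, the sample addresses and the confusable table are constructed for the example; the same check works on the hostname of a link, which is how a smishing message’s URL would be screened.

```python
"""Flag sender or link domains that only look like a trusted domain.

Added example for the Gmail/GmaiI point in the article; the trusted list and
sample addresses below are constructed, not taken from the article.
"""

# Single characters that are easy to mistake for a letter. Applied BEFORE
# lowercasing so that a capital "I" standing in for a lowercase "l" is caught.
# The Cyrillic rows are a small hand-picked sample of ASCII lookalikes.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o",
    "5": "s", "$": "s",
    "8": "b",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
}

# Two-character sequences that render like a single letter in many fonts.
CONFUSABLE_SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a form in which lookalike characters are identical."""
    out = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    out = out.lower()
    for seq, rep in CONFUSABLE_SEQUENCES.items():
        out = out.replace(seq, rep)
    return out


def domain_of(address: str) -> str:
    """Return the domain of an e-mail address (or the input itself if it has no '@')."""
    return address.rsplit("@", 1)[-1].strip()


def check_domain(address_or_domain: str, trusted_domains) -> dict:
    """Compare one sender address or hostname against a list of trusted domains.

    exact_match  : it is a trusted domain (domain names are case-insensitive)
    impersonates : the trusted domain whose skeleton it shares, or None
    non_ascii    : it contains characters outside ASCII (a strong hint by itself)
    """
    domain = domain_of(address_or_domain)
    trusted = {t.lower() for t in trusted_domains}
    result = {
        "domain": domain,
        "exact_match": domain.lower() in trusted,
        "impersonates": None,
        "non_ascii": any(ord(ch) > 127 for ch in domain),
    }
    if not result["exact_match"]:
        sk = skeleton(domain)
        result["impersonates"] = next((t for t in sorted(trusted) if skeleton(t) == sk), None)
    return result


def flag_lookalikes(addresses, trusted_domains):
    """Return (address, impersonated trusted domain) for every lookalike in a batch."""
    hits = []
    for addr in addresses:
        verdict = check_domain(addr, trusted_domains)
        if verdict["impersonates"]:
            hits.append((addr, verdict["impersonates"]))
    return hits


# Constructed sample data (not from the article).
TRUSTED = ["gmail.com", "dowjones.com"]
SAMPLE_SENDERS = [
    "boss@gmail.com",        # genuine
    "boss@GmaiI.com",        # capital I for lowercase l, the article's example
    "hr@gmai1.com",          # digit one for l
    "it@d0wjones.com",       # zero for o
    "news@gm\u0430il.com",   # Cyrillic a for Latin a
    "friend@example.org",    # unrelated domain, not flagged
]

if __name__ == "__main__":
    for addr, target in flag_lookalikes(SAMPLE_SENDERS, TRUSTED):
        print(f"{addr!r} looks like {target}")
```

The skeleton is deliberately applied before lowercasing: once “I” has been folded to “i”, the substitution the article describes is invisible, so the fold to “l” has to happen first. Treat the result as a triage signal rather than a verdict; a genuine but unfamiliar domain will never be flagged, and a flagged one deserves the “call them back on a number you looked up yourself” treatment the article recommends.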

According to the FBI, the rate of social engineering scams has risen since the Covid-19 pandemic hit. People are more distracted, more fearful or have more urgent needs, all of which make it easier to let one’s guard down or miss red flags — and response and recovery teams are operating with lean numbers and more demand.

Here are a few social engineering scams that are becoming more complex and creative, along with tips on how to protect yourself:

Smishing, or SMS phishing, uses text messages to elicit information from recipients. An old friend you haven’t spoken to in forever texts you, “This is my new number. I wanted to let you know I’m getting married, and you’re invited. Here’s the online invitation.” You click, and you have now downloaded malware that can steal the credit card information stored in your phone. In another scenario, a seemingly automated SMS from your bank asking you to confirm a suspicious charge to your card may not be from your bank. How did the scammer know which bank you belong to? Perhaps you shared an article about that bank on social media, with a comment that you’ve always had a good experience with them — the scammers then took it from there.

Protecting yourself from smishing is easy: don’t respond to or click on any text message from someone you don’t text with regularly. Check with the source of texts requiring any kind of action, even if it gives you an option to respond with a “STOP” message. Call your bank, for example, to confirm they sent that message. Finally, don’t delay security updates to your phone.

Tailgating is an old-school tactic that is seeing renewed practice; it relies on physical proximity to the victim. While most of us have learned that we should hide the numbers we punch when entering a PIN at the ATM, tailgating can happen anywhere. How many of us have held the door for someone close behind us as we entered the office building with our ID? What if they were wearing the building’s janitorial uniform, or looked like a USPS carrier delivering a package? Tailgaters take advantage of building fire drills, shuffling back inside with everyone else. For high-profile organizations, the threat can get extremely serious, with past tailgating cases tied to attempted attacks on executives, theft of proprietary equipment and other serious offenses.

We’ve all been through the employee training that stresses computer security: lock your drawers and close your laptop when you leave your desk. Don’t take that advice lightly. If several of your devices are linked, remember that they are all compromised as soon as one is.

Pretexting is a long-game social engineering tactic, devoid of the urgency that comes with other phishing tactics. Pretext scams are built over time within a specific context and are becoming just as prevalent for individuals as they have become for corporations. They are usually (but not always) part of an organized crime effort, and some real-life examples show just how effective the tactic can be. In 2013, an official with the Brazilian Army got personal information from members of an activist group via a fake Tinder profile. In another scenario, perhaps someone hanging around your block notices that the same cleaning service visits your home each week. They can find your contact information and pose as the cleaning service to say they are switching staff and will send a new person over next time. Or they could move to digital fraud: they say there’s a price change agreement you need to sign, ask you to confirm your email address, and send you a malicious link. The most effective pretexting scams are based on “positive” events — New York, in particular, is alerting residents that hackers are posing as reps from the local government paying out unemployment benefits.

To reduce your chances of falling for this kind of social engineering scam, follow the general rule of never providing information in response to an unsolicited call or email. You can also use a separate number for anyone who is not a friend or family member and only answer calls from known numbers, or employ a virtual Google Voice number for commercial and professional contacts. Avoid using your main debit card and direct deposit for transactions; instead, use a designated credit card that has insurance. Using a P.O. box is also effective.

No matter the avenue by which a scammer tries to work their way into your daily life, the most effective tactic is to turn the questions around. Did they ask for your business card? Ask for theirs, instead. Did they want your phone number? Look up their phone number online and call them back instead. Plug their name and company into LinkedIn and Google to see if they’re legitimate (and even then, be forewarned that some go to great lengths to create websites for fake companies). Above all, keep information to yourself — scammers can’t use information against you if they don’t have it in the first place.

Working remotely? For tips on how to protect your personal information in the age of Zoom hacks and a high volume of emails, read my blog on WFH cybersecurity.
