Best Practices to Identify and Avoid Social Engineering Scams
During a busy holiday shopping season, a large retail corporation’s payment system was breached through the use of a malicious phishing email, compromising the personal information of nearly 70 million customers. Since that incident, the frequency of cybercrime attacks, particularly those involving social engineering schemes, has continued to grow and has created a serious risk management concern for individuals and businesses alike.
Virtually anyone who spends time online — whether on social media, shopping, paying bills, or simply accessing email — can be a potential victim of a cybercrime attack. Cybercriminals are using increasingly sophisticated scams designed to manipulate individuals into divulging personal and confidential information.
These scams include posting fraudulent links on well-known websites, or sending emails that appear to come from known individuals or companies but contain fraudulent links or attachments carrying malicious software, known as malware. The goal is to get you to divulge personal information that the cybercriminals can then use to access your computer and accounts for their own benefit and financial gain.
When it comes to social engineering scams, basic awareness of the tactics used can go a long way in keeping your personal information secure.
Even the most security-savvy computer users can be vulnerable to social engineering scams, so it’s important to keep apprised of the types of threats that are prevalent today, and the extra measures you can take to avoid becoming a victim.
Protect yourself from the common social engineering scams.
Phishing is the tactic of using a fraudulent email to trick the recipient into opening a malicious attachment or visiting a malicious website. Phishing has been around for many years and remains a common scam for hackers because it continues to work.
Cybercriminals may act as representatives of familiar, trusted organizations — such as government agencies, financial institutions, or popular social media applications or file sharing sites — to gain your confidence and encourage you to follow the email’s directives, such as divulging sensitive information.
This particular attack has continued to evolve through the use of “spearphishing,” which personalizes an email so that it appears to come from a known person or organization. Additional tactics include “whaling,” which is a spearphishing attack that targets corporate leaders and high-profile individuals.
Most phishing schemes aim to have the recipient reveal sensitive information, ranging from passwords to bank account numbers or even corporate data.
- Don’t respond to emails requesting personal information, and delete emails from senders you do not recognize without opening them
- Never click on embedded hyperlinks or open attachments in emails that you believe to be fraudulent or suspicious
- If an email appears to be from a company that you do business with, contact them directly to discuss or report the message
- Never share passwords, login credentials, or any authentication information
- Always use a spam filter, anti-virus software, and a personal firewall
Baiting is a social engineering attack that lures you with the promise of something fabulous. Offers for gift cards, free smartphones, or even a share of a lottery winner’s profits are popular baiting techniques.
The most adept hackers will use information gleaned from social networking sites, corporate websites, job search sites, and online newsletters to tailor baits that may be very specific to you. This technique relies on your curiosity, hoping you will be attracted enough to an offer to surrender your login credentials to a certain site.
Also, beware of suspicious, unverifiable phone calls claiming to be from a bank or other organization. When in doubt, call them back at a known, published phone number.
Baiting techniques also include the use of phone calls and texting in addition to Internet scams.
- When it comes to cybersecurity, verify first, trust second
- Don’t believe everything you read, even if it is on a friend’s web page. If it sounds too good to be true, it almost certainly is
Hackers use social media not only to gain information about victims but as a way to spread malware and entice users into making mistakes.
On social media, cybercriminals may also create fake videos and websites tailored to trending topics and current events, or send messages with shortened, unverifiable URLs to spread malware intended to collect information from computers and other devices.
- Review your settings on social networking sites regularly to ensure that privacy settings are set to the highest level that you are comfortable with
- Be careful what you click on and what you say
- Do not share confidential information that may be the answer to your security question, such as your mother’s maiden name or your date of birth
- Never click on a hyperlink within a post if it appears suspicious, even if it appears to come from a friend; your friend’s account may have been hacked
- Don’t accept connection requests from unfamiliar individuals; they may be looking to find out when you are on vacation or away for an extended period of time
Cybercriminals seek to turn your own online presence into a weapon against you and others. Always be vigilant of social engineering tactics in order to decrease the chances of becoming a victim of a cyberattack. Knowledge is power: educate yourself, your friends, and your loved ones. Depriving cybercriminals of their next success will be a victory for us all.
To learn more, contact your local M&T Bank Relationship Manager or visit our Banking Security Center.
This content is for informational purposes only. It is not designed or intended to provide financial, tax, legal, investment, accounting, or other professional advice since such advice always requires consideration of individual circumstances. Please consult with the professionals of your choice to discuss your situation.
Submitted by Joseph J. Imbriale, Vice President, M&T Bank; Office – 732-908-4804; [email protected]