Scammers are becoming increasingly prevalent and sophisticated. They are wily, savvy, and keep up to date with technology developments and media platforms so they can find new and cunning ways to extract funds from unsuspecting victims. And just as people become alert to one scam, you can bet another one follows closely behind.
You may think you have the best security systems, firewalls and anti-virus software in place; however, most scams rely on people. The term 'social engineering' refers to scammers trying to deceive and manipulate people into letting their guard down - clicking a link, opening an attachment, or taking other similar actions which are often performed without a second thought. Sadly, scammers rely heavily on people being trusting, helpful and naive, so a certain level of cynicism works in your favour when it comes to online security.
Here are some tips on identifying a scam, and helpful tricks to keep you and your business safe:
The "what's what" of electronic scams - a glossary of terms:
Baiting plays on people enjoying a good 'find' by leaving around USB flash drives infected with malware. A user pockets an unguarded, seemingly forgotten flash drive and then unwittingly infects their computer, or even an entire network, when they try to use it. Obviously the best advice for this situation is to never trust unattended electronics. Drop them in the nearest bin to prevent others from falling victim, or take them to your nearest police station - if it was genuinely lost the owner will go to claim it.
This now well-known scam is an e-mail pretending to originate from a bank or a supplier, asking you to click this link, open that attachment, or reply with your account details. Sometimes these are very obviously scams, however some go to considerable lengths to feign authenticity by copying logos or adding genuine links to the footer of the e-mail. We give you some suggestions on clues to look for when receiving suspicious e-mails below.
A user inadvertently downloads malware which locks up their computer or a whole network. The firm is literally held to ransom: it must pay the extortionist to regain access to its data, or else all files will be deleted, permanently encrypted or otherwise made impossible to access.
This scam involves convincing the user that their computer has been hacked or infected with malware or they have inadvertently made an illegal download. Predictably, the problem can only be 'fixed' by clicking on a link, at which point the user's computer actually does become infected.
Short for 'SMS phishing', it attempts to fool you via text messages. It can trick a user into downloading malware such as a virus or Trojan horse onto his or her mobile phone or other device. If this device is set up to sync with your office system you can see the problem! SMiShers can also use text messages to obtain financial data from users for the purposes of identity theft and fraud. A great tip is to never click on links from senders whom you do not recognise, or who seem suspicious. A curiosity link-click is all it can take - you know what they say about the cat!
Short for 'voice phishing', vishing is the telephone equivalent of phishing; it is not always carried out over the internet, instead making use of voice technology. This type of scammer fools the victim into thinking that he or she is assisting a genuine business contact. Some can display a fake number or caller ID on your phone. Automated recordings may direct you to call a given number or enter account details. Vishers may also intercept the follow-up call you make to confirm the original call was genuine: a common trick is for the scammer not to hang up, so they stay on your phone line and impersonate the genuine contact when you 'call back'.
Some clues to look for when trying to identify a scam, especially phishing e-mails, include:
- Originating e-mail address and display name - these may give a clue as to whether the e-mail is genuine or not. Look for spelling variations or an unusual domain, e.g. 'PayPal.uk' instead of 'PayPal.com', or the display name says 'Paypal' but the address is 'firstname.lastname@example.org'
- Logo quality - often the e-mails will include a company logo which may be low resolution, fuzzy or pixelated due to it having been copied from the real company's website
- Incorrect grammar, sentence construction and/or spelling - may indicate that the writer's first language is not English and that they are attempting to write in professional language
- Content - an e-mail advising you have a UPS parcel awaiting collection even though you have not ordered anything from overseas should raise suspicion
- Account login links - these are a big giveaway! Organisations such as banks which deal with your sensitive information are highly security conscious and will never ask you to follow a link within an e-mail. If such an agency e-mails you they will often include warnings that their staff would never ask you to disclose your personal information or passwords via e-mail or phone, and to only log in to their online platform by physically typing the website address into a browser. If your phishing e-mail tells you to 'update your details' using a link, delete it immediately
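The display-name and domain clues in the first bullet above can be turned into a simple automated check. This is an added example, not code from the original post; the brand-to-domain table and the sample headers are constructed for illustration.

```python
"""Heuristic check of a message's From header for two phishing clues:
a display name that names a brand while the address sits on an unrelated
domain, and a lookalike domain such as 'paypal.uk' instead of 'paypal.com'.
Added example, not part of the original post; KNOWN_BRANDS is a constructed
allow-list, not a real list of any company's sending domains.
"""
import re
from email.utils import parseaddr

# Constructed allow-list: brand keyword -> domains it legitimately sends from.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "ups": {"ups.com"},
}


def check_from_header(from_header: str, known_brands=KNOWN_BRANDS) -> list:
    """Return a list of warning strings; an empty list means no clue was found."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["malformed or missing address"]

    domain = address.rsplit("@", 1)[1].lower()
    # Compare whole words so 'ups' does not match 'groups'.
    name_words = set(re.split(r"[\s.]+", display_name.lower()))
    domain_parts = set(re.split(r"[.-]", domain))

    warnings = []
    for brand, good_domains in known_brands.items():
        # Clue 1: display name claims a brand but the address is elsewhere,
        # e.g. 'Paypal' <firstname.lastname@example.org>.
        if brand in name_words and domain not in good_domains:
            warnings.append(
                f"display name mentions '{brand}' but address domain is '{domain}'")
        # Clue 2: domain contains the brand as a label but is not a known one,
        # e.g. paypal.uk or paypal-secure.example.
        if brand in domain_parts and domain not in good_domains:
            warnings.append(
                f"domain '{domain}' looks like '{brand}' but is not a known {brand} domain")
    return warnings
```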
Pretexting - when all is not as it seems
Pretexting is a social engineering ruse where a fictional situation is created for the purpose of obtaining personal and sensitive information from an unsuspecting individual. It usually involves researching a target and making use of this data for impersonation or manipulation. Pretexting often involves a scam where the impersonator asks you to provide your information in order to confirm your identity, then uses that information for nefarious purposes. Some examples of pretexting include:
- A caller, claiming to work for the business's IT company, requesting login details because they are undertaking some 'routine maintenance' and need remote access to the system
- An official-looking announcement appearing on the bulletin-board advising that the number for the helpdesk has changed. When employees use the new number to call for help, a call-centre asks for their passwords and IDs in order to gain access to the company's private information
- A contact might come through social media establishing a rapport as a prospect interested in what the business offers, all the while manipulating you into revealing sensitive information
- The friendly new reps from one of your suppliers turning up at reception with morning tea for the team and cheerfully asking questions about your business operations and assets
- An e-mail which appears to be from your Boss or Manager, requesting you to arrange for a large sum to be paid to an overseas 'consultant' from the company bank account
In each of these scenarios, take a moment to assess the situation. If your instincts are telling you something is amiss, proceed with caution. If in doubt, stall them until you can authenticate their identity and purpose. You could:
- Ask them to wait while you confer with your Manager, IT Consultant or a colleague
- Contact the company they claim to be from to verify they are genuine. Be careful not to call a number they provide you with; instead, look up the company's phone number yourself
- Ask for their contact details so you can call back, or request they come back later. This allows you time to check their credentials without feeling like you're 'put on the spot'
- Ask lots of questions. If they are genuine they should have no problem answering these
A legitimate person will understand you are doing your due diligence or following protocol, and will likely be happy to comply with answering questions or coming back later. However, if they seem edgy, caught off-guard, or start getting demanding, pushy or even aggressive, this should immediately raise red flags.
If you are concerned about online safety and cyber security, please contact your IT provider for advice and recommendations.
Keep an eye on our blog this month as we present a series of articles on strategies for business success. You won't want to miss these!