A Word on Social Engineering and Gift Cards…

by Blog

I walked into my local supermarket yesterday and saw a curious poster. It had a police officer blowing his whistle, which is basically crime stoppers 101. That isn’t the interesting part. The interesting part is that this poster existed to warn consumers that if someone is asking them for hundreds of dollars in Google, Apple, or Amazon gift cards, they are probably getting scammed. With the rise in cyber-attacks on everyone from governments to corporations to private citizens, it is becoming increasingly important that you know the signs that someone is trying to trick you. This kind of trickery is known as social engineering.

Social engineering is a sophisticated form of manipulation. This is because the goal isn’t to use your technology against you, as malware and spyware attacks do, but to use you against yourself. These malicious actors seek to convince you to act against your own best interest, and at times that of your business or employer, using things such as email, SMS text messages, and phone calls. I’m sure you have gotten these messages at an increasing rate recently: text messages telling you that you have been approved for a loan you didn’t apply for or won a contest you never entered, and emails telling you that you must act now because your account has been compromised, your job is in jeopardy, or you owe the government money. And who can forget the phone calls? Most of us at this point get about four calls a day about our car’s extended warranty or that our social security number has been compromised. These all share one very common trait: they are coming from a new wave of hackers and scammers who want to get your login information, credit card numbers, or your money directly.

How do these attacks occur? What should you be looking for? The most common social engineering attacks are text-based. The latest batch comes from what seem to be trusted sources. This could be anything from an “HR rep” who needs you to click a link and reenter your login credentials, to an email from your “boss” who is stranded in a foreign country with no money and can only get home with iTunes gift cards. It is important first to read these messages carefully and look for the signs of malicious activity. Do these messages come with a forceful sense of urgency? Phishing attacks are often set up to scare the recipient into making a mistake, be it downloading a malicious file or entering important information into a scam form. They will say things like “CLICK HERE TO AVOID INTERRUPTION” or “URGENT ACTION NEEDED”. This is because when we are afraid, fear oftentimes overrides our due diligence. We are working so hard to avoid the consequence that it is easier to overlook the fact that something is off with the email or text.

One of the things that may be off is grammar and punctuation. The English language is incredibly complex with its grammar and punctuation rules. Many of the people carrying out these attacks are foreign actors who, while they have a grasp of the English language, don’t know the intricate rules that dictate it. This is important. Run-on sentences, improper or completely missing punctuation, and rudimentary grammar mistakes are all signs that this email or text isn’t coming from who it says it is and is in fact a phishing attack. Take your HR rep, for example. Usually, the emails they send you are professionally written. However, if you receive one asking you to log in to an unknown site or to send them your information, look closely. Does it start with “Dear”, or “To Whom It May Concern”, or some other unusual greeting from someone who usually goes straight into the message? See that string of thoughts without the usual commas and proper tenses? That is a surefire sign that you are being phished. As a rule, if you receive something that appears out of the ordinary, call the person or send them an email. If Mike from IT supposedly sent you the email, call him and double check that it’s from him. Chances are, it isn’t.

Another important thing to check is the email address, the attached links, and the domain names. If something seems off, a good trick is to check other emails from the “sender”. Is the email address the same, or is this a variation of their usual email address? Even an email from someone you know can be malicious if there are other red flags, because accounts do get compromised. What about the attachment that’s there? Is there a hyperlinked piece of text? Hover your cursor over these things. Chances are they are links to a place you don’t want to end up, such as a mirror site that goes to the hackers. Even if it looks good, take a closer look, as one letter or a hyphen can make all the difference in the destination. Cross reference that with the email address. If it says it’s from paypal.com but that link reads Pay-Pal.com, well, dear reader, that’s a trap.

You can avoid the ramifications of these social engineering attacks, and it’s surprisingly simple to protect yourself. It comes down to awareness and discernment. If something seems out of the ordinary, chances are it is. Never answer a text message or click on a link from a sender you don’t know. If you receive something with an extreme sense of urgency seemingly at random, leave it be. If you get an email from a boss or colleague at a random hour, say 4:30 am, it’s probable they didn’t send it. Cross reference sender information with old emails and keep an eye out for grammar issues. Never click on links or download attachments without due diligence: hover over hyperlinks, and check with the sender to see if they actually sent it. When in doubt, double check. Finally, always report these attacks to your IT team, be it in house or your friendly neighborhood managed service provider like your friends at Delval Technology Solutions.