Social engineering is the term used to describe a fraudster's manipulation of a victim into handing over valuable security credentials. Many fraudsters regard social engineering as the single most effective weapon in their arsenal: it is far easier to trick a person into disclosing their password than to put in the effort required to break into an IT system, because as humans we naturally tend to trust other humans.
Fraudsters have developed a number of different methods to influence a victim into divulging information. Each method has the same objective: gather information from the victim which can be used to steal their identity, commit fraud or gain access to their PC or network.
This is the first in a four-part series which will look more closely at the most commonly used techniques and arm you with the information you need to protect yourself and your business from social engineering.
Phishing is the sending of an email by a fraudster in the hope that the recipient will respond and disclose confidential information. As the name suggests, the fraudster is "fishing" for information. Sending email is cheap (approx. €1 per 1,000 emails), so fraudsters will typically "carpet bomb" a large number of email addresses at once with the same message. One criminal gang that was brought to justice had on its premises a hard drive containing 78 million legitimate email addresses. That's a lot of email addresses to potentially target!
In the past it was usually quite easy to spot a phishing or spam email: they tended to look unprofessional and were littered with spelling and grammatical errors. However, the fraudsters have smartened up, and these days it can be very difficult to tell a legitimate email from a phishing email. Increasingly, these emails display the logos of common household brands, banks and in some cases government departments in order to legitimise the content. The fraudsters also employ seasonal targeting to increase their response rate. For example, during the summer months emails will carry the logos of popular travel agencies, whilst parcel delivery companies are imitated in the run-up to Christmas when most of us are shopping online.
In sending the email, the fraudster wants the recipient either to click on a link within the email, which takes the victim to a bogus website imitating a genuine one, or to open an attachment containing malicious software.
Fake Emails- Know What to Look For:
- The 'from' name and email address, on close inspection, do not seem genuine. A display name claiming to be your bank may sit in front of an address at an unrelated domain.
- The email is addressed to something generic, such as ‘Valued Customer’ instead of your real name.
- The email has an urgent tone, catching your attention and encouraging you to act without thinking.
- The email contains poor spelling and grammar, or re-purposes genuine emails from your bank.
- The email prompts you to click on links to login to your account. This may, for example, take you to a fake replica of your bank’s website. Legitimate links from your bank will not take you directly to the online banking login page.
- There is a form attached to the email, possibly containing malicious software. A genuine email from a bank would never attach a form to fill out.
- The URL looks genuine, but when you hover over it (or long-press it on a phone) you can see that it points to a domain that is trying to look like your bank's, for example by including the bank's name as part of a different domain.
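As an added illustration (not code from the original article), the checklist above can be turned into a small scan over a raw email. The script below parses a message with Python's standard email module and reports each indicator it finds: a sender display name that claims the bank's brand while the address sits at another domain, a generic salutation, urgent wording, links whose real target is a lookalike domain, and attachments. Both sample messages, the sender domains and the link targets are constructed for this example and refer to no real bank; the phrase lists and the two-label domain check are simple heuristics, not a production filter.

```python
"""Heuristic scan of a raw email for the phishing indicators in the checklist above.
Added example: the sample messages and every domain in them are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear account holder")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be suspended", "verify now")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; enough for .com here (a real tool would use the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def scan_message(raw, trusted_domain):
    """Return a list of (indicator, detail) tuples for a raw RFC 822 message."""
    msg = message_from_string(raw)
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]  # e.g. "mybank" for "mybank.com"
    findings = []

    # 1. Display name claims the brand but the address domain is somewhere else.
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if brand in display_name.lower() and registrable_domain(from_domain) != trusted:
        findings.append(("from-mismatch", f"'{display_name}' sends from {from_domain}"))

    # Gather bodies and note attachments across all MIME parts.
    html, text = "", ""
    for part in msg.walk():
        if "attachment" in (part.get("Content-Disposition") or ""):
            findings.append(("attachment", part.get_filename() or "unnamed"))
        elif part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(errors="replace")
        elif part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode(errors="replace")
    content = (msg.get("Subject", "") + "\n" + (text or re.sub(r"<[^>]+>", " ", html))).lower()

    # 2. Generic salutation instead of the customer's real name.
    if any(g in content for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", "no personal name in salutation"))

    # 3. Urgent tone pushing the reader to act without thinking.
    hits = [p for p in URGENCY_PHRASES if p in content]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # 4. Links whose real target is not the bank's domain, even if the host or link text mentions the brand.
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if not host or registrable_domain(host) == trusted:
            continue
        kind = "lookalike-link" if brand in host else "link-text-mismatch" if brand in visible.lower() else "external-link"
        findings.append((kind, f"'{visible}' -> {host}"))
    return findings


# Constructed phishing sample: brand in the display name, lookalike domains, urgency, generic greeting, attached "form".
SAMPLE = """\
From: "MyBank Security" <alerts@mybank-secure-login.com>
To: customer@example.com
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Valued Customer,</p>
<p>Your account will be suspended within 24 hours unless you
<a href="http://mybank.login-verify.net/secure">log in to MyBank</a> now.</p>
<p>Please complete the attached form.</p></body></html>
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="account_form.pdf"

JVBERi0x
--b1--
"""

# Constructed benign sample: personal greeting, genuine sender domain, no links or attachments.
BENIGN = """\
From: MyBank <noreply@mybank.com>
To: jane@example.com
Subject: Your March statement is ready
Content-Type: text/plain; charset="utf-8"

Dear Jane,

Your statement is now available in online banking.
"""

if __name__ == "__main__":
    for kind, detail in scan_message(SAMPLE, "mybank.com"):
        print(f"{kind:20} {detail}")
    print("benign findings:", scan_message(BENIGN, "mybank.com"))
```

Run against the phishing sample it reports all five indicators from the checklist and nothing for the benign message. Note that the scan only sees the link's real target because it reads the href rather than the visible text, which is exactly what hovering over a link shows you; a mail client that displays only the anchor text hides the mismatch.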
Be suspicious of unexpected email correspondence, even if it purports to be from your bank.
Never enter sensitive personal or business information, including security credentials, via a web link attached to an email.