Due to the success of an ongoing scam targeting iPhone users, Apple recently took the step of warning its users not to answer unsolicited "Apple support" calls. The attack starts with an automated call that displays the real Apple logo, address and phone number and warns the recipient of a data breach. It then requests personal information from anyone who takes the bait. This scheme, which combines caller ID spoofing tools with impersonation of a trusted provider and a sense of urgency to act, highlights how today's social engineering scams mix advanced technology with tried-and-true psychological manipulation tactics.
What Does Social Engineering Look Like Today?
Social engineering is not a new threat, but as the technology improves, new and more sophisticated techniques crop up. One of the most common examples of social engineering in recent years is Business Email Compromise (BEC), in which scammers use information about their victims' job roles and organizational hierarchy, along with the ability to spoof any email address, to exploit them. Commonly, these scams use fake emails from "the CEO" or another executive that request information or financial transactions from lower-level employees in departments with access to sensitive data or payment authority, such as HR or Finance. A scammer might send an email that appears to come from the CFO to the head of finance, asking for a direct deposit to be made immediately. If the email looks legitimate and uses convincing wording (which it usually does, thanks to sophisticated email spoofing and insider details gleaned through online research), the employee will feel the urgency of the request and send the money.
Another common social engineering tactic takes cultural or seasonal trends and uses them to manipulate victims. For instance, as Security Intelligence reports, scammers recently targeted basketball fans through March Madness streaming sites. Eager to watch games "for free," unwitting individuals may land on an insecure site that serves adware (ad pop-ups that carry malware). When they click, their computer can become infected with malicious code. In a similar scam built on a popular trend, streaming sites have popped up offering episodes of the latest season of Game of Thrones for free. Naturally, most of these sites are bad news, and many of them request personal information, sometimes even financial information, which they later use to phish visitors to the site.
How Can We Avoid Social Engineering?
From giving away critical organizational data or funds to unwittingly picking up malware on an insecure site, social engineering can have serious consequences for the victim and their organization. So, how can we help our employees navigate these treacherous waters? It is important to remind our people that while the technology may be advancing, there are still a few key ways to prevent social engineering.
First of all, follow general email and web security precautions. A BEC scam, even a highly sophisticated one, can usually be ruled out with common sense. Were you expecting an email from your CEO? Would they use this sort of language, or address you this way? Is it likely that they would ask you about something this important via email, rather than over the phone? By asking yourself these questions, and by confirming any unusual payment request through a channel you already trust, you will probably be able to stop a BEC attack dead in its tracks.
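The same tells that the questions above ask a person to check (an executive's name on an address that is not theirs, an external or look-alike domain, a mismatched Reply-To, and an urgent payment request) can be checked mechanically in a mail filter. The following is an added example written for this post, not code from the original article; the executive directory, the internal domain and the sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives and the organisation's own domain.
# In practice these come from the identity provider, not a hard-coded dict.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"
URGENCY = re.compile(r"\b(immediately|urgent|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|direct deposit|transfer|invoice|gift cards?)\b", re.I)


def bec_indicators(raw_message: str) -> list:
    """Return the BEC tells found in one RFC 5322 message as a list of strings."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    # Display name of a known executive, but the address is not the one on file.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        hits.append("display name matches an executive but address differs")
    # Sender domain is outside the organisation (catches look-alike domains too).
    if addr.split("@")[-1].lower() != INTERNAL_DOMAIN:
        hits.append("sender domain is external")
    # Replies would go somewhere other than the apparent sender.
    if reply_to and reply_to.lower() != addr.lower():
        hits.append("Reply-To differs from From")
    # Urgency combined with a request to move money.
    if URGENCY.search(body) and PAYMENT.search(body):
        hits.append("urgent payment request in body")
    return hits


# Constructed sample: a look-alike domain ("examp1e"), a foreign Reply-To and an urgent deposit request.
SUSPECT = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail.example.net
To: finance@example.com
Subject: Re: payment

Please process a direct deposit immediately, I am in a meeting.
"""

# Constructed sample: a routine internal message from the real executive address.
BENIGN = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 report

Can you send me the Q3 report when you have a moment?
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPECT))  # four indicators
    print(bec_indicators(BENIGN))   # []
```

A message that trips several of these checks at once is a good candidate for quarantine or for an out-of-band confirmation with the named executive before any payment is processed.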
As for the March Madness or Game of Thrones scams, look for the classic tells of an insecure website. Does the site address start with "https," with the lock icon indicating an encrypted connection? If not, it may not be safe, and you should certainly not enter any personal information. Keep in mind that the lock only means the connection is encrypted, not that the site itself is trustworthy, since a scam site can use HTTPS too. Additionally, if an ad pops up on the site, don't click on it.
Beyond that, consider that, as we saw in the Apple scam, social engineers deliberately learn about your interests and connections, and those of the culture at large, and use them against you. Be aware of current topics and your own interests, as well as a hacker's ability to potentially access your address book or internet habits, and make sure that you're evaluating any offers or communication with both eyes open. A scammer can and will use any means available to make a scam more convincing or more enticing; don't make it any easier for them to get traction.