For recognising and preventing cyber scams, knowledge is power, writes Paul Anderson, Head of UK and Ireland at the network and cloud security product firm Fortinet.
Cybercriminals use a wide variety of scam tactics to gain access to a device or network, extort money, or steal valuable information. When it comes to understanding today’s threats and how to protect yourself and your organisation against them, knowing the various ways they leverage social engineering tactics to trick users can go a long way. Understanding the basics about different types of scams, and learning how to recognise them will help you to minimise the impact of malicious threats.
The Most Common Threat: Phishing Scams
According to IBM research, 59 per cent of all successful ransomware infections are transported via phishing scams. Phishing attacks happen when a criminal sends a communication – usually via email, phone call or text – pretending to be someone else in order to extract or access credentials, personal data, or financial information about the targeted individual, or sensitive information related to the organisation for which the target works.
Considering the following will help you better recognise these malicious scams:
• Check contact names: Use caution if you receive communications from a source you don’t recognise asking you to take an action like providing personal information or signing into a site. Most companies will never prompt you for your information via email or text. When someone does, you should consider this a red flag that they’re not who they say they are. Check their email address or phone number and compare it with the person or organisation they claim to be associated with for inconsistencies.
• Look for misspellings and poor grammar: Professional organisations take the time to proofread their communications before sending. Often, phishing cybercriminals do not. If you receive a message from a supposedly trusted source that includes typos, poor grammar, or bad punctuation, chances are it’s a scam.
• Look for aggressive behaviour: If the subject matter and language of a message are overly aggressive, it is likely a scam. Have you ever seen an email in your SPAM folder saying something similar to, “Urgent! Your account is X days overdrawn. Contact us IMMEDIATELY”? The goal here is to make you uneasy, so that you panic and take the action the scammers want. Instead, check with the party they claim to represent before taking any immediate action.
The Personal Attack: Spear Phishing Scams
While phishing attacks are sent in mass and offer relatively easy-to-spot clues, spear phishing is more highly targeted and sophisticated. Scammers conduct in-depth research about their victims and take the time to understand their organisation, colleagues and interests in order to boost their chances of success. To better protect yourself from spear phishing, you should:
• Use an email verification service, which validates the source of the emails you receive and checks whether the identity of the Administrative Management Domain (ADMD) that authenticated the message matches the email address being used.
• Proceed with caution when handing over information: While it sounds simple, if users weren’t willingly handing out their information to bad actors, phishing wouldn’t be an effective scam.
• Maintain good security hygiene: When you practise basic security hygiene, you deny scammers many of the common attack vectors they use to infect your machines and gain access to your information or organisation’s network.
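As an added example (not part of the original article or any Fortinet product), the following Python script applies two of the checks described above to constructed sample headers: it compares the organisation claimed in a sender's display name with the real sending address, and it tests whether a passing SPF or DKIM identifier reported by the receiving ADMD in the Authentication-Results header aligns with the From: domain. The domains, header values and the crude organisational-domain reduction are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real mail). mx.example.net is the receiving
# server (the ADMD) that authenticated the message; example.com is the
# organisation each sender claims to be.
ALIGNED = """From: Payroll <payroll@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
"""
SPOOFED = """From: Payroll <payroll@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-sender.invalid; dkim=none
"""
LOOKALIKE = """From: "Payroll <payroll@example.com>" <alerts@examp1e-secure.invalid>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examp1e-secure.invalid; dkim=none
"""

def org_domain(domain):
    """Crude organisational domain (last two labels); a real check would use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_headers(raw):
    """Return the red flags found in the From: and Authentication-Results headers."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Red flag 1: the display name embeds an address from a different organisation
    # than the real sender address (the lookalike trick described in "Check contact names").
    for claimed in re.findall(r"@([\w-]+(?:\.[\w-]+)+)", display):
        if org_domain(claimed) != org_domain(from_domain):
            findings.append(f"display name claims {claimed} but address is {from_domain}")
    # Red flag 2: no passing SPF or DKIM identifier aligns with the From: domain,
    # which is the identifier check an email verification service performs.
    auth = msg.get("Authentication-Results", "")
    aligned = any(
        m and org_domain(m.group(1)) == org_domain(from_domain)
        for m in (re.search(rf"{method}=pass\b[^;]*?{key}=([\w.-]+)", auth)
                  for method, key in (("spf", "smtp.mailfrom"), ("dkim", "header.d")))
    )
    if not aligned:
        findings.append(f"no passing SPF/DKIM identifier aligns with {from_domain}")
    return findings

if __name__ == "__main__":
    for name, raw in (("aligned", ALIGNED), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, check_headers(raw) or ["no red flags"])
```

Note that the lookalike message passes authentication because the scammer controls the lookalike domain; only the display-name check catches it, which is why the address itself must be read, not just the name.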
The False Promise: Baiting Scams
Baiting scams, as the name suggests, aim to bait unsuspecting users into performing a certain action like downloading a virus or entering personal information in exchange for the “bait.” This bait can be anything from free anti-virus software or movies users can download, to physical bait such as a thumb drive labelled, “Corporate Salary Information” left out for a victim to find and plug into their machine. While this type of scam can take many forms, the end goal is always the same: luring users to install something malicious. To protect yourself and your organisation, pay attention to these common clues:
• Avoid “free” deals: Many cyber scammers will attempt to lure victims in with promises of free downloads, free shipping, or free subscriptions. So, be sure to not only double check the source and read the fine print of any agreements, but also do some checking on the organisation claiming to make these offers. Remember, if it sounds too good to be true, chances are it is.
• Avoid unfamiliar external flash drives or hard drives: Baiting can be done digitally or with physical drives that install malicious software. Make sure you know the owner of the drive before you connect it to your machine.
The Helpful Foe: Tech Support Scams
In 2017 alone, the FBI received around 11,000 reports of tech support fraud, costing a staggering total of 15 million dollars in damages. As the name suggests, scammers will pose as tech support employees, either working for a victim’s organisation or for an independent service, to gain access to personal information. Like the previously mentioned scams, success or failure depends on the victim falling for a social engineering attack. With this in mind, it’s important to watch out for one key red flag:
• Look out for unsolicited messaging: Rarely, if ever, will tech support reach out to “check in” or offer to fix your computer. Software and hardware developers do not monitor your use of their products and then call to offer security assistance. If a tech support worker or company is reaching out to you via a popup ad, an unsolicited email or phone call, or through social media, it’s likely a scam. Legitimate companies have established processes in place to update your products and services, such as published patches and updates, or ways to address issues that are built directly into the solution itself.
When it comes to protecting yourself and your organisation against cyber scams, there’s no “one-size-fits-all” solution. As organisations and people alike continue to adopt new devices and technology, they’re opening themselves up to more opportunities for cyberattacks. By exercising a bit more caution and online common sense, the digital world we live in will quickly become a whole lot safer.