May 2, 2023 | Article | 7 min | Business insights
You hear the horror stories all the time—people falling for different types of social engineering attacks and losing everything to some scammer. You’re confident it could never happen to you. But is your business prepared to recognize and fend off these attacks?
Social engineering is an umbrella term for any malicious attack accomplished through human interaction. Social engineers don’t need to be master hackers or tech wizards. Instead, they rely on their silver tongues to gain your trust—and, subsequently, your personal or security information. In 2021, companies worldwide lost $3.6 billion to fraud.
Are your employees trained to recognize phishing scams or deepfakes? Are your cybersecurity and IT teams prepared to fight against ransomware and other computer hacks?
If not, your company could be at significant financial risk—not to mention the damage these scams could do to your reputation. Let’s unpack some common social engineering scams and how to prevent yourself from becoming another statistic.
1. Phishing, Vishing, and Smishing
They may sound like characters from a Dr. Seuss book, but phishing, vishing, and smishing are common types of social engineering attacks, with the latter two being sub-variants of the former. All three involve impersonating a trustworthy brand or figure to trick the victim into handing over personal information.
In a phishing scam, the attacker impersonates a trusted source to extract sensitive information, like passwords and account numbers. You may receive an email from a brand you recognize or with a letterhead you’re accustomed to. Normally, you wouldn’t think twice about a message from a friend, relative, or trusted brand. Scammers impersonate these people to exploit your trust.
A classic phishing example would be an email from (what looks like) Amazon claiming they’ve locked your account. But if you follow the provided link and enter your username, password, and Social Security number, they’ll unlock it. Unfortunately, you may have just handed all your information over to a scammer.
Phishing attacks come via email, while smishing attacks pop up as text messages. They’ll often contain a fraudulent link that either brings you to a form to fill out or downloads harmful malware on your phone.
Smishing messages will appear as urgent requests from a trusted source. For example, your “bank” might text you about a large withdrawal, or “UPS” might message you about a missing package. Because the problem seems urgent, smishing scams can be easy to fall for. Always call the source directly if you receive one of these messages.
Finally, vishing scams use calls or voicemails to impersonate a trusted company. Scammers will call their victims and use a pre-recorded message to solicit personal information.
For example, you may get a robocall talking about your car’s extended warranty. Once you make it past the robot, you’ll be connected to an “agent” looking for more information. That information may include:
- First and last name
- Driver’s license number
- Social Security number
- Credit card number
Some vishing scams seek to record your voice by asking questions you’ll likely answer “yes” to. Then, they can use that recording to authorize charges by pretending to be you on the phone.
2. Whaling: The CEO Fraud
Whaling—also known as CEO fraud—is a social engineering attack aimed at C-suite executives, like CEOs, CFOs, and other high-ranking officers within a company. The term “whale” comes from cybercrime, where highly influential people are considered big fish for online scammers. They target C-level executives because of their authority to access confidential and sensitive information.
Whaling is a targeted phishing attack, meaning scammers are more diligent and sophisticated when engaging with their victims. These phishing emails typically:
- Contain personalized information about the company or individual.
- Are written with a sense of urgency.
- Use well-crafted business jargon to convey authority and gain trust.
Scammers will also disguise themselves as another colleague or partner—perhaps someone you communicate with daily. For example, you might exchange emails with BusinessPartner23@work.email.com—your actual business partner. A scammer may send you a message from BusinesssPartner23@work.email.com.
Did you notice the subtle difference? The extra ‘s’ in “Business”? Now imagine you're up to your neck at work. Would you be able to spot the difference at a moment's notice?
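The extra-letter trick above is exactly the kind of near-miss a mail filter can catch mechanically. The following is an added example, not code from the original article: it compares an incoming sender address against a constructed address book and flags any address that is within a couple of edits of a known contact without being identical. The function and constant names (`flag_lookalike`, `KNOWN_CONTACTS`) are assumptions for this demo.

```python
# Added example (not from the original article): flag sender addresses that
# are a near miss of a known contact, like the extra "s" in
# BusinesssPartner23@work.email.com versus BusinessPartner23@work.email.com.
# Names below (flag_lookalike, KNOWN_CONTACTS) are assumptions for this demo.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def flag_lookalike(sender: str, known_contacts, max_distance: int = 2):
    """Return the known contact a sender nearly matches, or None.

    An exact (case-insensitive) match is a genuine contact and returns None.
    An address within max_distance edits of a known contact, but not identical,
    is the whaling pattern the article describes and is returned for review.
    """
    s = sender.strip().lower()
    best = None
    for contact in known_contacts:
        c = contact.strip().lower()
        if s == c:
            return None
        d = edit_distance(s, c)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, contact)
    return best[1] if best else None


# Constructed address book for the demo.
KNOWN_CONTACTS = ["BusinessPartner23@work.email.com", "cfo@work.email.com"]

if __name__ == "__main__":
    for addr in ["BusinesssPartner23@work.email.com",
                 "BusinessPartner23@work.email.com",
                 "newsletter@example.org"]:
        print(addr, "->", flag_lookalike(addr, KNOWN_CONTACTS))
```

In practice the same check would run against the whole corporate directory and known partner list, and a hit would route the message for quarantine or a warning banner rather than silently passing it through.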
In falling for these attacks, you may accidentally convey sensitive information to malicious actors. Some whaling attacks exist to learn more about the company as scammers prepare for a large-scale attack in the future.
Consider these best practices for preventing whaling and CEO scams from infiltrating your company:
- Focus on Education: Ensure all team members—executives included—understand the different types of whaling scams and how they can hurt the company. Leverage phishing simulation tools to help them identify future scams.
- Control Information Spread and Limit Personal Device Use: Establish a system for limiting the time employees spend on personal devices. Ensure that sensitive company information never leaves the office.
- Audit Current Cybersecurity Infrastructure: Ensure you’re using the latest malware protection technologies to secure your information.
3. Deepfakes
Technology has opened thousands—if not millions—of new doors for business opportunities. Unfortunately, scammers can easily walk through those doors too. Anybody with a smartphone can download an app, swap their face or voice, and try to scam you. When these types of social engineering attacks reach a certain level of sophistication, they enter the realm of deepfakes.
Deepfakes, specifically audio deepfakes, can be incredibly deceptive. With audio deepfakes—also called voice swapping—scammers use AI to mimic a real person’s voice, usually a C-level executive or someone with authority. From there, they’ll contact an employee with an urgent request, and that employee will likely oblige because it sounds like it’s coming from the boss.
Deepfakes are challenging to detect, a testament to why they’re so effective. Remind team members that just because they believe they’re communicating with an executive doesn’t mean they should comply immediately.
If the message circumvents company policy, has an abnormal sense of urgency, or seems suspicious, there’s a good chance it’s malicious.
Pay special attention to money-related requests that deviate from established processes. If you receive a suspicious voicemail from someone, call them back on a direct number—such as their desk phone or personal mobile phone—to confirm.
4. Banking Scams
Between depositing checks, reviewing balances, and transferring funds, you can satisfy all your banking needs with your thumbs and a smartphone. But technology works on a two-way street.
Banking scams leverage different types of social engineering attacks to obtain your account information, including usernames, passwords, and security question answers. From there, scammers have free rein over your bank account to either drain your funds or open credit cards in your name.
With banking phishing scams, fraudsters will send you a text, email, or voicemail that appears to be from your bank. They’ll ask you to take immediate action to prevent catastrophe, such as providing personal information to prevent your account from being closed or a massive charge from going through.
The message may link you to a website that deepfakes your bank’s real website. It may also transfer you to a customer service rep who already has some of your personal information. They’ll gain your trust by rattling off details easily sourced from your social media pages, like your hometown and birthday.
Scammers can easily pull personal information from your social profiles to guess your passwords. Therefore, using long passwords with capital letters, numbers, and special characters is crucial.
According to McAfee, a computer can guess an eight-letter password instantly, and it only takes about 22 minutes when you add a single uppercase letter. Meanwhile, it’ll take the computer 34,000 years to guess a 12-character password containing an uppercase letter, a number, and a symbol.
Scammers also target public Wi-Fi networks to steal personal information saved in the network. For example, if you buy something online while waiting at the airport, your credit card information might be saved in the public cloud.
Never enter banking information while on a public Wi-Fi network. Whatever it is can probably wait until you’re home or back in the office.
5. Ransomware
Ransomware is malware that blocks access or encrypts data on your servers. From there, cybercriminals demand ransom money in exchange for removing the software and releasing your data.
There are two basic types of ransomware: locker and crypto. Locker ransomware restricts access to basic computer functions. Your mouse and keyboard use may be restricted, and the malware will deny you access to your desktop. Thankfully, this type of ransomware doesn’t go after your data. Instead, it’s meant to lock you out and disrupt workflow.
On the other hand, crypto ransomware goes after your files and data. It’ll encrypt them, making them inaccessible, and then add a “self-destruct” timer. If you don’t pay the ransom in time, all your files will be deleted. If your data isn't backed up in the cloud or saved on external storage, crypto ransomware can devastate your company.
With these distinctions in mind, here are some best practices to consider to protect your company from ransomware attacks.
- Back Everything Up: If it wasn’t abundantly clear, ensure all your data and files are backed up in the cloud or on an external storage device. If you fall victim to ransomware, you’ll be able to recover everything you “lost.”
- Make a Plan: How you react to a ransomware attack will likely determine the outcome. Have a plan and stick to it—whether it’s a ransomware attack plan or a business continuity plan.
- Perform Constant Updates: Ensure your cybersecurity software and hardware are running the most up-to-date versions. Configure all your employee devices to update automatically, and leverage security tools that install patches the moment they release.
According to the FBI, you should never pay the ransom. Instead, get authorities involved ASAP. In some cases, like in hospitals and public utility companies—when ransomware is a matter of life and death—it may not be possible to wait. But notify the FBI of all cybersecurity attacks regardless, as it’s the only way to prevent future events.
How You Can Fight Against Social Engineering Attacks
With so many types of social engineering attacks, learning how to prevent them can feel daunting. But cybercriminals will never stop trying to steal your information, meaning you can never stop fighting to defend yourself. Aside from what we’ve already covered, here are some additional strategies to protect against social engineering attacks.
Update Spam Filters
Scammers love email—so cutting them off at their favorite source is the best way to prevent phishing scams from landing in your inbox. Implementing a robust email gateway can prevent 99.9% of all spam messages.
Establish Rules Around Social Media
Targeted phishing scams use personal information from social media to build trust between scammer and victim. Limit the personal information you and your employees post on social media and instruct them about popular tactics scammers use to obtain personal information.
These include quizzes, reposts, and shares saying, “What do your first car and Zodiac sign say about you!” Scammers can easily guess your birthday and know your first car—a standard security question on many websites.
Leverage Multi-Factor Authentication
The more hoops scammers have to jump through, the harder it is to steal your information. They may obtain your login credentials—but you’ll have to approve all logins from an app on your cell phone.
If It’s Too Good to Be True… It Probably Is
Use basic logic and due diligence to weed out impossible offers. For example, scammers hacked many celebrity Twitter accounts in 2020—including Bill Gates, President Obama, and Elon Musk—claiming they were giving out free bitcoin if their followers sent them $1,000.
Safeguard Your Business Today
Technology can do wonders for your business, but it can also leave you open to many types of social engineering attacks if you don’t take the necessary precautions. Falling victim to phishing scams, deepfakes, and ransomware can cripple a company, exemplifying the need for robust cybersecurity plans, systems, and knowledge.
Social engineering attacks can harm your business, so you should have a strong relationship with your bank. First Bank & Trust, a division of HTLF Bank, has a team of fraud experts with extensive knowledge to help their clients better defend against scammers and mitigate risks. You can take the first step to protect your business by educating yourself and your team on current fraud trends and implementing internal policies and procedures to reduce your fraud exposure.
Get in touch with First Bank & Trust, a division of HTLF Bank to speak with a commercial banker to learn more about the solutions we provide to help protect your business. Together, we can better shield your money and personal data from malicious cybercriminals.