By Lara Evans Bracciante
To help ABMP members stay safe in the digital world, we are running a short blog series on cybersecurity and how you can protect your personal information and your computer and digital devices from today’s bad actors. Here is the first installment on social engineering scams.
Google and Facebook lost $100 million when payments for services were repeatedly sent to an account controlled by a hacker. Username and password credentials were stolen from employees at the US Department of Labor, compromising sensitive data. Microsoft sounded the alarms when Russian hackers targeted individuals at organizations critical to Ukrainian security and emergency response. And massage therapists have repeatedly been the target of “reimburse for overpayment” scams and fake invoicing for website hosting. In all these cases, the bad actors were targeting individuals, asking them to make one wrong move and let the attacker through the door.
Cybersecurity has become a mainstream word, and we all generally know what it means: information protection on our computers and devices. And while success requires a multipronged approach—updated software, firewall protection, strong passwords—it is also critical to protect yourself from a thing called social engineering.
What is Social Engineering?
Social engineering is a fancy phrase for getting someone to click on a link or take an action that will compromise security. And while we’ve gotten pretty good at spotting the “Nigerian prince” email scam, social engineering includes a variety of techniques, some of which are now quite sophisticated. They can come via email, text messaging, app messaging, or over the phone. And they are happening all the time, to pretty much everyone.
The basic concept is, a message is sent to you urging action—to click a link, download a file, maybe update your online credentials. The sender may be sending this en masse or has perhaps targeted you or your business specifically. They may even pretend to be your bank, your boss, or an employee in human resources or accounting. Ultimately, they are looking for you to make a mistake that could compromise your private information and/or infect your computer or digital device with a virus. Check out these specific phishing examples from KnowBe4, an organization offering online security training.
But if you stay aware, you will find tell-tale signs within scam messages that give them away, and you can simply choose to not open the door when the hacker knocks.
Tips to Protect Yourself from Social Engineering
Here’s what to look for:
- When receiving an email, mouse over the sender’s name and see what actual email address is behind it. For example, the name may read John Smith (your manager), but hovering over the name reveals the email address as firstname.lastname@example.org (not your manager’s email).
- Also, when checking the full email address, verify the domain (the part after the @ sign) and ensure it’s not a close fake; email@example.com is not the same as firstname.lastname@example.org. That single period makes all the difference.
- Check the subject line. Is it relevant to the content? If not, this is a big red flag.
- Does the subject line or content connote urgency? For example, check to see if the subject line is attention-getting but vague (“Very Important”) or the content asks for immediate help (“I am stuck at the airport and need some cash.”). Chances are, this is not legit.
- Mouse over any links in the content and verify the authenticity of the website address. If there’s any question, don’t click.
- Never click on or download an attachment unless you are absolutely certain it’s coming from a safe sender, and you are expecting it. Not sure? Pick up the phone and call the sender to verify.
- Question any phone or email requests from “the IT department” or “accounting” asking for computer access, account credentials, or other sensitive information. It is unlikely that such a request is ever necessary.
- Remain skeptical. Would the CFO really send you an email from the airport asking you to quickly wire money to a client he forgot to pay? If there’s any doubt, make a call to verify the request. Your boss, bank, or client will appreciate your savviness.
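The first five checks above can also be run automatically on an incoming message. The script below is an added example, not part of the original post or of ABMP’s tooling: it reads one email, and flags a display name that does not match the directory entry for that person, a sender domain that differs from the trusted one only by a dot or hyphen, urgency cues in the subject or body, and a link whose visible text shows one site while its real target is another. The trusted domain, the staff directory, the urgency cues, and the sample message are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for this example, not taken from the original post.
TRUSTED_DOMAIN = "example.com"                              # assumed organization domain
KNOWN_PEOPLE = {"john smith": "john.smith@example.com"}      # assumed staff directory
URGENCY_CUES = ("very important", "urgent", "immediately", "wire", "stuck at the airport")
# Matches an HTML link whose visible text is itself a URL: group 1 = real host, group 2 = shown host.
LINK_RE = re.compile(r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>\s*https?://([^/<\s]+)', re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike(domain: str, trusted: str) -> bool:
    """True when the domain has the trusted domain's letters with dots/hyphens moved, added or removed."""
    def strip(d: str) -> str:
        return re.sub(r"[.-]", "", d.lower())
    return domain.lower() != trusted.lower() and strip(domain) == strip(trusted)

def flag_message(raw: str) -> list[str]:
    """Return the tell-tale signs found in one RFC 822 message; an empty list means none were found."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and addr.lower() != expected:           # tip 1: name says insider, address says otherwise
        flags.append(f"display name '{name}' but address is {addr}")
    domain = domain_of(addr)
    if lookalike(domain, TRUSTED_DOMAIN):                # tip 2: close-fake domain
        flags.append(f"lookalike domain {domain} (not {TRUSTED_DOMAIN})")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [c for c in URGENCY_CUES if c in text]        # tips 3-4: vague or urgent wording
    if hits:
        flags.append(f"urgency cue(s): {', '.join(hits)}")
    for real_host, shown_host in LINK_RE.findall(body):  # tip 5: link text vs. real destination
        if real_host.lower() != shown_host.lower():
            flags.append(f"link shows {shown_host} but points to {real_host}")
    return flags

SAMPLE = """\
From: John Smith <john.smith@exa.mple.com>
Subject: Very Important
Content-Type: text/html

I am stuck at the airport and need some cash. Wire it here:
<a href="https://login.attacker.invalid/pay">https://example.com/payroll</a>
"""

if __name__ == "__main__":
    for f in flag_message(SAMPLE):
        print("-", f)
```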
Social engineering is widespread, and everyone is at risk. Be wary, keep your guard up, slow down, and check twice. The extra seconds to do so could make all the difference.
Lara Evans Bracciante is ABMP’s senior director of Information Technology & Member Service Operations.