How to Avoid One of the Oldest Online Scams?
Personalized Messages, The Hook That Catches Most Victims
Subject: [Your Name], I need your help...
Have you noticed emails like this landing in your inbox more often? Phishing scams, a form of social engineering, are as old as the internet itself. But scammers are becoming more sophisticated in their approach. Gone are the days of Nigerian princes. Today’s hackers use personalized messaging that targets individuals, often by name, in an effort to trick recipients into following bogus links or giving up their personal information.
You could be a victim and not even realize it until you’re locked out of your accounts or your bank balance is overdrawn. By then, it may be too late to do anything. The key is to know what to look for and how to prevent an attack.
Do you know how to spot a phishing attempt?
Newsflash: Phishers Are Not Your Friend
Despite the billions spent on cybersecurity, anti-malware, and advanced spam filters, IT security professionals overlook one thing: human nature.
You see, we’re hard-wired to help, especially if there’s a reward involved, and none of us believes we’ll become the latest statistic. The criminals are counting on that part of our psyche to remain unchanged.
We like to feel that we’re smart enough to avoid a scam, but the numbers indicate that far too many of us remain uneducated about common security threats.
Negligence by the Numbers: Eye-Opening Security Stats
Human error is the number one threat to data integrity. The causes can be as simple as negligence, like creating weak passwords or leaving devices unlocked and sitting out, or as complicated as a trail of links leading to a bogus version of a legitimate website.
I’ve had at least a dozen emails in the past week from a fake Amazon website warning me of a “problem with my delivery.” Fortunately, I’m one of the five people left on earth who doesn’t have a Prime account or a pending delivery, so this campaign was a fail. Unfortunately, millions of other people do, so this phish in a barrel approach is bound to catch quite a few unsuspecting shoppers.
How widespread is this problem?
A 2017 Data Security Incident Response Report put together by BakerHostetler incorporated data from the 450 breaches that occurred the previous year. The report revealed that 32% of incidents were initiated by human error. Of these, 25% of attacks involved phishing and another 23% were initiated via ransomware. An additional 18% of compromises occurred due to lost or stolen devices, and 3% of victims reported internal theft.
IBM’s 2015 Cyber Security Intelligence Index steals the show with this information: 95% of cybersecurity breaches are due to human error. Not much has changed over the past five years except the level of innovation and the sheer volume of email accounts. That means almost 100 percent of successful phishing attempts and cyber thefts are avoidable.
Take a deep breath and let that sink in for a moment.
Now, we can move forward to detail how these scams occur and what you can do to prevent them.
Social Engineering in a Nutshell
Rather than sending bulk, generic emails and hoping for success through volume, today’s hackers are initiating a long con. This makes it easier to avoid the advanced tech designed to thwart them and relies on human frailty for success. That doesn’t mean that victims are weak; they’re simply naive, busy, and willing to help if they think someone is in trouble.
There are thankfully few people who would respond to a blatant request from a stranger to hand over their credit card or account information, a la Nigerian royalty. The new phishing and spear-phishing attempts often involve multiple contacts to build trust slowly. This can include direct contact or seemingly casual contact on social media platforms.
The idea is to obtain enough nuggets of information to craft a realistically personal email aimed directly at individual targets.
Once they make contact and establish trust, they slowly worm sensitive personal information out of individuals or encourage them to follow links that contain hidden malicious code. Whatever the method of attack, the results are identity theft, cryptojacking, or empty bank accounts.
In 2016, 60% of companies surveyed reported social engineering attacks like these, and 73 phishing attempts are halted by Symantec every day. The number of such exploits is increasing, with no limit in sight.
For Symantec, this kind of attack now represents such a threat that it has shifted the playing field in cybersecurity. “This is the next evolution of social engineering, where victims are researched in advance and specifically targeted,” a company spokesman said in a recent internet threat report. “The very nature of social networks makes users feel that they are among friends and perhaps not at risk. Unfortunately, it’s exactly the opposite and attackers are turning to these sites to target new victims.”
Humans Versus Technology
You might be thinking that people must be stupid to fall for such tricks, and that’s exactly my point. People aren’t stupid. They’re simply too trusting. What these examples really prove is the danger of two aspects of being human. The first is that we like to help each other out, in a world where hackers regularly exploit this good nature. The second is that we’re creatures of habit, and our routines are tracked and used by hackers.
For example, if I asked you how many traffic lights there are on your journey into work, you probably couldn’t tell me. Likewise, when elements of our job become routine, we become less conscious of what and why we do certain things. This can be incredibly dangerous to businesses, as this lack of mindfulness leads to accidents.
What to do about it?
Spotting a phishing scam might sound pretty easy, but a lot of people still fall for them. Teach your employees (and yourself) what a cyber threat looks like. You could even send some fake emails if you are feeling mischievous, and see if anyone falls for them.
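One of the tells worth teaching is the mismatched link: the visible text of an email shows a trusted address while the link underneath goes somewhere else, or the hostname is a look-alike of a real brand. The following is an added example, not code from the article, that scans an HTML email body for those two signs. The email body, the trusted domain list and the homoglyph table are all constructed for the demonstration, and the domain-splitting helper is a rough stand-in for a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style email body (not from the article). The
# first and third anchors show a trusted-looking name but point elsewhere; the
# second is a genuine link with neutral text.
SAMPLE_EMAIL_HTML = """
<p>There is a problem with your delivery. Please confirm your details:</p>
<p><a href="http://amazon-delivery-check.example.net/login">https://www.amazon.com/orders</a></p>
<p>Or review your account: <a href="https://www.amazon.com/gp/css/order-history">Order history</a></p>
<p>Help desk: <a href="http://amaz0n.example.org/support">amazon.com support</a></p>
"""

# Assumption: the brand domains this mailbox legitimately expects mail from.
TRUSTED_DOMAINS = {"amazon.com"}

# Digits commonly swapped in for look-alike letters in bogus hostnames (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Something that looks like a hostname inside visible anchor text.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def domain_in_text(text):
    """Registrable domain named in the visible anchor text, or None if it names no domain."""
    match = DOMAIN_RE.search(text)
    return registrable_domain(match.group(0)) if match else None


def link_findings(href, text, trusted=TRUSTED_DOMAINS):
    """Reasons a single link looks like a phishing lure; an empty list means it passed."""
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no hostname in href"]
    target = registrable_domain(host)
    reasons = []
    shown = domain_in_text(text)
    # Tell 1: the text shows one domain, the actual destination is another.
    if shown and shown != target:
        reasons.append(f"display text names {shown} but link goes to {target}")
    # Tell 2: an untrusted destination borrows a trusted brand name, exactly or via homoglyphs.
    if target not in trusted:
        brands = {d.split(".")[0] for d in trusted}
        for label in host.split("."):
            if any(brand in label for brand in brands):
                reasons.append(f"hostname contains a trusted brand name but domain is {target}")
            elif label.translate(HOMOGLYPHS) in brands:
                reasons.append(f"label '{label}' is a look-alike of '{label.translate(HOMOGLYPHS)}'")
    return reasons


def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return [(href, reasons)] for every link in the body that trips at least one check."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        reasons = link_findings(href, text, trusted)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample body, the first and third links are flagged (mismatched display text, brand name in an untrusted domain, and a digit-for-letter look-alike) while the genuine order-history link passes. The same idea is what a mail gateway or a browser hover preview gives you; showing people the raw href next to the text they were shown is usually the quickest way to make the trick visible.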
Other necessary security measures include implementing multi-factor authentication; creating a forensics plan so a cybersecurity investigation can start quickly; building business continuity into the incident response plan to ensure systems remain stable; vetting the technical ability, reputation and financial solvency of your suppliers; taking advantage of the encryption and IP-masking features of a reputable VPN service so that you do not hand hackers the information they seek; deploying off-site or air-gapped backup systems in case of ransomware; and acquiring the appropriate cyber insurance policy.
The Bottom Line
Ultimately, what you’re aiming for is to make your employees as aware of cybersecurity as they are of home security. In the same way that you would teach a child to look both ways before crossing the street, your employees need to understand how to assess the risk of ‘helping’ someone outside of your organization by giving them information or access to your internal systems and databases.