Wed, Oct 11, 2017

Social Engineering and Smishing - What You Need to Know

In 2016, the FBI reported that U.S. cyber crime losses exceeded $1.3 billion. Many of these cyber crimes could be directly traced to social engineering or phishing campaigns.

Social engineering, or what many call “hacking humans,” is a leading cause of network breaches and unauthorized access to remote systems. It can take many forms, from someone on the phone pretending to be an IRS agent saying you owe back taxes, to emails offering you millions of dollars after you first send a couple thousand dollars to cover related fees. Phishing or spear phishing attacks raise the stakes by using details of your personal and business relationships to trick you into thinking requests are coming from legitimate callers or email senders.

While many people have been duped by these various schemes, public and corporate cyber security awareness campaigns have gone a long way toward helping educate users not to trust unsolicited phone calls and emails. So, when users are smart enough to recognize scam phone calls or to spot and delete fraudulent emails, where do scammers turn next? Why not turn to communicating with people through a device they carry with them every hour of the day? Why not target their cell phone!

What is Smishing?

“Smishing” is the evolution of social engineering whereby phishing or trickery takes place via a text message. Cyber criminals count on human emotions of fear, hope, and curiosity to act on these fake text messages. And with only 160 characters in a text message, users have come to expect brief and impersonal messages on their phones. Following are just a few smishing examples that Kroll has observed across its investigations:

  • An official-looking text message from “your bank” asking you to verify a transaction
  • An official-looking text message from your “phone company” asking if you added a line of service
  • A “financial institution” asking you to validate a piece of personal information, otherwise your account will be locked or frozen
  • A text message saying you won a drawing and have a limited amount of time to respond

How to Spot Social Engineering

One of the many tactics cyber criminals use to defraud people is by spoofing the caller ID, which lends an air of authenticity to their communication. Attackers may also provide a link to a website where the domain name is very similar to a legitimate domain, but perhaps they have substituted a numeral “0” for the letter “O” – things that the normal user reading quickly would likely not catch. These may look like (a zero instead of an “o”) or (the numeral 1 instead of an “l”).

Some telltale signs of social engineering are:

Pretends to know some publicly available information about you

  • Will try to warn you of something or induce fear or concern about an item/situation
  • Will promise some sort of unrealistic outcome that seems too good to be true
  • Will have some sort of urgency or time sensitivity, applying pressure
  • Will provide information under the guise of authority meant to appear official but that cannot be verified

In a very fast-paced cyber world, protect yourself by slowing down.

Scammers may try to take advantage of friends and family relationships. This is especially true when email or social media accounts are compromised. So, instead of quickly responding to every text, email, or phone call, slow down and follow these best practices:

  • If you’re not face to face with someone, consider adopting the posture of “trust no one” until you are able to verify his or her identity.
  • If you receive a text message that appears to be fraudulent, don’t respond, don’t reply.
  • If a text message seems weird or abnormal, it probably is. If you have any doubts about the validity of a text message, a phone call, or an email, communicate with the known service provider at a phone number you already know to be good. If it is a bank, call the number on the back of your debit or credit card. If it is a utility, call the number on your bill.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.