Social Engineering: What to Look For and Things to Avoid

by Andy Gritzer

Around 10 months ago I sent out an email highlighting the various email security threats out there and how to avoid the pitfalls of phishing and impersonation.

 

Here is that articlehttps://mepush.com/email-safety-tips-must-read-every-employee/   

 

The points in my previous article are still valid, but I wanted to update that to include a few other variations our cybersecurity team has been seeing.  

 

Attempts to gain access to your accounts or gather your personal information can come from anywhere.  Facebook, twitter, phone calls, text, etc. are all vectors people may use to do this.  All of this is called social engineering.  This is defined as “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.”

 I'm the IRS: I need your social security number

Every day we deal with the issue of determining whether some form of communication we receive can be trusted or not.  Unfortunately, it’s getting to the point where this thought process is almost automatic.  So again, we just want to highlight the things to look out for, so you don’t fall victim. 

 

BE CAREFUL IF IT SEEMS URGENT

Social Engineering: Fake Facebook Password Reset Email

Example of fake password reset email.

Many phishing emails attempt to generate a sense of urgency (generally time sensitive).  This tactic is designed to cause panic and hopefully keep you from making good decisions.  Here is an example.  

 

“If you don’t reset your password now all of your emails will be deleted!!”   

 

Of course, an email host would never do this.  Not all people realize this, and you might panic, follow the instructions in the email, and hand over their account credentials.  I’m sure you’ve had friends on Facebook say, “Don’t open the link I sent you.  My account has been hacked!”.   This is most likely how that happened.  The general rule of thumb is if you didn’t request the reset password link IT’S A PHISHING SCAM.  If you still want to reset your password, go directly to the site and do it there.  

 

BE CAREFUL IF IT SEEMS OFFICIAL 

 Senders also attempt to impersonate official agencies or use a well-known name to get what they want.  Just remember, the IRS is NOT going to email or call you asking for your social security number.  They already have your information on file. 

 

Social Engineering: You've been infected pop up.

You’ve been infected pop up.

 The most common ones we see come in two forms.  The first is the dreaded 1-800 pop up that you may get on your computer saying you’re infected with a virus and to call a number right away.  Calling the number will connect you with a “technician” that will attempt to log into your computer and then persuade you to pay a cleanup fee to resolve your issue.  The warning message you get is a pop up being generated from an infected website (NOT a virus on your computer).  Generally, closing your browser or just rebooting your computer resolves this.     

 

The second is a “too good to be true” scenario.  The target will receive a phone call from Microsoft of some other well-known entity.  They will let you know that due to them going out of business they would like to refund you the remainder of the warranty or service that you had purchased.  They will just ask you for your bank account or credit card so they can send you the refund.  It would be fantastic if someone called me to give me money.  But unfortunately, it has never happened.  If you ever get a call like this just hang up the phone.  Do not engage the caller. 

 

Hopefully with this information you will be better equipped to deal with potential scams that come your way.  

 

Sincerely,  

 

Andy Gritzer 

Remote Team Leader/Project Manger