Would you let a stranger into your house?

Social Engineering

In the pursuit of a quick dollar, the Internet’s underworld is always looking for the weakest link in the chain. Unfortunately for us all, WE are now the weakest link. Continued improvement in anti-malware protection at the firewall, on the network and on our PCs, along with external filters and intrusion prevention, has made it hard for scammers to cut through the technology. Increasingly, clever scams and malicious methods are aimed at people, tricking them in the course of their daily work. This is known as “social engineering”.


Aside from technological controls, the most effective way to prevent social engineering is education. Keep reading for some tips on avoiding the traps being set for us all.

Credibility

Social engineering relies on the recipient (usually of an email) finding a claim plausible.
While a claim that an Australian recipient has a $90,000 tax refund owing from the USA’s Internal Revenue Service will hold near zero credibility for most Australians, a claim that an Australia Post package needs to be collected is plausible to almost any local audience.
Some social engineering is a pretext for other attacks. “Phishing” is tricking people into revealing personal or financial information, which can then be used to steal money directly or to make further social engineering more convincing.
Security company RSA, whose SecurID tokens are used worldwide to secure remote access for many of the world’s government and business organisations, was compromised in 2011 via an Excel spreadsheet called “2011 Recruitment plan.xls”. An employee retrieved the attachment from the Junk folder and opened it; the spreadsheet carried an exploit that gave the attackers a foothold inside the company, and the intrusion exposed SecurID customers world-wide to remote-access attacks.

Risks

In almost any case of social engineering, the end goal is profit. Whether it’s the Nigerian Prince scam asking for a pre-payment to free up fictitious millions, or a Facebook page asking for “Likes and Shares to win!” in order to collect your personal details and sell them on to identity thieves, the goal remains the same.
A more direct and devastating recent attack is ransomware. Ransomware was typically delivered in ZIP archives with plausible names and purposes, such as a resume submission or a missed parcel delivery. More recently it is being delivered in Microsoft Word and Excel documents that include instructions on how to disable macro security, which is exactly what the malicious macro needs in order to run.
Ransomware uses strong, modern encryption to scramble your data and then ransoms it back to you for a fee. Various psychological and technological methods are used to cause maximum distress so that victims pay up.
The advice from security organisations remains the same – do not pay. The only true protection is data backups, and backups have saved many businesses hit by ransomware. The backup must be kept where the ransomware cannot reach it (offline, or on storage the infected PC cannot write to), because the same malware that encrypts your documents will happily encrypt a backup drive that is left plugged in.
Contact us at Diamond ICT should you have any concerns about your data backups.

How to spot a scam

The easiest way for us to help you spot a scam is by providing a check list of signs that what you’re seeing isn’t legitimate or could be malicious.

1. Was the email/message/post unsolicited?

Most scams are unsolicited. If you’re not expecting a delivery from FedEx, then a message with an attachment from FedEx is highly suspicious. Be sceptical. Legitimate organisations avoid contacting customers about important account and financial matters by email and messaging precisely because doing so lends credibility to these scams.

2. Is the email/message/post targeted to you?

If the only information the message has about you is what can be read from your email address or a public social media profile, then it’s suspicious. An email from PayPal or iTunes that opens with a generic greeting such as “Dear customer” is highly suspicious. Be sceptical.

3. Is the message prompting you to visit a suspicious location?

Most forms of social engineering need you to reply to an email address or visit a website. More sophisticated attacks use clever imitations of legitimate domain names, such as apple-service.ru posing as apple.com.
Hold your mouse pointer over a link in an email to reveal where it really goes. Any link is suspicious, but one that doesn’t point to a true and known domain such as microsoft.com is highly suspicious. Read the revealed address carefully: the part that matters is the name immediately before the first single “/”, so a name such as microsoft.com.somethingelse.ru is not microsoft.com, and link text that shows one address while the pointer reveals another is a sure sign of a scam.
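The check described in point 3 can be automated for an HTML email body. The script below is an added example written for this page, not a tool from Diamond ICT or from the original article: it pulls every link out of the message, works out the registered domain each link really points to, flags any that are not on a short trusted list, and flags links whose visible text names a different domain from the one the href goes to. The trusted-domain list, the two-label suffix set (a stand-in for the Public Suffix List) and the sample email are assumptions constructed for the example; apple-service.ru and apple.com are the lookalike pair from the text above, and the auspost.com.au.parcel-redelivery.ru host is invented to show the “trusted name buried inside a foreign domain” trick.

```python
"""Link-target check for an HTML email body (added example, not the article's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation trusts. Assumption for the example only; a real
# deployment would maintain this list centrally and keep it short.
TRUSTED_DOMAINS = {"microsoft.com", "apple.com", "paypal.com", "auspost.com.au"}

# Public suffixes that take two labels (e.g. "com.au"). A real tool should use
# the Public Suffix List; this handful is enough for the sample below.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}

# Constructed sample: a phishing-style email with one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer,</p>
<p>Your parcel could not be delivered. Please
<a href="http://auspost.com.au.parcel-redelivery.ru/track">track it here</a>.</p>
<p>Or log in at <a href="https://apple-service.ru/login">https://www.apple.com/account</a>
to update your details.</p>
<p>Our site: <a href="https://www.microsoft.com/">www.microsoft.com</a></p>
"""

# Matches something that looks like a hostname inside the visible link text.
_HOST_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href") or ""
            self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, text.strip()))
            self._current = None


def registered_domain(host):
    """Registrable part of a hostname: 'apple.com' for 'support.apple.com',
    'auspost.com.au' for 'track.auspost.com.au'. This is the part a reader
    must compare against the domain they expect."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_links(html_body):
    """Return a list of (href, registered_domain, flags) for each link.
    flags is empty for a link that looks legitimate."""
    parser = _LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registered_domain(host) if host else ""
        flags = []
        if domain not in TRUSTED_DOMAINS:
            flags.append("untrusted-domain")
        # Visible text naming a trusted site while the href goes elsewhere is
        # exactly what hovering the mouse pointer over the link reveals.
        shown = _HOST_IN_TEXT.search(text.lower())
        if shown and registered_domain(shown.group(0)) != domain:
            flags.append("text-mismatch")
        results.append((href, domain, flags))
    return results


def suspicious_links(html_body):
    """Only the links that raised at least one flag."""
    return [r for r in check_links(html_body) if r[2]]


if __name__ == "__main__":
    for href, domain, flags in check_links(SAMPLE_EMAIL):
        verdict = ", ".join(flags) if flags else "ok"
        print(f"{href}\n  -> {domain or '(no host)'}: {verdict}")
```

The registered-domain step is what defeats the “trusted name on the left” trick: auspost.com.au.parcel-redelivery.ru resolves to parcel-redelivery.ru, not to Australia Post, no matter how convincing the start of the name looks.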

4. Was it sent to Junk Mail?

If an email has an attachment and/or links to external pages and it is in your Junk Mail/Spam folder, it is already suspicious. Treat any such email as “guilty until found innocent”, and ask for help as described in point 5 below.

5. Check with co-workers and your IT department

A co-worker may be able to spot a fake for you, and an IT technician will have a good set of tools to scrutinise any suspicious messages and attachments you receive.
Forget any inconvenience about raising something as suspicious that turns out to be legitimate, as the alternative is far more damaging and costly.

We at Diamond ICT are available to you under your Managed Services Agreement to help keep you safe from the Internet’s predators. If you are suspicious about a message and it has no impact (deleting it won’t cause your business any damage or inconvenience), then delete it.
If you have a suspicious message that needs to be checked for legitimacy, use the Red D tool at the bottom right of your screen to open a ticket with our technicians and we will scrutinise it for you.