Online scammers up their game with social engineering as more and more of us get phished
Phishing scams have reached new levels of sophistication and personalisation.
Confidence tricks are a fraud as old as human civilization, but in the data age it has become even easier for cybercriminals to gather data about us and relieve us of our hard-earned cash. Phishing is among the most recent methods of identity theft to appear, and the fastest-growing market for fraudsters.
Many readers may already be familiar with this method of finding out the passwords, PIN codes, and personal details that allow fraudsters to access otherwise inaccessible online or phone accounts. But for those not in the know, phishing involves fraudsters impersonating a trusted institution, such as your bank, in order to trick you into handing over vital security credentials.
This can be done online, often by sending emails with suspicious attachments or links which open malware on your computer, or over the phone by fraudsters impersonating employees of trusted institutions, or even a combination of the two.
If you think you’re unlikely to be targeted, think again. In the last year alone, a massive 26,379 people were the victims of phishing expeditions, according to FBI figures. Although this is only a slight increase on the numbers the FBI recorded for 2017, the sums being stolen have jumped from a worrying $50 million in 2018 to a terrifying $70 million this year.
These aren’t the charmingly ham-fisted begging letters from Nigerian princes that we’ve all become so used to either. Scammers now rely on social engineering, targeting us individually and picking up data that is available on our social media, or generally publicly accessible, to build up a portfolio of useful facts to gain our trust or even gain access to parts of our account.
Take the example of Pieter Gunst, who recently shared his experiences in an article with CNN. An intelligent, articulate business owner, he still found himself being taken in by a caller who claimed to be a representative of his bank, reporting suspicious activity on his card. What gave this scammer the edge was that they had done their research and could trigger a verification PIN, sent to his phone by his own bank, and then use it to gain access to his online account.
The fraudster was then able to reel off details from Gunst’s accounts just as a real employee would. This reassured Gunst, in spite of the surprise nature of the call and the unknown number it had come from, right up until the point when the caller asked him for his PIN (supposedly to block it and stop further misuse of his card).
Gunst knew that no legitimate employee would ever do this, or would ever need to, and so hung up at once, going straight to his bank’s actual fraud department to tell them what had happened.
The primary issue Gunst raised was that the phishers were able to use the bank’s own verification text to gain access, because the text carried no description of why it had been generated (in this case, supposedly for fraud prevention).
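The weakness Gunst describes is a code that says nothing about what it authorises. The following is an added illustration, not the bank’s or anyone’s real implementation, of the usual fix: bind each one-time code to the action it was issued for, name that action in the message text, make the code single-use with a short lifetime, and cap guesses. The purposes, message wording and in-memory store are all constructed for the example.

```python
"""Purpose-bound one-time codes (illustrative, constructed example).

A code issued because someone tried to log in as the customer will not
verify for "block my card" or "add a payee", and the text the customer
receives states what the code is for, so a caller's story cannot
repurpose it.
"""
import hashlib
import hmac
import secrets
import time

# Constructed customer-facing descriptions of each purpose.
PURPOSE_TEXT = {
    "login": "sign in to online banking from a new device",
    "block_card": "block your debit card",
    "add_payee": "add a new payee",
}

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 3         # assumed cap on wrong guesses per issued code


def _digest(user: str, purpose: str, code: str) -> str:
    """Hash the (user, purpose, code) triple so plaintext codes never sit in the store."""
    return hashlib.sha256(f"{user}|{purpose}|{code}".encode()).hexdigest()


class OtpService:
    """Issues and verifies single-use codes tied to one user and one purpose."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # user -> {"purpose", "hash", "expires", "attempts"}

    def issue(self, user: str, purpose: str):
        """Create a code for `purpose`; return (code, message_text).

        Issuing a new code replaces any earlier one for the same user.
        """
        if purpose not in PURPOSE_TEXT:
            raise ValueError(f"unknown purpose: {purpose}")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {
            "purpose": purpose,
            "hash": _digest(user, purpose, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        message = (
            f"Your code is {code}. Use it ONLY to {PURPOSE_TEXT[purpose]}. "
            "If you did not request this, ignore it. We will never ask you "
            "for this code by phone."
        )
        return code, message

    def verify(self, user: str, purpose: str, code: str) -> bool:
        """True only if a live, unused code for exactly this user AND purpose matches.

        A match consumes the code; too many wrong guesses or expiry discards it.
        """
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]
            return False
        # Purpose mismatch fails even when the digits are right: that is the
        # whole point of binding the code to the action.
        ok = entry["purpose"] == purpose and hmac.compare_digest(
            entry["hash"], _digest(user, purpose, code)
        )
        if ok:
            del self._pending[user]  # single use
        return ok


if __name__ == "__main__":
    svc = OtpService()
    code, text = svc.issue("alice", "login")
    print(text)
    print("reuse for card block:", svc.verify("alice", "block_card", code))
    print("use for login:       ", svc.verify("alice", "login", code))
```

Because the purpose is part of both the stored hash and the customer-facing text, a code triggered by an attacker’s login attempt cannot be spent on a different action, and the customer can see from the message itself that nobody on the phone should need it.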
But the social engineering skills of the phishers can exploit any chink in our data security, for instance, using our social media feed to see restaurants or hotels we may have patronized and then contacting them to obtain billing data (small firms are less likely to have reliable data protection policies in place and so are easy targets).
In Gunst’s case, his details (including who he banked with) may have been available through a database used for member newsletters or similar offers, which are easily accessible to an intelligent, dedicated hacker. And phishers are nothing if not dedicated.
They increasingly call from phone numbers that resemble legitimate ones (even mimicking the FBI’s own numbers) and go beyond the classic emails and calls that say you have won a substantial prize, broken the law or failed to pay your taxes and face a fine.
If you receive a call or email that seems a bit too unbelievable, hang up or don’t answer, and contact the institution that claims to be on the line yourself, using a number or address you already know to be genuine.
That way you’ll know for sure because these scammers are slippery phish. Try not to let them catch you.