Sidestep social engineering scams

As cybercriminals become more sophisticated, it’s important to educate yourself on the warning signs of common crimes like identity theft, consumer fraud, and financial abuse.

Many of the latest scams revolve around social engineering—manipulating individuals into sharing personal information. The information may seem rather innocuous, and a victim may think there’s no harm in sharing it—but it could be deployed later to initiate an attack.

It’s critical to stay up-to-date about common schemes you might encounter so you can help prevent fraud. We break down three common tactics used by cyber criminals—phishing, vishing, and SMiShing —and how they can evolve into social engineering scams.

Phishing starts with an email that often looks like it’s from a trusted or legitimate source. The email will ask you to do something—usually click on a link or download an attachment.

The link typically takes you to a website that seeks to steal your information or download malicious software (or “malware”) onto your computer. Opening the attachment may infect your computer with malware.

Once the malware invades your computer, a hacker can use it to look at personal documents saved on your computer, such as a tax return. They can also capture the keystrokes on your computer or take screenshots of sites you visit to steal your logins, passwords, and other sensitive information. If the hacker steals your information, they may try to access your bank accounts or contacts, or sell your data to other cybercriminals.

Security tips: Never click on a link or open an attachment from unsolicited sources, and don’t provide personal information when responding to an email request.

With this phone scam, a fraudster calls you and poses as a representative from a reputable organization to obtain your personal information. During vishing calls, the fraudster usually imparts a sense of urgency or panic to make you more likely to share the requested data.

Security tips: Only answer phone calls from numbers you recognize. Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization and is who they claim to be. You can always hang up and call the organization back using a phone number found through a trusted source—such as the company’s official website or a financial statement.

Short for “SMS phishing,” this occurs when a fraudster attempts to get personal information via an SMS or text message or attempts to get you to click on a link in the text. The fraudster may also try to download malware onto your mobile device.

Security tips: Just like with phishing emails, never click on unknown links embedded in a text message, especially from a sender you don’t recognize. If you have any doubt about the authenticity of the sender, don’t respond. Instead, do some research to verify the validity of the sender.

Other common social engineering scams

Once cybercriminals have your personal information, they can use it to execute a variety of social engineering schemes. Here are several of the most common ones:

The Internal Revenue Service (IRS) calls saying you owe back taxes and threatens you with a lawsuit or jail time if you don’t immediately pay the debt with a wire transfer, prepaid card, or gift card. What’s wrong with this scenario? If you owe taxes, the IRS won’t call you. Instead, the agency will contact you by mail. Also, the IRS will never ask for money using those payment options or threaten to arrest or sue you.

Security tips: If you receive a call like this, hang up immediately without providing any personal or financial information. Then report the call to the Treasury Inspector General for Tax Administration (TIGTA) or Federal Trade Commission (FTC).

Using the name of an organization that’s similar to a well-known, reputable charity, fraudsters employ high-pressure tactics (usually during the holidays) to encourage you to donate on the spot.

Security tips: Ask for detailed information about the organization and take the time to confirm it’s a trustworthy charity. Don’t feel the need to give money on the phone. You can always donate later through the charity’s site.

Have you ever received a call from someone telling you there’s a serious problem with your computer? It’s likely a fraudster seeking remote access to your device in order to “fix” the issue. Instead, they’ll infect your device with malware.

Security tips: Never grant access to your device when you receive this type of call. Don’t provide the caller with any personal, account or computer-related information. Instead, ask the caller for their name, as well as the name of their company. Then hang up and call back using the official phone number for the company.

Visit the Security Center to learn more about how we work to help secure your account and additional steps you can take to protect yourself.

The source of this article, Sidestep Social Engineering Scams, was originally published on September 26, 2021.