This article looks at common types of social engineering used by cyber fraudsters.
If a complete stranger appeared at your door and invited themselves into your home, would you let them in? Probably not. Then why do so many people open the door to cyber-criminals on their computers?
A common misconception is that most cyber-crimes involve hacking: the use of computer technologies to gain access to computers and networks. However social engineering— the psychological manipulation of people into doing something against their interests—is a much more common method.
Phishing emails purporting to be from trustworthy entities such as banks and utility companies are frequently used, usually with the aim of getting the recipient to click on a link or open an attachment resulting in the installation of malicious software that acts against the interests of the computer owner.
First contact from cyber-criminals can also be initiated by phone. In a recent example a practitioner took a call from a man who said he worked for Telstra, who was in fact a fraudster. The practitioner was told by the fraudster that Telstra had detected his office computer had been compromised and was vulnerable to hackers. The fraudster requested remote access to the computer and suggested the practitioner close any confidential documents. The practitioner thought the request not unusual and agreed. He was then directed to a website and downloaded an application that gave the fraudster access to his computer.
Once in control of the computer the fraudster claimed to run some tests over several minutes before displaying on the screen purported details of over 4,000 recent hacking attempts. He remotely took some further action on the computer and, after several minutes, asserted the email had been secured.
The fraudster then asked the practitioner to open his business internet banking account on the basis the practitioner’s password would neither be provided nor visible. The practitioner did as requested and the fraudster again appeared to take some action on the computer before declaring to the practitioner that the account was safe to use. When the practitioner later checked his business account, he discovered the fraudster had stolen $2,000.
It could have been much worse. After the practitioner provided access to his computer, the fraudster could have accessed client information and identified future transactions involving the practitioner’s trust account. This information could then have been used for an electronic funds transfer scam either by sending the practitioner an email purporting to be from a client with fake bank account details, or sending a client an email purporting to be from the practitioner with fake trust account details.
Although it might be easy to scoff at the apparent gullibility of the practitioner, we receive reports of the success of this type of phone fraud with enough regularity to make it worthwhile for the scammers.
Cyber criminals cleverly prey on people’s trust, assumptions and insecurities. Practitioners should always treat any unsolicited contact with due suspicion and take appropriate steps to confirm the sender or caller is who they say they are before doing anything they request. Failure to do so could be potentially catastrophic for the practitioner, their practice and their clients.
For more information about cyber security visit our website.