Personal information has never been under so much threat from bad actors. Increasingly, our personal information is used as a stepping stone to our company's information, which increases the scale of an attack. In fact, one of the most valuable ways criminals can use our personally identifying information is to impersonate us to our bosses and coworkers. In this blog post, we'll give an overview of scams that use "social engineering": email scams that manipulate people into handing over sensitive information rather than stealing it outright.

The Scams

Broadly speaking, all phishing scams are social engineering scams, but classic phishing typically involves very little trust. Many "classic" phishing scams impersonate trusted institutions (banks, tech companies, and delivery companies, for instance), relying on brand recognition to make you think the company is contacting you. After you click through a link, you enter your credentials for that company's website on the attacker's look-alike page, and the attacker simply collects them. You can mostly keep yourself safe from these attacks by not clicking (suspicious) links in emails or text messages.

With a Gift Card Scam, though, it isn't a bank or company reaching out to you, but usually a high-level person at your company. In this scenario, your CFO sends you an email asking you to purchase a certain number of prepaid gift cards for some seemingly legitimate purpose. Once you do, and reply with the codes from the scratched-off cards, the cards are used by (surprise, surprise) the attacker who tricked you.

The key to the gift card scam is impersonating someone at your company who could plausibly make such a request, and a good fake can be hard to identify. Some attackers use similar-looking email addresses after gathering information about the people at your company; more advanced versions of this attack use homographs (letters that look like Latin letters but come from another alphabet). Worse yet, your CFO could simply have had their email account compromised after falling for a previous scam, in which case the attackers can send emails from the real account.

Attackers can use information about the company to find and impersonate the email addresses of particular departments. In an HR or Payroll Scam, an attacker impersonates someone involved with payroll at the company and, if they appear legitimate, asks an employee for their direct deposit information. If the request looks legitimate enough, employees will simply hand their banking information over to the attackers.

Other scams rely on commonly used business communications, like invoices, to create both legitimacy and confusion. Invoice Scams can catch people off guard because they sometimes start with a thank-you note for a nonexistent payment. When you contact the attacker to clarify the situation, they ask for details about an account or credit card. A twist on this scam is the corporate version, where an attacker impersonates a company and sends an invoice to another company. If the two companies regularly do business with one another, it may seem routine enough that the invoice gets paid without question.

Protect Yourself from Email Scams

The common thread between these scams is their use of email. Because email is an open, public standard for communication, any email that discusses payment or identifying information should be treated as highly suspicious, no matter who it seems to be from. It is best to treat every email account as one that could be compromised. That means increasing the scrutiny you give any email when something out of the ordinary happens.

Attackers often set up domain names that look like they are part of your organization, and use names that resemble those of your coworkers. In the homograph attack mentioned above, emails from these attackers can even appear as verified in Outlook. With all of the confusion these attacks can cause, and the lack of trust we now should have in the email protocol, it's best not to conduct payment or financial activity via email at all. If it must be done, then it's important to check with your coworkers in person or over a secure medium whenever something even the slightest bit unexpected arrives in your inbox, such as an unexpected document or request.
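The look-alike addresses and homographs described above (and in the gift card section earlier) can be screened for automatically on the receiving side. The following Python script is an added example, not code from the original post or from Crown Computers: it takes a From: header, decodes any punycode (xn--) domain back to Unicode, and flags the sender domain if it contains non-ASCII or mixed-script letters, if it collapses to a trusted domain once confusable characters are normalized, or if it is within two edits of a trusted domain. The trusted domains, the confusables table (a small hand-picked subset) and all sample addresses are constructed assumptions for the demonstration.

```python
"""Flag look-alike sender domains in From: headers (constructed defender-side example)."""
import unicodedata
from email.utils import parseaddr

# Assumption: domains this organization treats as its own or as trusted partners.
TRUSTED_DOMAINS = {"example.com", "example-payroll.com"}

# Assumption: a small hand-picked subset of Unicode confusables. A production
# checker would load the full Unicode confusables table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i",                 # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",  # Greek
    "0": "o", "1": "l",                                          # digit look-alikes
}
# Multi-character sequences that read as a single Latin letter.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header, decoding punycode (xn--) labels."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rpartition("@")[2].strip().rstrip(".")
    if "xn--" in domain.lower():
        try:
            domain = domain.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass  # undecodable punycode: keep the raw form, it will not match a trusted domain
    return domain.lower()


def skeleton(domain: str) -> str:
    """Collapse confusable characters so a look-alike compares equal to its target."""
    text = unicodedata.normalize("NFKC", domain).casefold()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in MULTI_CONFUSABLES.items():
        text = text.replace(pair, single)
    return text


def scripts_in(label: str) -> set:
    """Unicode scripts (LATIN, CYRILLIC, ...) of the letters in one DNS label."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch typo-squats such as a swapped letter pair."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the decoded sender domain, a set of flags, and a verdict."""
    domain = sender_domain(from_header)
    flags = set()
    if domain in trusted:
        # Exact match: not a look-alike. The account itself could still be
        # compromised, which this check cannot detect.
        return {"domain": domain, "flags": flags, "suspicious": False}
    if not domain.isascii():
        flags.add("non_ascii")
    if any(len(scripts_in(label)) > 1 for label in domain.split(".")):
        flags.add("mixed_script")
    skel = skeleton(domain)
    for t in trusted:
        if skel == skeleton(t):
            flags.add(f"confusable:{t}")
        elif levenshtein(domain, t) <= 2:
            flags.add(f"typosquat:{t}")
    return {"domain": domain, "flags": flags, "suspicious": bool(flags)}


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one Cyrillic homograph, one
    # "rn"-for-"m" look-alike, one typo-squat, one unrelated third party.
    for hdr in ["CFO <cfo@example.com>", "CFO <cfo@ex\u0430mple.com>",
                "HR <hr@exarnple.com>", "Payroll <payroll@exampel.com>",
                "Vendor <vendor@unrelated.org>"]:
        print(hdr, "->", assess_sender(hdr))
```

Running the script prints one verdict per constructed header; the Cyrillic homograph is flagged as non-ASCII, mixed-script and confusable with example.com, and the same address delivered in punycode form decodes to the same verdict. An exact match against a trusted domain passes this check, which is exactly why the post's advice to confirm unusual requests in person or over a secure channel still applies: a genuinely compromised account sends from the real domain.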

Maintaining email security for an entire organization is hard because it depends on every individual at the company having good security practices for their email account. One compromised account can cause a lot of grief, because it takes only the trust of one other person in the organization to send important details to that account. The most important step you can take is to have good security practices for email accounts, such as 2-Factor or Multi-Factor Authentication. As with most cybersecurity measures, it's not perfect, but at least your company's emails won't be low-hanging fruit.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team