Social engineering is a seemingly innocuous term that may sound like a mainstream business practice, but is actually a detrimental threat to your company’s security. So, what does it really mean? Social engineering refers to a range of techniques leveraged by ‘bad actors’, aka malicious individuals, to manipulate targets into divulging sensitive information or performing actions that serve their nefarious purposes.
Scary, right? Unfortunately, the reality is that many business owners underestimate the impact of social engineering. Many employees prefer to believe that their time and experience online has equipped them with the ability to identify and avoid scams. In today’s online environment, however, scammers have become increasingly adept at deploying advanced techniques that can bypass even the most vigilant radar.
To emphasize this crucial point, we have compiled several genuine examples of phishing attempts that have reached Ontech’s inbox. These examples will illustrate how these fraudulent emails typically appear and provide advice on how to protect yourself from falling prey to these scammers, commonly known as “phishers” (please note that our team successfully identified and avoided these attempts!).
The Website Request
Consider this scenario: It’s a regular Monday morning in the office. You’re at your desk, catching up on emails that came through over the weekend when you come across a website request. It might look something like the anonymized version of this request we recently received!
You scan the email, and it looks legitimate! Interestingly enough, you’re actually very familiar with this nearby county office and have spoken to ‘Jane Doe’ about her company’s IT needs before! At this point, your initial look has found no reason to be suspicious. So, what comes next?
There are two possible endings to this scenario.
1. Eager to provide a quick turnaround to the business request, you respond immediately, starting an exchange that eventually leads to a clicked link or downloaded PDF. That simple click leads to a bad actor taking over your computer and accessing your confidential files, including client forms, bank information, and all your passwords.
Sounds like a bad day and a detrimental mistake. Let’s consider another more positive alternative:
2. You take a moment to do some more digging and ask yourself, is janedoe@wisconsincounty.org really who they claim to be? This leads you to a quick visit to the county website staff page. Continuing to scroll, you come across the familiar face and name of Jane Doe – she’s real! However, there is one small catch that many would overlook – you discover that the county’s real domain ends in “.gov”, not “.org”, making this email indeed FAKE.
Crisis averted. Good catch!
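The check in the second ending (does the sender’s domain match where you already know this person works?) can be automated for the contacts you deal with regularly. The following is an added example written for this article, not Ontech’s tooling; the contact directory and the addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed directory of people you already know, keyed by the display name
# you expect and the domain their genuine mail comes from.
KNOWN_CONTACTS = {
    "jane doe": "wisconsincounty.gov",   # constructed: the real county office
}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_sender(from_header: str) -> list[str]:
    """Return reasons to distrust the sender; an empty list means no finding."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return ["no parsable address"]
    findings = []
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected is None:
        findings.append(f"unknown contact '{name}' at {domain}")
    elif domain != expected:
        msg = f"'{name}' is known at {expected}, but this mail is from {domain}"
        # The case from the article: same organisation name, different TLD.
        if domain.split(".")[0] == expected.split(".")[0]:
            msg += " (same name, different top-level domain)"
        findings.append(msg)
    # A display name that is itself an address, hiding a different real one.
    if "@" in name and name.lower() != addr.lower():
        findings.append(f"display name '{name}' disguises real address {addr}")
    return findings


if __name__ == "__main__":
    for hdr in ("Jane Doe <janedoe@wisconsincounty.gov>",
                "Jane Doe <janedoe@wisconsincounty.org>"):
        print(hdr, "->", check_sender(hdr) or "looks consistent")
```

The directory lookup is deliberately by display name, because that is what a reader trusts at first glance; the domain is what the scammer changed.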
While this particular example may not be the most sophisticated phishing attempt, it serves as a reminder that these scams don’t necessarily rely on sophistication alone. The perpetrators exploit three key factors:
- the assumption that you are accustomed to receiving these requests from unfamiliar individuals;
- the possibility that you will accept the request at face value if the name or company IS familiar;
- the expectation that any awkwardness or eccentricity in the text exchange will be overlooked because of the informal nature of online communication.
Moreover, these scams thrive on volume. In this case, it is highly likely that the scammers sent the email to a large number of IT companies scraped off of Google. Their strategy relies on finding one overly eager representative seeking an opportunity who might overlook important details and hastily engage in the interaction. Unfortunately, it only takes one click.
Finally, these types of scams depend on what is “typical” for any given space. Request for Proposal (RFP) scenarios commonly involve someone receiving a link to a webpage to which they could then submit documentation or from which they could download “more information” on the RFP.
No one in this scenario, in other words, would hesitate to click.
The Advertising Campaign Attempt
Now, let’s explore a more sophisticated incursion attempt that specifically targets a particular individual. Unlike broad-scale attacks, these scammers invest considerable effort into tailoring their approach. What makes this type of attempt particularly insidious is its reliance on the target having performed a specific action online, which the bad actor closely monitors.
Here’s the email we received:
In this instance, Ontech was running a Facebook ad for an upcoming event. It is likely that the scammer had been tracking activities related to new signups for Facebook Ad accounts. The element of novelty plays a crucial role here. Similar to the previous email scam, the success of this grift relies on the target’s limited knowledge about the situation. Given our relative “newness” to Facebook Ads, the scammer could reasonably assume our unfamiliarity with Meta’s communication style and expectations.
In essence, the less established a process an organization has in place, the higher the success rate for scammers targeting them. This is why Ontech’s managed security and risk mitigation services are so important!
So how do you know this is indeed a scam? For one, the sender uses a ‘pressure hook’ to lure you in by telling you that the account will be permanently suspended. They want you to click on the link immediately, so you don’t take the time to check it out! The best way to find out if this warning is legitimate? Simply go to Facebook and check, instead of clicking any links within the email. If this were indeed a real warning, your Facebook account settings would show an alert letting you know.
With these types of attacks, it’s common to see multiple attempts come in waves, mimicking patterns of communication you would expect in a legitimate scenario. In this case, we started receiving “notices” right after we launched our ads. Several got through to our inbox, with only a handful filtered to spam. While this may seem like nothing, it indicated that these scammers could have done enough research on email filters to create messages that could get through without being flagged.
These notices eventually turned into a ‘Case Appeal’, mirroring an expected process. That is the core of social engineering: developing campaigns that mimic the known and familiar. Just as your company might build a marketing campaign on established principles, so will a bad actor. By appealing to your comfort zone, they create an ideal scenario for triggering actions that they can then use to their advantage.
What This Can Mean for Your Company
Scams are not always easy to spot, and their impact on your business can be swift. Just check out the graphic below!
As you can see, an incursion does not end at the initial breach. The objective is to infiltrate higher-level and critical business systems. In the case of the Facebook ad scam described earlier, the intention was likely to gain access to our ads account and, ideally, the admin accounts for our page. This would have paved the way for an extortion attempt, with the bad actor threatening to post damaging ads or content that could harm our reputation.
Considering the paramount importance of your business’s online reputation, can you afford to take any risks? To learn more about how Ontech thwarts social engineering attacks, contact our team today.