Top 3 Social Engineering Scams

Think about hackers breaking into accounts. If you think they need top-notch computer skills, you would be wrong. These days, instead of requiring skills behind a keyboard, hackers generally rely on strategy…specifically a strategy called social engineering. This means that hackers don’t have to be technical, but they DO have to be clever and crafty because they are essentially taking advantage of people and “tricking” them into giving information.

There are four main ways that hackers use social engineering:

  • Phishing – where hackers use email tricks to get account information
  • Vishing – similar to phishing, but through voice over the phone
  • Impersonation – the act of getting information in person
  • Smishing – getting account info through text messages

Phishing accounts for 77 percent of all social engineering incidents, according to Social Engineer, but in vishing attacks alone, businesses lose on average $43,000 per account.

Here are the top scams that all consumers and businesses should know about as we move into 2017:

Scam Using the IRS

Starting in the holiday season and stretching through the end of tax season, there are scams involving the IRS. One such scam uses caller ID spoofing to replace the caller's true number with a number from Washington, D.C., making it look like the call is coming from the IRS. Usually, the hacker already knows a lot about the victim, having obtained the information illegally, so the call really sounds legitimate.

In this scam, the hacker tells the victim that they owe a couple of thousand dollars to the IRS. If the victim falls for it, the hacker explains that because the payment is late, it must be made via a money transfer, which is non-traceable and nonrefundable.

BEC or Business Email Compromise Scam

In the business email compromise, or BEC scam, a hacker's goal is to get into a business email account and get access to any financial data that is stored within. This might be login information, bank statements, or verifications of payments or wire transfers.

Sometimes a hacker will access the email by using an email file that contains malware. If an employee opens the file, the malware will infect the computer and the hacker has an open door to come right in.

Another way that hackers use the BEC scam is to access the email of a CEO. In this case, they will impersonate the CEO and tell the financial powers that be that he or she requires a wire transfer to a bank account. This account, of course, belongs to the hacker, not the business. When most people get an email from their boss asking them to do something, they do it.

Ransomware

Finally, hackers are also commonly using ransomware to hack their victims. In this case, the hackers are working towards convincing targets to install dangerous software onto their computer. Then, the computer locks out the data and the victim cannot access it…until he or she pays a ransom.

At this point, victims are informed that they can get access back when they pay a ransom. This might range from a couple of hundred to several thousand dollars. Usually, the hackers demand payment by bank transfer, credit card, bitcoin, PayPal, or money transfer services. Victims are usually encouraged to go to a certain website or call a certain number. Unfortunately, too often, once the victim pays the ransom, the hacker never unlocks the system. So now the hacker has access to the victim's computer and their credit card or financial information.

The way social engineering works in this scam is varied:

One way is this…imagine you are browsing the internet, and then you get a popup warning that looks quite official, such as from the FBI. It might say something like "Our programs have found child pornography on your computer. You are immediately being reported to the FBI unless you pay a fine." When you click the popup to pay, it actually downloads spyware to your computer that will allow the hacker to access your system.

Another way that social engineering works with ransomware is through voice. In this case, you might get a phone call from someone saying they are from Microsoft and the representative tells you that they have scanned your computer and have found files that are malicious. Fortunately, they can remotely access the machine and fix the problem, but you have to install a program to allow this. When you install it, you give them access to everything, including personal and financial information, and they can do what they want with it.

Finally, you might get an email offering a free screen saver or coupon, but when you open it, the software encrypts your drive and takes over your computer.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Social Engineering: How to steal Brand New iPhones from Apple

Looks like there are some worms in Apple.

Not too long ago, dozens and dozens of iPhones were stolen from two Apple stores. How could this happen, what with Apple's security? Simple: the thieves wore clothes similar to those of Apple store employees and obviously knew the layout of the stores.

They sauntered over to the drawers that held the new phones, acting nonchalant to avoid attracting attention. In fact, a new face in Apple attire at one of the stung locations wouldn’t raise eyebrows since new employees are trained there.

What mistake did Apple make to allow these robberies? The introduction of new uniforms, perhaps? They came up with the idea of "back to blue, but all new" attire. But really, blending in shouldn't be that easy.

This meant there was no single uniform, but rather a variety of options that fit within a color and style concept. This makes it easy for someone off the street to visually blend in with store employees. There are six styles of the top alone. You can pick up a strikingly similar top, including the color, at Walmart. And unlike previous attire, which changed seasonally, this new line is meant to be permanent.

Have you yourself ever been mistaken for an employee at Walmart or Target (blue shirt, red shirt), or asked someone for assistance who replied, “I don’t work here”? See how easy it is to blend in—without even trying?

The thefts at the two Apple stores are believed to be related, but the thieves are not known. It's also not known whether the thief or thieves were wearing an actual Apple top or just a look-alike.

This ruse can easily be pulled off by anyone appearing to be in their early to mid-20s, clean-cut, wearing glasses (to look geeky), and with calm, cool and collected mannerisms—and of course, a royal blue shirt.

The solution would be for Apple to require a line of tops with a very distinct color pattern, and only two choices (short and long sleeved).

The lesson here: Not everything or everyone appears to be what they actually are. Social engineering is a confidence crime. As long as the thief has your confidence either in person, over the phone or via email, you are likely to get scammed.

Always be suspicious. Always challenge what's in front of you. Never go along to get along. And put systems, checks and balances in place to prevent being scammed. In this situation, proper, secure identification and authentication of staff, with proper checks, would have prevented this.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen.

6 Ways to prevent Social Engineering Attacks

Hacking isn’t just about weak passwords and single-factor authentication. A lot of it occurs because people can be so easily tricked into giving up personal information: the craft of social engineering. Example: “Download this video of Kim K fully naked!” How many men would be lured into clicking this gateway to a viral infection? We are a sad species.

The victim isn't always a goofball like this. They can be a tech support agent tricked into resetting a password and handing it over. Often, the victims don't even know they were targeted until well after the fact, if ever.

  1. Just say no—to giving out personal information. Social engineering can occur over the phone: someone pretending to be your bank, asking for your private information. Always contact the institution directly, using a number you already know, to verify that it actually wants your private data before giving it out.
  2. Be scrupulous with security questions. Don’t answer ones that a hacker can easily get the answer to, such as “City you were born.” Choose the most obscure questions from the list. If all seem rather basic, though, then give answers that make no sense, such as “Planet Neptune” for the city you were born in. If you fear being unable to remember these answers, put the answers in an encrypted file or password manager.
  3. Do you get e-mails about password resets? Be careful. Contact the service provider to see if the e-mail is legitimate.
  4. You’ve probably heard this before, but here it is again: Never use the same password for multiple accounts! In the same vein, don’t use the same security questions, even though the list of security questions from one service provider to the next is usually the same list of questions. Do your best to use as much of a variety of questions as possible, and don’t forget, you can always give crazy answers to the same question for different accounts.
  5. Keep an eye on your accounts and their activity. Account providers such as Gmail have dashboards that show where you’re logged in and what tools or apps are connected. This includes financial and social media accounts.
  6. Beware of emails coming from anyone, for any reason, that require you to click links. Social engineering via email is one of the truly successful ways to con someone. Just be ridiculously aware.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert's FREE ebook, text SECURE Your@emailaddress to 411247.

Liars Cons and Scammers: How to Recognize Them

Robert Siciliano Identity Theft Expert

We talk about criminal hackers, scammers and con men as though they are mysterious creatures from the Twilight Zone. But while they are certainly interesting, fundamentally they are people. People who lie, and do it better than anyone else.

If only our noses grew every time we lied. Life would be so transparent.

Social engineering is the act of manipulating people into performing certain actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access. In most cases, the attacker never comes face to face with the victim. But many times, con men do come into personal contact with victims. And when they do, there are a few telltale signs to look out for.

According to a University of Massachusetts study, 60% of participants lied at least once during an observed ten minute conversation. Body language expert Carolyn Finch, a colleague of mine from New England, was a consultant during the O.J. Simpson trial and has appeared on numerous media outlets. She points out what to look for:

Face: Finch says when people lie, they smile with only the lower muscles in their face. A liar might try and fake a smile to look genuine or at ease. But a real smile uses the entire face, including the eyes.

Speech: A liar will speak hesitantly and pause frequently when answering a question. A liar might also repeat words or stutter. "A person who is pausing is thinking," said Finch. "The eyes go up and around and down to think about what they are going to say next."

Nerves: Other indicators that the person is uncomfortable include nose rubbing or touching underneath the nose. And watch hands closely, which are an easy way to spot nervousness. “Sometimes there is tremor, definitely in the hands,” said Finch, who also noted the jaw might shake, too.

Eyes: Liars will make a concerted effort to keep your gaze so as not to arouse suspicion. However, Finch advises studying where their eyes go if, and when, they do break gaze.

If you ask someone to remember what they ate an hour ago, they might look up and to their left, which indicates "visual recall," meaning they are accessing a part of their brain to remember a fact. Whereas if you ask them to think of what it must be like to live on the moon, they look to the upper right, which indicates "visual construct," meaning they are accessing a part of their brain to create a scenario. This is also what someone does when they lie.

Become an observer of the human condition. Study what makes people tick and what motivates them. Determine who is truthful and who lives a lie. Bad guys who want to take from you generally lie. Whether in person, online, or over the phone, you can sense a lie if you are tuned in. And that should help protect you from scammers and identity thieves.

There are numerous tools to protect you too. Intelius offers a Background Report and a DateCheck. It's unfortunately not enough to simply "trust" or even trust your gut. It's often necessary to make a small investment.

Background reports include, when available, a criminal and sex offender check, lawsuits, judgments, liens, bankruptcies, home value & property ownership, address history, phone numbers, relatives & associates, neighbors, marriage/divorce records and more.

A Date Check instantly gets the scoop on potential dates with an online background check which provides information on living situations, relatives, criminal convictions, professional information, bankruptcies, liens, address history, social network info and more. Date Check helps you follow up on your intuition with real facts.

In the meantime, protect your identity too.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano, identity theft speaker, discusses Bernie Madoff, liar, on CBS Boston.

Data Breaches; LexisNexis – FAA Hacked, Botnets Grow, Hackers Hold Data Ransom

Identity Theft Expert

What a week. Just when it starts to get boring, criminal hackers put on a spectacular show.

Criminal hackers continue to step up to the plate. Security professionals are fighting, and sometimes losing, the battle. Here’s one week’s worth of hacks:

LexisNexis, which owns ChoicePoint, an information broker I recently blogged about that was hacked in 2005, was just hacked again this week. On Friday, LexisNexis Group notified more than 32,000 people that their information may have been stolen and used in a credit card scam that involved stealing names, birth dates and Social Security numbers to set up fake credit card accounts. The cybercriminals broke into USPS mailboxes of businesses that contained LexisNexis database information, according to a breach notification letter sent by LexisNexis to its customers. The U.S. Postal Inspection Service is investigating the matter. (Check your credit reports and examine your credit card statements carefully!)

CNET reports that hackers broke into FAA air traffic control systems, too. The hackers compromised an FAA public-facing computer and used it to gain access to personally identifiable information, such as Social Security numbers, for 48,000 current and former FAA employees. In a House Oversight and Government Reform Subcommittee testimony, it was stated, “FAA computer systems were hacked and, as the FAA increases its dependence on modern IP-based networks, the risk of the intentional disruption of commercial air traffic has increased.”

Computerworld reports that a hacker has threatened to expose health data and is demanding $10 million. Good for him, bad for the Virginia Department of Health Professions. The alleged ransom note posted on the Virginia DHP Prescription Monitoring Program site claimed that the hacker had backed up and encrypted more than 8 million patient records and 35 million prescriptions and then deleted the original data. "Unfortunately for Virginia, their backups seem to have gone missing, too. Uh oh," posted the hacker. Holding data hostage is nothing new, but it is becoming increasingly common.

The Register reports that bot-herders have taken control of 12 million new IP addresses in the first quarter of 2009, a 50% increase since the last quarter of 2008, according to an Internet security report from McAfee. The infamous Conficker superworm has occupied all the headlines, and makes a big contribution to the overall figure of compromised Windows PCs, but other strains of malware collectively make a big contribution to this number. McAfee’s Threat Report notes that the US is home to 18% of botnet-infected computers.

While you can’t do much about others being irresponsible with your data, you can protect your identity, to a degree. Consider investing in identity theft protection and always keep your Internet security software updated.

Robert Siciliano, identity theft speaker, discusses Ransomware.