It's National Cybersecurity Awareness month!
Welcome to our new blog series, The Idea Vault, where you’ll hear from ARB subject matter experts on a variety of topics to educate you on all things banking! We thought we’d launch the series with a few weekly posts on cybersecurity in honor of National Cybersecurity Awareness month.
This week, we wanted to shed a little light on the concept of social engineering. Put simply, social engineering is a scheme used to gather information, commit fraud, or gain access to systems by use of deception. Social engineering is a nasty trick fraudsters use to con unsuspecting victims out of their personal information. They can even use social engineering tactics to worm their way into your bank accounts! Read on to learn some terminology and tactics, along with tips on how to prevent yourself from being conned.
This is where the fraudster creates some sort of story to fool you into providing information. They then use the information to create a “social profile” of their victims so they sound even more legit in the event they contact your bank to make account changes, get balances, or even send money. They basically prepare a series of potential questions and answers that might be asked by the person on the other line. Then the acting begins! Some of the most effective techniques include pretending to have cold to explain why they can’t recognize the voice, or using an irritated or angry tone to attempt to hurry them along to take action NOW rather than subject them to the inconvenience of asking additional identifying questions.
The most successful social engineering call I’d ever listened in on was where the fraudster was whispering, while claiming to have a sleeping baby at home. It also gave them an excuse for not being able to answer the security questions right away as they claimed to have to run to “check on the baby”! If you listened carefully, you could hear the typing on the other end of the line, likely Googling or searching for the answers.
Laurel Sykes, Chief Compliance and Risk Officer at American Riviera Bank
Be wary of social media too. Often times social engineering occurs through social networking sites. A common scenario is where the fraudster contacts you via a social media to glean personal details and possibly to start a conversation or engage you in some way. Gradually the fraudster gains your trust and cons you into disclosing sensitive information like password or bank account details.
Tip: Don’t ever provide personal information unless you have initiated the contact. Finally, review the personal information that you make “public” on all your social networking sites. Do you disclose your birthday? Your family members? Your dog’s name? You should also consider revisiting the security questions you have on file with your bank – it’s incredible how many people still use “mother’s maiden name” as a security question on their bank accounts!
Vishing is also known as “voice phishing” where crooks use social engineering over the telephone to trick you into giving out information. It’s also used sometimes to do recon on a potential victim and gain additional information that might be used in a later scam, such as your PIN or password. “Robocalls” are frequently used to commit these attacks. The phone system might reject your initial attempt to enter your PINS or passwords – tricking you into disclosing multiple passwords! Other scams will transfer you to someone posing as customer service for further questioning.
Tip: Consider always letting phone calls go to voicemail first. If it’s something important, they will leave a message.
In some cases of social engineering, you may have been contacted via text or other personal message, or an instant messaging service such as Facebook messenger, to click on a link, view a video or open an attachment. If respond or act on such messages, you might unwittingly be downloading malware or providing credentials or divulging other information to a fraudster.
Over the summer I was “contacted” via messenger by a friend I hadn’t spoken to in a while. The message started innocently enough saying “Hi! I haven’t talked to you in a while! How have you been?” Once I returned the question, my “friend” responded that they were GREAT! And wanted to share with me some “exciting news”. I was ready to hear about news of an engagement or a new job, but when he asked if I had heard about the Powerball Lottery, I knew my friend had been hacked. I stopped responding immediately, and the urgency of the messages continued to escalate as I proceeded to contact my friend via another channel.
Laurel Sykes, Chief Compliance and Risk Officer at American Riviera Bank
Tip: Never, ever click on links or file attachments in messages, especially if you aren’t expecting it. Be wary of messages that don’t “feel right”. Your friends/colleagues may have been breached!
If you’ve made it to the end, thanks for reading! Tune in next week for a post on email compromise. Happy National Cybersecurity Awareness month!
Next: Email Compromise: the $26 Billion Scam!