For the better part of the past decade, online tech support scams have been on the rise as hackers find new ways to trick consumers into providing remote access to their computers in order to steal information. This tried-and-true phishing scam today relies on sophisticated social engineering fueled with detailed information on the user that can trick even the most savvy or skeptical user into keeping the scam going.
In fact, in 2017 alone, 2.7 million Americans reported some form of fraud to the Federal Trade Commission. And there were almost certainly many more who were either too embarrassed or too jaded to report what they experienced.
What essentially all online and email scams share is that they attempt to impersonate someone or some institution that seems credible. They attempt to capitalize on the recipient’s cultural norms of trust, courtesy, and professionalism to hear out their pitch. They usually attempt to play into the listener’s sense of fear over losing something, like a valuable service or, alternatively, appeal to the listener’s opportunism for getting something valuable for nothing.
Phishing scams today often involve someone pretending to be from a company you already do business with such as Apple, Microsoft, or Amazon, sending out a text or email that says you have a problem with your account, or perhaps a delivery issue, a refund, or some other plausible-sounding matter. You are then directed to a link and told that unless you provide confirmation of your account information, that account will be suspended, and legal action will follow.
The phisher almost certainly doesn’t have either your username or password. If they did, they wouldn’t have to bother using an elaborate ruse to gain access your computer network. Instead, claiming that it’s a matter of great urgency, they use deceit to trick you into providing access to data, images, text files, or money.
One particularly damaging form of trickery may not involve email at all. It could start with a phone call from someone pretending to be your helpdesk or IT service organization needing to remotely access your computer to update or fix something. “All you need to do is download this maintenance patch I’ll send you and let me do the rest,” the user is told. Of course, it’s a scam for someone to access the network. Here are some common tips.
Security Tips: Cutting Back on Phish
With so much toxic angling, a low-phish diet will be good for you and your business. Sooner or later, everyone is likely to receive a deceptive phone call or email. But like any diet, this one requires awareness, education, and discipline. Essentially, all phishing scams require the recipient to open or click on something that’s malicious. Educating yourself and your employees about how to recognize, avoid, and report phishing attempts is essential to the effort. Vigilance and skepticism online are the mantras of digital living.
- Many phishing messages share certain elements in common. One of the most frequent is a sense of urgency saying that the recipient needs to do something immediately – either to send money to verify certain information, or to update their credit card on file. That’s a red flag. Banks, government agencies, and most business organizations still use snail mail to collect funds and personal data.
- When you do receive an email from your bank that requires action, log on to its website by keying in the bank’s URL yourself. Don’t use the link in the message to visit the bank’s website; it could actually be a malware attack on your computer. By hovering over a link in the message without clicking on it, a balloon will appear with the sender’s real address. If it looks phishy and doesn’t contain the official domain of your bank, pick up the phone and call your bank.
- Many scams originate overseas from countries where English is not the native language. As a result, there might be awkward phrasing, archaic terms, or misspelled words that a professionally written email or website from an authentic U.S. organization would never use. That’s another red flag.
To help train employees, IT personnel can periodically send fake “phishing” emails, which helps identify vulnerable staff members who could benefit from more guidance. They can teach users to recognize malicious messages.
But scams continue to evolve. Ongoing education and awareness efforts, together with prompt reporting of suspicious emails, are essential to maintaining the first line of defense against phishing scams–alert company employees and wary business executives. Remote collaboration may be a double-edged sword but, using the right defense, the user can properly yield its power.