This is one-half of a two-part series. Read the related story, Be Prepared: The Top ‘Social Engineering’ Scams of 2017.
Imagine a hacker breaking into someone’s accounts.
If fancy computer skills are part of your mental scenario, rewind the tape in your mind. That’s not how it’s happening nowadays.
Usually, the hacker is someone tricking the target themselves or a helpful customer service agent or an employee into opening the way for them — a strategy called social engineering, used in more than two-thirds of all hackings nowadays.
For instance, in a scam being perpetrated now, hackers are getting unwitting customer service agents at telcos to abet them in having people’s phone numbers sent to the hackers’ device, from which they reset passwords to the victim’s accounts at email service providers and banks and more.
“Malicious social engineers aren’t necessarily very technical people but they’re crafty and clever in the way they think,” says Michele Fincher, chief operating officer of Social Engineer, an agency that offers consulting and training in social engineering.
The four main ways in which social engineering occurs is by phishing, in which the hacker uses email to trick someone into giving them access to some kind of account or login or financial information; vishing, which is the same but through voice, such as a phone call; impersonation, which is done in person, on site; and smishing, which occurs through text message.
According to Social Engineer, phishing accounts for 77% of all socially based attacks, but businesses targeted in vishing attacks lost $43,000 per account, and individuals targeted through impersonation attacks lost $4,200 on average.
“Most of the time, what you find today, the breaches start with a phishing email or vishing call, then they go to a technical hack,” says chief human hacker Chris Hadnagy.
But while giving a hacker access to one account may not seem like something to be so afraid of, one breach usually ends up unw.
“If they are able to uncover some info you use on one site, they know it’s likely you’ve reused that password or information or answers to security questions somewhere else,” says Fincher. “So maybe it’s not a big deal they got into your Twitter account, but they use that to get into your bank or Amazon. It’s an expanding web where they launch an attack that seems simple and nominal but has far-reaching consequences.”
Here are the top scams that Social Engineer says both consumers and businesses should be aware of in 2017.
1. The IRS scam.
From the holidays through to the end of the tax season on April 15, hackers call the target from a “spoofed” phone number — one that masks the caller’s true number and replaces it with a number from, in this case, the Washington, D.C. area — and claims they are calling from the Internal Revenue Service. In this case, the hacker typically knows a lot of information about the target already — the name of the person who is supposed to answer, their address, etc. “The assumption is they’re getting this data off the dark web, usually from one of the health care breaches,” says Hadnagy.
They usually say that an older tax return, maybe from three or five years ago, has accrued late debt, usually around $2,000-$5,000. “They’re not saying ‘you owe us $50,000,” but a number that most people could afford to scrounge up,” says Hadnagy.
If the target falls for it, the hacker says that because the debt has previously been unpaid, bank transfers and credit card payments are not accepted and that the only form of payment possible is a money transfer through a service similar to Western Union (though not Western Union itself) that is nonrefundable and non-traceable.
Hackers are also now convincing their targets to install malicious software onto their computer that then encrypts all their data. The hacker then locks it so it’s inaccessible to the victim, and the software then also explains that the computer is now locked and demands a ransom before the hacker will unlock the computer for you.
Victims are told to go to one particular site or to call one particular number, where the ransom could be anywhere from hundreds to thousands of dollars. Payments are demanded by credit card, bank transfer, a money transfer service like Western Union or Paygram, PayPal and bitcoin. Unfortunately, often, the hacker will take the ransom but not unlock the computer, so now they have both your money or credit card information and also your data, which can allow them into all kinds of other accounts.
The social engineering part of this scam happens several ways.
Perhaps one day you’re browsing the web, when suddenly, a warning that looks like a federal warning, say, from the FBI, pops up saying, “Child pornography was found on your computer. You’re being reported to the FBI. You can avoid this by paying this fine.” But when you click, it downloads the encryption program onto your computer.
Or maybe you get a call from Microsoft saying that the company logged data from your machine that looks malicious, so they want access to your machine. (In this case, the hackers typically target older people.) The Microsoft customer service rep has you install a program called Tame Bureau, which is used for customer support all over the globe, which then gives the attacker control to install their encryption program onto your computer.
Or, maybe you just receive an email offering a coupon or free screen saver, but when you open it, it installs software that takes over your computer and encrypts the drive.
A cc — they have these foreign merchant accounts they could set up. More often than not, they’re using something like WU or Paygram — you go to Walmart, and they’re giving you a foreign account and they’re paying them that way. Or they’re using bitcoin.
3. Business Email Compromise scams.
In a so-called BEC scam, the hacker aims to get into an email account and obtain the financial data stored there, whether it’s bank statements, login information or other financial data such as verifications of wire transfers or payments in and out of your account.
Sometimes they’ll gain access to the email account by sending the victim a document containing malware. Once opened, the malware infects the computer, allowing the attacker to browse the machine remotely. In the recent case of John Podesta’s email, the hackers sent him a password reset email that linked to a fake page. There, he gave the attackers his email password (called credential harvesting), which gave them the ability to browse his email.
In one variation of a BEC scam, if, say, the CEO’s email was compromised, a malicious attacker could impersonate him or her and send an email to the head of finance, saying, “I’m heading out of town for the holidays and will be on a plane and out of reach for the next several hours, but we need to make a wire transfer to bank account asap to bank #XXXXXXX.”
This is especially common when people are traveling or when people work together but don’t necessarily know each other personally. “This tactic uses the sense of authority or legitimacy,” says Fincher. “If my boss tells me to wire money, I’m not going to question it.”
So if you’ve got 30-character random unique passwords on every account, don’t think you’re immune to a hack. “Social engineering in general isn’t about how smart technically you are,” says Fincher. “It’s about what connects you to others, what makes you curious and angry and what might make you act without thinking.”
Read the related article, 7 Ways To Make Yourself Hack-Proof.