True or false?: The most dangerous threats facing average computer users today are sophisticated attacks that require high-tech defenses. That is actually false. While some cybercriminals certainly have highly advanced tools at their disposal, most of them favor strategies that target human weakness, not computer flaws.

Such ttacks are carried out in the form of clever schemes, designed to trick us into handing over confidential information and/or control of our computer. Experts now refer to this strategy as “social engineering.” It’s a modern term for a broad category of criminal activity that’s as old as the hills.

Social engineering relies upon the art of deception. Often, fear and anxiety are the triggers used to to manipulate our emotions and cloud our otherwise sound judgment. In this article, we’ll highlight some popular social engineering scams, and provide techniques for sniffing them out.

Phishing

This method of deception in named after the popular pastime of “fishing” but intentionally spelled different. Both activities use a “bait” and a “hook,” and the consequences of biting the lure can be dire.

Phishing expeditions are commonly carried out via email and other forms of electronic messaging. They appear to originate from legitimate businesses (such as your bank) when, in fact, they come from cybercriminals in disguise, who are attempting to steal your identity and money.

In email format, phishing messages can be especially convincing because they often incorporate logos and other branding to impersonate familiar businesses. Here’s an example of a well-known email scam that was recently passed around the Internet, targeting Netflix subscribers:

Clicking the UPDATE ACCOUNT NOW button takes the unsuspecting user to a page with Netflix branding, in no way connected to the TV streaming service. Of course, the goal is to trick customers into giving up their credit card details or, worse yet, bank account information.

So how do we differentiate between phishing scams from genuine account notifications? Here are a few tips:

1. First, pause and take a step back before taking action on any message that instructs you to provide financial or personal identity information. While there’s no need to be paranoid, “trust but verify” is never a bad approach.
2. Next, ask yourself if you actually have an account with company who is allegedly trying to contact you? If the answer is no, assume the message is a scam and ignore it.
3. Carefully read the message and look for oddities in the content. For example, in the message above, note the salutation is generic. “Hi dear” is unusual to say the least. Also, there is a capitalization error in the third sentence. Misspellings and grammatical errors are other common clues that a message may be fraudulent.
4. Before clicking on buttons or links, hover your mouse pointer over them to view the targeted link. (The link should open in a pop-up “bubble” as shown here:
   
   
   For legitimate links the company domain appears before the first single slash character, like this:
   https://www.myuofmhealth.org/login
   
   If the company’s domain does not appear anywhere in the link, or it appears after the first single slash, the link may be fraudulent. These are examples of clever fakes:
   
   https://www.accounts_login.cz/myuofmhealth.org/login
   (Here the domain is “accounts_login.cz,” not myuofmhealth.org)
   
   https://myuofmhealth.org.accounts_login.cz/
   (Here, the domain is “myuofmhealth.org.accounts_login.cz/,” not myuofmhealth.org)
   
   The lack of a company domain name in a link does not always indicate fakery. Many organizations use secure, 3rd party services/links to route account login and payment activity. When in doubt, pick up the phone and call the customer service number on your latest bill or account statement.
   

Phone Scams

Telephone calls are another popular medium for social engineering mischief, some of which can also lead to cybersecurity threats.

According to the Federal Trade Commission (FTC), “People lose a lot of money to phone scams — sometimes their life savings. Scammers have figured out countless ways to cheat you out of your money over the phone. In some scams, they act friendly and helpful. In others, they threaten or try to scare you.”

One common ruse is the caller from “Microsoft” who informs you that he and his team have determined your computer has been infected with a serious virus. Of course he offers to login remotely and fix the issue “for free,” then happily walks you through the process to allow him access your computer. Inevitably, he installs a real “ransomware” virus on the computer which eventually locks you out with a message demanding an inordinate sum of money to restore normal function.

Other variants of this scam involve a threatening tone, indicating you are under suspicion for possessing illegal content on your computer and, to avoid prosecution by law enforcement, you are obligated to allow the caller to login and inspect your computer.

Know that neither Microsoft, nor any other reputable technology company, call customers to proactively report an infected computer. Likewise, law enforcement personnel never call citizens to threaten legal action related to computer crimes (or any other crime for that matter).

Other Recommendations

In addition to employing common sense strategies to recognize social engineering, it’s also important to observe a few general security guidelines:

• Create effective passwords: A recent study by cybersecurity firm Kaspersky finds that nearly half of all passwords can be cracked in a minute or less. According to the findings of that study, “the majority of the examined [cracked] passwords […] contain a word from the dictionary, which significantly reduces the password’s strength.” Others contain a common name (Daniel, Kumar, Samual, etc.).
  
  Never use a dictionary word without turning at least one of the letters into a number or special character. For example, substitute “@” for “a” or “!” for “i.”
  
  Also sprinkle capitalization throughout, at unusual locations, not for the first character.
  
  Finally, remember that the longer your password, the better. At one point, complexity was thought to be the most important aspect of a password. These days, many experts feel that increasing the number of characters is even more important. With this in mind, consider a short, easily-remembered phrase with a few character substitutions, rather than a single word. For example, “Mike buys burgers for lunch” might be converted to this passphrase:
  
  mikebuy$burger$4LUNCH!
  
• Protect your wireless (wi-fi) network: Use the account password strategy described above to create equally effective passphrases for your wireless network. Remember, your wi-fi network extends beyond the boundaries of your home or office. That guy in the car parked outside on the street could be using a password scanner to crack your weak wi-fi security – if he gets in, you may never know it. Also, most modern wi-fi routers allow you create a separate guest network that only allows access to the Internet, but not to your internal devices. Consider enabling that feature and share the guest wi-fi with visitors instead.
• “Keep them secret – keep them safe”: Even the best passwords are useless if they are shared with others.
• Make sure operating systems are up-to-date on all your devices: In many cases, Windows, Mac and mobile phone updates contain critical security updates to patch known vulnerabilities. Overlooking these regular updates can compromise your cybersecurity defenses.
• Install anti-virus protection on all of your devices: There are many reputable, inexpensive options out there for computers, phones and tablets. Make your best deal, install the software, and keep it updated.

Final Words

When in doubt, ask for help from someone you trust. At Computer Homecare, we would like to suggest that you call us!