Hackers will exploit our fear and doubt every opportunity they get. They take advantage of the one weakness every business has: human psychology. Using social media and other channels, these attackers manipulate people into handing over access to sensitive data through fear-mongering or trust tactics. In the wake of the recent COVID-19 pandemic, they will go as far as using our fear of the biological virus to infect us with a digital one.
Take for example the advisory released by the World Health Organization warning of ongoing scams following the outbreak of COVID-19. These scams exploited individual’s fears and the uncertainty of the disease’s spread. For example:
During this prolific period of change, we need to be on the lookout for these four types of cyber crimes that leverage our emotions in order to gain sensitive data:
Phishing is one of the most common “scareware” tactics hackers use to leverage our fear in order to obtain personal information. At a high level, phishers seek to accomplish three things:
- Obtain person information such as usernames, Social Security Numbers, and credit card details
- Use misleading links that lead users to websites that host phishing landing pages
- Utilize fear, threats, or a sense of urgency to manipulate users into responding swiftly
Phishers can use social platforms, and other media to target their victims and aren’t worried about taking advantage of confusion during a crisis. The major signs of a fake social account include:
- A profile photo that they have downloaded from somewhere else online
- If they either have thousands of friends or just a few (generally less than 10)
- An account that is strangely absent of regular activity
- Having no mutual friends with the person who friend requests you
- An odd biography, including a person who was born in Wilmington, Delaware but went to school in Mumbai, India and now owns a beauty salon in Nebraska
Always trust your gut and don’t accept a friend request from somebody you don’t know.
Baiting is similar to phishing in many ways. However, the cyber criminal will entice their victims with the promise of goods. For example, baiters may use the offer of a free movie download to trick users into giving them their login information. During this time of social distancing, many people may fall for this trick due to isolation and boredom.
Baiting is not restricted to digital schemes, either. In July, 2018, state and local government agencies received Chinese postmarked envelopes that included a jumbled letter and a compact disc (CD). The premise was to pique interest so that recipients would load the disc and inadvertently infect their computers with malware.
Pretexting is another type of social engineering where cyber thieves steal personal information through a fabricated guise, or a good pretext. In these types of cyber attacks, the scammer will ask for specific bits of information from their victim to confirm their identity. In actuality, they will use the data to commit identity theft.
Pretexting works by building a false sense of trust with the target. This requires the scammer to create a credible story that leaves no room for doubt. Pretexting can take on many forms, including scammers masquerading as HR personnel, as Verizon found in its 2019 Data Breach Investigation Report.
4. Quid Pro Quo
Similar to bating, this type of social engineering promises a perk in exchange for sensitive information. The benefit is typically a service, whereas baiting promises goods.
One of the most recent quid pro quo attacks involved scammers impersonating Social Security Administrators. They contacted random victims to tell them that there had been a computer issue on their end and asked those individuals to confirm their Social Security Number.
How SecurityScorecard can help
Every organization must remain vigilant during this trying time. It is only through good hygiene – both personal and digital – that we can stop the spread.
SecurityScorecard allows you to take a proactive approach to managing social engineering risks. By leveraging our platform capabilities, you gain an outside-in view of your organization’s cyberhealth and better understand the risks in your IT infrastructure.
SecurityScorecard Ratings provide you with the ability to continuously track your cyber-health, helping to prevent social engineering attacks before they can happen.