Be Aware of Social Engineering Scams
Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables.
Some time ago we were stunned by a discussion with a law firm that had almost been scammed into sending several hundred thousand dollars overseas. The incident involved what turned out to be a fraudulent check from a “client” and a request to transfer funds.
What floored us was the firm’s response to the situation.
As we talked about what happened, the lawyers recognized they were fortunate to have listened to their firm administrator’s advice to not release any funds until the deposited check cleared. But even after the check did bounce, they felt unable to do anything about it, or have the situation investigated, because of a perceived attorney-client relationship and the loyalties they believed flew from that. The scammers had invested enough time in becoming involved with the firm that, even after nearly being taken in, the lawyers felt confidentiality trumped. Wow. Whoever was behind that scam knew what they were doing.
We wish we could say this particular story was unusual, but we can’t. In the years since, these types of scams have only gotten more frequent and sophisticated, and it’s allowing to social engineering.
The Psychological Manipulation
Social engineering, in the context of cybercrime, is about the non-technical aspects of the crime. It’s the use of psychological manipulation to trick people into doing something that isn’t going to be in their best interests. The goal may be to obtain confidential information, steal personal identities or money, gain access to computer network resources — and the list goes on.
These attackers have any number of methods at their disposal. If the goal is to insert some rogue software on your computer network, perhaps they leave a flash drive in the parking lot or send a free digital music player to a “lucky winner,” who happens to be a member of your staff. Of course, once the device is connected to your network, to see what’s on the flash drive or to start enjoying that unexpected prize, your network is compromised. This type of attack is called baiting.
Other methods include, but are by no means limited to, fake callbacks from technical support, where the attacker randomly calls numbers at a business until someone falls prey; pretexting, where the scammer impersonates a bank employee, tax authority, insurance investigator or the like to trick someone into disclosing information; and phishing.
Phishing is something we all need to know more about because of the sheer number of phishing attacks.
Phishing is the criminal attempt to trick another into providing personal or sensitive information such as a birth date, address, credit card number or username and account password by requesting a response to an email or text message. Many of us have a sense of this general approach and would delete an email that says our bank account will be closed unless we open the attachment, or unless we click on some link to verify our log-in credentials, simply because the email obviously doesn’t come from our bank. But what if the email does purport to be from the correct bank, replicates the look of the bank’s website and has all the correct, official logos? What if, instead of asking you to verify log-in credentials online, the email instructs you to call a number and the automated system asks for your credentials?
Phishing attacks have become very sophisticated. Not only are the above examples real, there are many other approaches out there. We’ve heard stories of someone receiving an email from a close friend, stating that friend had their wallet stolen, was stuck in London and was hoping they would wire some money to help them return to the States. Another story is receiving an email that claimed to be from Microsoft, wanting them to know about a serious security problem in their software and advising they immediately click a link to download the necessary update so that they would remain secure. Honestly, almost anyone would fall for that last one if the email’s level of sophistication were that good.
In truth, the possible variations on phishing attacks seem to be limited only by the imagination and programming skills of the criminals behind them. Unfortunately, we’ll keep seeing these attacks, and they’ll continue to evolve because they work.
Training and Other Prevention Tips
Hopefully, you now have a sense of how ugly the situation has become. The upshot is that it’s time to get in front of the problem because no one else is going to take care of it for you. It simply isn’t possible for your IT support to protect your systems from all phishing attacks because the attacks are directed not at hardware, but at the people who use your systems, including you.
The good news is there are a few things all of us can do to protect our personal information as well as our client confidences and it begins with training. Everyone in your firm should be made aware of the nature of phishing attacks and learn how to spot them.
Here are some steps:
- Keep all software updated with critical security patches as they become available.
- Use reputable antivirus tools as well as spyware identification and removal tools on all computers that are part of the office network — and don’t overlook remote and mobile computers such as home computers, personal laptops, and computer tablets.
- Check with your IT staff or consultant to see if you are running the most current version of your Internet browser. If your browser has anti-phishing capabilities built in, make certain this functionality is enabled on all devices that are on the network or that log into the network remotely.
That said, the most important piece of advice is to remember that no matter how sophisticated your security systems and tools are, the user will always remain a vulnerability. Awareness and training will continue to be key and should occur on a semiannual basis to keep the issue front and center. Everyone in your firm needs to be on the lookout for phishing emails or text messages because law firms have a significant amount of valuable data on their computer systems that scammers want.
Do you need help finding a reputable Managed IT Services provider for your Law firm? Contact us today for a free consultation. Our team of Outsourced IT Support experts can help you find the best managed IT provider for your needs.