Keeping your guard up in the face of socially engineered phishing scams

Most of us are familiar with phishing emails, and the tell-tale signs of a dodgy email are easy to spot. But phishing scams are becoming more sophisticated and harder to catch, and they aren’t slowing down in volume. Although phishing began on email, it now happens on all digital channels, with the ACCC even warning consumers of the spike in ‘Hi Mum’ scams via SMS.

When it’s time-consuming to hack into a well-secured site, hackers can get the job done by abusing someone’s trust or manipulating their feelings. This is where social engineering comes in. But there are steps we can take to keep our credentials out of the hands of cybercriminals, in both our personal and professional lives. Cybercriminals are always looking for ways to get our personal data, so the lesson is simple: don’t make it easy for them.

What is social engineering?

Cybercriminals are always looking for the easiest way to exploit a user’s online information. With over 60% of the world’s population online, individuals have more passwords to keep track of, which has left a gap in both proper cybersecurity practice and a basic understanding of it.

This has left individuals exposed to risk by giving hackers easy fodder for entering a database – statistics suggest that 46% of all data breaches are a result of human error. Even for those who believe they are digitally literate and have well-secured accounts, social engineering is very effective at conning them into handing over their information.

Hackers use this technique to dupe victims into giving them confidential data, such as passwords or banking information, so they can accomplish their goals with ease.

Sometimes social engineering takes advantage of the trust people have in colleagues or companies. Other times, it preys on people when they’re feeling vulnerable or fearful. With so many of us relying heavily on tech for everything from work to grocery deliveries to social media, it’s more important than ever to spot the signs of a social engineering attempt.

What are the common social engineering hacks?

Phishing is the most common type of social engineering attack, and its most successful form ends in compromised credentials. This involves people being duped into revealing their login credentials to an unknown party, which are then used to breach an account and steal information.

This social engineering attack continues to impact Australians – the OAIC Notifiable Data Breaches report has consistently found over the past 4 years that phishing via compromised credentials has accounted for ~30% of cyber incidents. While phishing is still very prevalent on email, it has expanded across all digital channels. Smishing (phishing via SMS), although nowhere near as successful as compromised-credential phishing, has sharply increased in the past 12 months.

The spike in ‘Hi Mum’ scams is a perfect display of emotional manipulation. Scammers also work on victims over a long period of time through dating apps such as Tinder, and often spend weeks on one target to extract their information. Once a connection is made, cybercriminals may attempt to emotionally manipulate their victims into sending them money.

These attacks prey on people who may be feeling vulnerable and seeking human intimacy, and as a result they are very effective. According to Scamwatch, Aussies lost $37m to such scams in 2021.

Social engineering scams are even happening in the workplace through business email compromise (BEC). This remains a major threat, with the average loss per successful event now exceeding $50,600. Hackers can usually gain access to the corporate network in a very short space of time by impersonating work colleagues to steal information.

By simply investigating their target online in advance, cybercriminals are able to craft a more authentic, genuine-looking message that has a better chance of gaining the victim’s trust.

What tips can people use to protect themselves?

By understanding how social engineering scams take place, individuals can learn how to spot when something looks off and what to do if they fall victim.

  • A password manager is critical to protecting yourself from compromised-credential phishing attacks, because it helps you create and maintain long, complex passwords.

    Most password managers will also only auto-fill your credentials on the specific URL they were saved for, so they won’t submit them on a phishing URL. Using a password manager app can also help you identify websites with malicious intent: it displays an icon in the browser bar to indicate that the site is a known one, and it will not display that icon on a lookalike domain whose spelling differs from your saved entry, which is exactly what a phishing site relies on.

  • Be suspicious of random and unexpected messages. If you receive an unsolicited message, even one that looks legitimate at first glance, be wary: any user or message you are not familiar with could be a scammer.
  • Don’t assume the apps you know and love are safe. Individuals are becoming increasingly aware of phishing via email, and hackers know this too, which is why they’re increasingly trying to reach you via the apps and sites you trust. They know they have a better chance of catching you with your guard down on social media in particular.
  • Don’t assume your business communications are safe. If you receive an email from a co-worker that looks off, listen to your instincts. Reach out to that co-worker using another method of communication, like a phone call, and make sure they actually sent you that message.
  • Use multi-factor authentication (MFA) to give yourself an added layer of protection, particularly if you’ve experienced a social engineering attack. Even if a hacker obtains your password, MFA means they won’t be able to get into your account unless they can also provide another form of authentication that you set up in advance, like a passcode from an authenticator app.
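The URL-matching rule behind the password manager tip above is worth seeing in code. The following is an added illustration, not LastPass’s or any other product’s implementation: it decides whether a saved login may be auto-filled on the page currently open by comparing registrable domains, so lookalike spellings, a real domain buried in a subdomain of an attacker’s site, a user-info trick in the URL, and an https-to-http downgrade all refuse to fill. The tiny suffix list and all URLs are constructed for the example; a real manager would use the full Public Suffix List.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List so that
# the example runs offline. A real password manager loads the full list.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "co.nz"}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return the registrable domain of a hostname, e.g.
    'login.example-bank.com.au' -> 'example-bank.com.au'."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return None
    suffix = ".".join(labels[-2:])
    # 'com.au' itself is a public suffix, so three labels are needed there.
    needed = 3 if suffix in MULTI_LABEL_SUFFIXES else 2
    if len(labels) < needed:
        return None
    return ".".join(labels[-needed:])


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Mimic a password manager's fill rule: fill only when the current page
    is on the same registrable domain as the saved entry and has not been
    downgraded from https to plain http."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    # .hostname strips any user-info part, so 'bank.com@phish.example'
    # resolves to 'phish.example', not to the bank.
    if not saved.hostname or not current.hostname:
        return False
    if saved.scheme == "https" and current.scheme != "https":
        return False  # never send the password over an unencrypted page
    saved_dom = registrable_domain(saved.hostname)
    current_dom = registrable_domain(current.hostname)
    return saved_dom is not None and saved_dom == current_dom


if __name__ == "__main__":
    SAVED = "https://www.example-bank.com.au/login"  # constructed saved entry
    for url in [
        "https://login.example-bank.com.au/",                 # same site
        "https://example-bank.com.au.evil-site.net/login",    # real name as subdomain
        "https://examp1e-bank.com.au/login",                  # lookalike spelling
        "https://www.example-bank.com.au@phish.example/login",  # user-info trick
        "http://www.example-bank.com.au/login",               # https downgrade
    ]:
        print("FILL " if should_autofill(SAVED, url) else "BLOCK", url)
```

Only the first URL is filled; every other one is blocked, which is the same reason a manager shows no "known site" icon on a phishing page.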

Lloyd Evans is the Head of Identity at LastPass JAPAC.