Cybercriminals are notorious for capitalizing on vulnerabilities. And the current public health crisis — which is causing fear, confusion, and a growing need for information and connection — presents the perfect opportunity for exploitation. As myriad COVID-19-themed scams continue to make headlines, it’s imperative that you learn how to spot social engineering attacks, and follow these practices to prevent falling victim to them.
Identifying and avoiding social engineering attempts
Cybercriminals often cast a wide net, using various means of communication — primarily email, social media, text messages, and phone calls — to target individuals and businesses alike.
Here are a few tips to help you and your employees recognize and steer clear of social engineering scams:
#1 If it’s urgent, be skeptical
Scammers try to create a sense of urgency to make you act first and think later. But don’t rush — take a moment to review whether the message is genuine or a scam. If it purports to be from a reputable company, you can call their customer support (using the number on the company website and not the one in the message) to confirm its legitimacy. But more often than not, real companies will be the ones to call you if there’s any urgent information they need to relay or ask for.
Likewise, if the sender pretends to be someone you know, send them a text or call them to check if the message really came from them.
#2 Check the source
Phishing emails are typically poorly crafted, exhibiting imperfect grammar and spelling. But the more sophisticated ones are harder to distinguish. One way to verify these, though, is to check their source.
Look at the domain name — the part that comes after the @ symbol — of the sender’s email address. For personal emails, this is often gmail.com, yahoo.com, or outlook.com, but reputable organizations typically have their own email domain, such as @who.int (for the World Health Organization) or @fbi.gov (for the Federal Bureau of Investigation). Search the domain name on Google, and if only the domain comes up and no other search results appear, then it’s likely a sham.
You can also use WHOIS lookup services, such as those run by ICANN, to look up when a website and its corresponding email domain name were set up and who owns them. Even if the domain name checks out, it won’t hurt to further confirm the identity of the sender by looking up their name on Google or in the organization’s directory.
#3 Check the recipient
Another way to identify a phishing email is by checking the recipient. As mentioned in the beginning, cybercriminals often cast a wide net, so look out for overly generic salutations like “Dear valued customer” or “Dear account holder.”
Also, be wary if your name is not in the To: or CC: field or anywhere in the email. At the same time, keep an eye out for emails sent to multiple people, especially if the recipients look like they were chosen at random.
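The sender and recipient checks in tips #2 and #3 can be turned into a simple triage script. The following is an added example, not code from the original post; the sample message, the recipient details, the freemail list and the organization-to-domain mapping are all constructed for illustration and are not a real allowlist.

```python
import email
from email.utils import getaddresses, parseaddr

# Consumer mail providers: an "organization" writing from one of these is a warning sign.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
GENERIC_SALUTATIONS = ("dear valued customer", "dear account holder", "dear customer")
# Assumed mapping (illustrative only): display-name keyword -> domain the real organization uses.
KNOWN_ORG_DOMAINS = {"world health organization": "who.int", "federal bureau": "fbi.gov"}

def triage_email(raw_message, my_name, my_address):
    """Return the list of red flags found; an empty list means none of these checks fired."""
    msg = email.message_from_string(raw_message)
    flags = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    # Tip #2: the part after the @ should be the domain the claimed organization really uses.
    if sender_domain in FREEMAIL_DOMAINS:
        flags.append("organization sending from a consumer mail domain")
    for keyword, real_domain in KNOWN_ORG_DOMAINS.items():
        if keyword in display_name.lower() and sender_domain != real_domain:
            flags.append(f"claims to be '{keyword}' but sends from {sender_domain}")
    # Tip #3: am I actually addressed, and how many other people are?
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = [addr.lower() for _, addr in getaddresses(headers) if addr]
    if my_address.lower() not in recipients:
        flags.append("my address is not in To: or Cc:")
    if len(recipients) > 5:
        flags.append(f"sent to {len(recipients)} recipients")
    body = msg.get_payload().lower() if not msg.is_multipart() else ""
    if body.lstrip().startswith(GENERIC_SALUTATIONS):
        flags.append("generic salutation instead of my name")
    elif my_name.lower() not in body:
        flags.append("my name appears nowhere in the message")
    return flags

# Constructed sample: a lookalike domain, six random-looking recipients and a generic greeting.
SAMPLE_EMAIL = """\
From: World Health Organization <alerts@who-int-updates.example>
To: u1@example.net, u2@example.net, u3@example.net
Cc: u4@example.net, u5@example.net, u6@example.net
Subject: URGENT: COVID-19 safety measures
Content-Type: text/plain

Dear valued customer, download the attached guidance immediately.
"""

def sample_flags():
    return triage_email(SAMPLE_EMAIL, "Jane Doe", "jane.doe@example.com")

if __name__ == "__main__":
    for flag in sample_flags():
        print("RED FLAG:", flag)
```

Each flag is a prompt to verify through a separate channel, as tip #1 describes, not a verdict on its own.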
#4 If it’s asking you to download something, don’t do it
Don’t open links or attachments from people you don’t know — or even from people you do know, if you aren’t expecting them to reach out to you. Whenever you click on a website or a file from a dubious email or text, you stand a good chance of infecting your device or systems with malware. It pays to err on the side of caution and follow the first three tips to verify the contents of the message before clicking on any links or attachments.
#5 Don’t believe offers and unexpected prizes
As the famous adage goes, if something sounds too good to be true, it probably is. Especially if an email mentions anything about money or prizes in exchange for help or information, it’s very likely a scam. You can’t win a lottery you didn’t enter.
Protecting your business from social engineering attacks
Given how rampant social engineering scams are, it's likely that you'll encounter them. But there are actions you can take to reduce the risk of falling victim to them. These include remaining vigilant and, especially, ignoring any request for personal information and passwords. Likewise, reject requests for or offers of help from unknown senders unless you have thoroughly verified their legitimacy. Additionally, hold security awareness training and testing programs for your employees to teach them how to deal with cyberattacks.
Investing in security software is also an effective way to protect your business from social engineering attacks. For instance, if you or any of your employees unknowingly downloaded or opened a suspicious file, an anti-malware program can detect and remove this, and prevent other malware from infiltrating your systems.
To help protect your Houston business from increasingly sophisticated cyberattacks, partner with Safebit. We provide small- and medium-sized businesses with a host of proactive IT solutions, from managed services to security to support and consulting. Talk to us today and bid farewell to all your IT worries. You can also download our FREE eBook, which covers a comprehensive list of cybersecurity solutions that will keep your systems and devices safe from malware and data breaches.