Sidestep Social Engineering Scams

Cybercriminal activity continues to evolve as fraudsters develop more sophisticated tactics to trick victims and execute crimes such as identity theft, consumer fraud and financial abuse.

Many of the latest scams revolve around social engineering — using a false pretense to convince individuals to share personal information. The information may seem rather innocuous, and a victim might think there’s no harm in sharing it. But, it could be deviously deployed later to initiate an attack.

So, it’s critical to stay up-to-date about common schemes you might encounter so you can help prevent fraud. Let’s start by examining three types of tactics used by cyber fraudsters to perpetrate social engineering scams: phishing, vishing and SMiShing.

Phishing starts with an email that often looks like it’s from a trusted or legitimate source. The email will ask you to do something—usually click on a link or download an attachment.

The link typically takes you to a website that seeks to steal your information or attempts to download malicious software (or “malware”) onto your computer. Meanwhile, opening the attachment may infect your computer with malware.

Once the malware invades your computer a hacker can use it to look at personal documents saved on your computer, such as a tax return. They can also capture the keystrokes on your computer (or take screenshots of sites you visit) to harvest your logins, passwords and other sensitive information. After hackers steal your information, they’ll often try to access your bank accounts or contacts, or sell your data to other cybercriminals.

Security tips: Never click on a link or open an attachment from unsolicited sources, and don’t provide personal information when responding to an email request.

With this phone scam, a fraudster calls you and poses as a representative from a reputable organization to obtain your personal information. Vishing calls usually have a sense of urgency or panic to make you more likely to share the requested data.

Security tips: Only answer phone calls from numbers you recognize. Also, be guarded when providing your personal data by phone. Make sure the person asking for the information is from a legitimate organization and is who they claim to be. You can always hang up and call the organization back using a phone number found through a trusted source – such as the company’s official web site or perhaps a financial statement.

Short for “SMS phishing,” this occurs when a cyberthief tries to fool you into providing them with your personal information via a SMS or text message or attempts to get you to click on a link in the text. The fraudster may also try to download malware onto your mobile device.

Security tips: Just like with phishing emails, never click on unknown links embedded in a text message, especially from a sender you don’t recognize. If you have any doubt about the authenticity of the sender, don’t respond. Instead, do some research to verify the validity of the sender.

Once cybercriminals have your personal information, they can use it to execute a variety of social engineering schemes. Here are several of the most popular ones:

The Internal Revenue Service (IRS) calls saying you owe back taxes and threatens you with a lawsuit or jail time if you don’t immediately pay the debt with a wire transfer, prepaid card or gift card. What’s wrong with this scenario? If you owe taxes, the IRS won’t call you. Instead, the agency will contact you by mail. Also, the IRS will never ask for money using those payment options, or threaten to arrest or sue you.

Security tips: If you receive a call like this, hang up immediately without providing any personal or financial information. Then report the call to the Treasury Inspector General for Tax Administration (TIGTA) or Federal Trade Commission (FTC).

Using the name of an organization that’s similar to a well-known, reputable charity, fraudsters employ high-pressure tactics (usually during the holidays) to encourage you to donate on the spot.

Security tips: Ask for detailed information about the organization and take the time to confirm it’s a trustworthy charity. Don’t feel the need to give money on the phone. You can always donate later through the charity’s site.

Have you ever received a call from someone telling you there’s a serious problem with your computer? It’s likely a fraudster seeking remote access to your device in order to “fix” the issue. Instead, they’ll infect your device with malware.

Security tips: Never grant access to your device when you receive this type of call. Don’t provide the caller with any personal, account or computer-related information. Instead, ask the caller for their name, as well as the name of their company. Then hang up, and call back using the official phone number for the company.

Be leery of people you’ve met online – often through dating or social media sites – who initially seem romantically interested in you. But, as time goes on, they ask for money (usually by wire transfer or gift card) to pay for a medical emergency, the cost of travel to visit you or some other reason.

Security tips: Avoid sending money or gifts to someone you’ve never met in person. Ask anyone you meet online plenty of questions and look for discrepancies in their answers. If you feel someone is trying to scam you, stop all contact with the perpetrator immediately.

While the details of these schemes vary, they all involve a fraudster asking you to pay a small fee upfront in exchange for a larger return later. The payout you’re promised may be connected with an investment opportunity, lottery winning or special gift. After paying the fee, you’ll receive little or nothing of value in return.

Security tips: Don’t conduct business with someone you haven’t researched on your own to confirm their authenticity. You may want to search for information online about the individual, check with your local police, contact the Better Business Bureau, or speak to your lawyer or Morgan Stanley Financial Advisor.  Also, don’t sign any non-disclosure or non-circumvention agreement that’s designed to prevent you from independently verifying the credentials of the person offering the opportunity.