By Rick Rader • June 7, 2018

What is Social Engineering? Find out to Prevent Cyber Attacks

Many people think they now have enough awareness not to open sketchy emails or click on dubious links. But the truth is hackers have gotten better. A lot better. Your employees may be immune to requests for money from a Nigerian prince, but are they in tune enough to take a closer look at official-looking emails from company vendors and partners, from internal employees they know and regularly communicate with, or from their own personal bank?

Social engineering is the act of manipulating people into performing actions or divulging confidential information. The term applies to deception for the purpose of gathering information or gaining computer system access. In many cases the victim may not even know they granted access to a corrupt third party and left the entire company’s system and data vulnerable. Often this involves nothing more than clicking on a hyperlink or opening an attachment. In other cases, an email may ask you to input information, such as usernames and passwords or account numbers.

It’s important to note that many of these emails now get by advanced spam filters. All business owners and employees must be diligent in inspecting each part of an email for these Social Engineering Warning Signs.


FROM
Check the email address domain. Hackers will use real business names and add innocuous extra words so as not to attract attention (such as Person@myronsteves-support.com), or misspell the business name, hoping you won’t notice (for example, person@myronssteves.com).

In some cases, the sender can make it look like the email is from someone you know and their real email address. The from line may look like this:

From: "Michael Miller - mmiller@myronsteves.com" <oprxceo@comcast.net>

It appears to be from Michael, and your eyes will read his email address first, but in reality, it’s from the scam account oprxceo@comcast.net.

You don’t recognize the sender’s email address and it’s someone you don’t normally communicate with, and the email has embedded hyperlinks or attachments.

You recognize the sender but haven’t communicated with this person recently, and the email seems out of the blue.

It’s from someone outside your organization and is unrelated to your job duties.

It’s from someone inside your organization, or someone you regularly communicate with (such as a vendor or customer) but the email is unusual or out of character.
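
The first three FROM checks above can be automated at a mail gateway or in a triage script. The following is an added illustration, not part of the original article: the function name check_from, the TRUSTED_DOMAINS set and the edit-distance threshold of 2 are assumptions chosen for the example, and the sample addresses are the ones quoted in this section.

```python
import re
from email.utils import parseaddr

# Assumption: the organisation's real sending domain(s).
TRUSTED_DOMAINS = {"myronsteves.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from(header):
    """Return a list of warning strings for one From: header value."""
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    # Sign 1: the display name shows an address that is not the real sender.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+\.\w+", display):
        if shown.lower() != addr.lower():
            warnings.append(f"display name shows {shown} but sender is {addr}")
    # Signs 2 and 3: the sender domain imitates a trusted one.
    if domain not in TRUSTED_DOMAINS:
        label = domain.split(".")[0]
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in label:
                warnings.append(f"{domain} adds extra words to {trusted}")
            elif edit_distance(domain, trusted) <= 2:  # assumed threshold
                warnings.append(f"{domain} is a near-miss spelling of {trusted}")
    return warnings

if __name__ == "__main__":
    samples = [  # header values quoted in the article, plus one legitimate form
        '"Michael Miller - mmiller@myronsteves.com" <oprxceo@comcast.net>',
        "Person@myronsteves-support.com",
        "person@myronssteves.com",
        '"Michael Miller" <mmiller@myronsteves.com>',
    ]
    for s in samples:
        print(s, "->", check_from(s) or "no warnings")
```

A clean result only means these three signs are absent; the remaining checks in this list still need a human reader.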


TO
The email is to an unusual mix of people that doesn’t seem to have much correlation with each other in terms of job function. You might notice everyone’s last name starts with the same letter.

You are cc’d along with other people that you don’t know. 


HYPERLINKS
Hover over the hyperlink, but don’t click. Is the link that pops up in the hover box different from the one typed in the email?

There’s a hyperlink in the email but no other content or explanation.

There are misspelled words in the hyperlink.


DATE
The email is sent at an unusual time, such as in the middle of the night.


SUBJECT
The subject is unrelated to the content in the email.

The subject contains a message that sounds urgent.

The subject is attention grabbing and piques your curiosity.

It’s a reply message (RE:) to something you never sent or requested, and you don’t recognize the content. 


CONTENT
The sender asks you specifically to click on a link or open an attachment.

The email has bad grammar or spelling errors. (Although this one is becoming less common as hackers become more sophisticated.)

The content does not make sense coming from that particular sender.

The content feels “click-baity”, as in trying to get you to open something funny or embarrassing.

The content is offering something for free (such as a media download) or says you are a winner.


ATTACHMENTS
Don’t open anything until you know the email is legitimate!

The attachment doesn’t make sense from that particular sender (remember, the sender could be someone you know) or doesn’t match the content or subject of the email.

The attachment is a different file type than you usually handle. Even PDFs, JPGs and Word documents can contain malware if opened.

Encourage coworkers to get in the habit of practicing skepticism when checking email. It takes extra time, but it’s worth it to prevent employee and customer data from falling into the wrong hands.

Every small business should consider getting Cyber Liability insurance so they have help when trying to recover from cyber attacks. Contact Myron Steves Brokerage today to learn more: submissions@myronsteves.com.