Common Social Engineering Scams to Avoid

A social engineering scam is any scheme designed to trick people out of money or steal their personal information, delivered via or making use of digital communications. It’s important to be aware of any scam that can impact your business and yourself, but especially your employees. Some common scams follow.

Social engineering involves manipulating individuals to obtain confidential information, such as passwords and bank details. Criminals prefer this method because it's often easier to exploit trust than to hack software. Recognizing who to trust is crucial for security, particularly in online interactions. Security professionals emphasize that the weakest link in security is human trust, as even the most secure physical measures can be compromised if someone unwittingly allows an intruder access.

Cold calling scams – also known as vishing

A cold-calling scam starts with an unsolicited phone call. The caller may be trying to sell you a fake product or service, or pretending to be from a legitimate organization or a government agency. These scammers are trying to get business payment or personal details from you and use various tactics to do so; for example, they may:

  • Be overly friendly, making you think they’re local by commenting on local events and weather
  • Intimidate or threaten you if they’re requesting payment of an ‘overdue’ bill.
  • Know specific details about your business gained through public or stolen data sources.
  • Ask your accounting staff to pay an administration or delivery fee up-front for the business to receive a tax refund or product.
  • Pressure you into making a quick decision, either by threatening legal action or by saying the offer or deal expires soon.

Ensure that front-line staff who take queries on the phone know what these scams look like, to prevent any loss.

Tech support scams

These scammers use the names of familiar brands such as global software or telco companies to get ‘remote access’ to a device so they can access your business computer or network from another location.

Some of the reasons provided include:

  • A virus infection harming others on the network.
  • A free assessment to upgrade your operating system.
  • An offer to help check your computer’s security.
  • The disconnection of your internet if you do not give access.
  • Problems with your router or internet connections.

At times these scammers may also reach out using ‘pop-up’ messages on your screen instead of calling on the phone. They will try to make you believe your device is infected or needs cleaning to speed it up, or offer you ‘free’ security software. At worst they’ll install rogue software such as Trojans or keyloggers to record your computer use and capture your online banking login details.

Email phishing scams

Phishing is when a scammer sends an email that looks like it’s coming from your lender, a government department, USPS, or US Customs. The email looks genuine, but in the sender’s address a key letter or number may be missing or added.

The sender may request payment to release a package, claim a refund, or report fraudulent activity on your account.

When investigating a potential phishing email use the “Three W's”: who, what, and why.

Who

  • Do I know the sender?
  • Is the sender’s email address spelled correctly?
  • Does the email address match the email signature?

What

  • What action does the sender want you to take?
  • Does the email contain bad grammar, odd styling, or typos?
  • Is this an urgent request?

Why

  • Why do they want you to click on a link, download an attachment, or send information?
  • Have they presented an unusual situation?
  • What are the consequences for not taking action?
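As an added illustration of the “Who” checks above (example code, not part of the original article), the Python below applies two of them mechanically: it compares the sender’s domain against any address found in the message signature, and it flags a sender domain that is exactly one character away from a trusted domain, which is the “missing or added letter” pattern described earlier. The trusted-domain list and the sample messages are constructed for the example and are not taken from any real mailbox.

```python
"""Two automatable 'Who' checks for a suspicious email:
  1. does the sender's domain match the domain(s) in the signature?
  2. is the sender's domain a one-character variant of a trusted domain?
Example code only; TRUSTED_DOMAINS is a constructed list, not a real allow-list."""

import re
from email.utils import parseaddr

# Constructed: domains this hypothetical business genuinely corresponds with.
TRUSTED_DOMAINS = {"usps.com", "cbp.gov", "examplebank.com"}

# Finds the domain part of any user@host.tld address in free text.
_ADDR_DOMAIN = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header ('' if none)."""
    _display_name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute / match
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (distance exactly 1), else None."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) == 1:
            return t
    return None


def signature_domains(body: str) -> set:
    """Domains of every email address mentioned in the body or signature block."""
    return {m.lower() for m in _ADDR_DOMAIN.findall(body)}


def check_email(from_header: str, body: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    dom = sender_domain(from_header)
    if not dom:
        return ["no parsable sender address in From: header"]
    sig = signature_domains(body)
    if sig and dom not in sig:
        findings.append(f"sender domain {dom} does not match signature domain(s) {sorted(sig)}")
    imitated = lookalike_of(dom)
    if imitated:
        findings.append(f"sender domain {dom} is one character away from trusted {imitated}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a lookalike sender whose signature still names the real brand.
    suspicious = check_email(
        "USPS Delivery <notice@uspss.com>",
        "Your package is on hold. Contact billing@usps.com to release it.",
    )
    for line in suspicious:
        print("FLAG:", line)
```

An empty result is not a clean bill of health: a scammer who controls both the sender address and the signature will pass both checks, so this only narrows down which messages need the “What” and “Why” questions answered by a person.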

Fake invoice scams

A fake invoice scam is when someone sends a false invoice to your accounts email address, hoping that the person who pays the monthly invoices will pay it without checking that the goods were actually received.

Receiving unsolicited goods

This scam works by sending your business products or services that you haven’t ordered, along with an invoice, followed by a phone call demanding payment.

Unwanted subscriptions and trials

Scammers can also subscribe your business to software services without your knowledge. This can happen when you’ve signed up for a free trial but are unable to cancel the subscription once the payments kick in.

Government grant scams

Government grant scams are when scammers call businesses claiming to be from a department such as the “US Government Grant Department” and telling you that your business has been chosen to receive a grant. They’ll then ask for personal details in order to process the grant payment, or for an “administration fee”.

What to do

Create standard rules of engagement for external contact: for example, if a business, customer or agency that is not known to you gets in touch, contact that organization directly to check. Make sure that everyone uses the phone number or email address published on the organization’s official website, and never the one given by the caller or in the email they have sent you.

Also:

  • Provide training to your team to spot suspicious transactions, calls, emails, or any approach, especially those that are unsolicited.
  • Make sure your team is aware of the consequences of fraud.
  • Double-check all invoices for accuracy and legitimacy before making payments.
  • Verify any new customer credit agreements: ask for referees, conduct a credit check and, if they have an online presence, review their social media profiles.
  • Carefully read all contracts and agreements before signing. Consider having a legal professional review the documents to identify any potential red flags.
