How To Spot a Social Engineering Scam

3 steps to recognise a socially engineered scam targeting your business.

The average office worker receives around 121 emails per day. Email is so common and relied upon in our work and lives — it's no surprise cyber scammers are using email to target individuals and extract sensitive information from businesses.

Socially engineered messages are a present threat to businesses of all sizes. They can be highly convincing and highly effective when deployed correctly.

Employees today are typically handling multiple emails and requests at any given time. Scammers know that we're busy and multi-tasking — and they use that to their advantage. Technology can help block and flag potentially illegitimate emails, but humans are still the final line of defence in any organisation.

What are socially engineered messages?

Socially engineered messages are carefully designed digital traps whereby an 'attacker' (a cyber scammer) has the intent of manipulating a 'receiver' (the person receiving the message) into certain actions. These actions could range from opening a malicious file attached to an email or visiting a deceptive website to providing sensitive information such as passwords or financial details.

Scammers can masquerade as a legitimate entity, such as a bank, a service provider, a colleague, or even a friend. Attackers capitalise on trust to deceive others into complying with their harmful requests.

The most damaging social engineering attacks tend to involve domain spoofing, whereby a business has not properly secured its domain name and the attacker is able to send 'spoofed' emails that look like they are coming from the business's own trusted domain.

Who is at risk?

Anyone in an organisation can receive a socially engineered message. However, certain roles may be particularly attractive to attackers due to their access to sensitive data or control over financial resources.

These include:

  • High profile individuals

  • Senior managers and their staff

  • System Administrators

  • Staff members from HR, sales, finance and legal areas of a business.

Scammers may send out messages in bulk to a company, hoping that even a small percentage of successful deceptions will yield results.

How to spot a Social Engineering Scam

The following three steps can help reduce the likelihood of your business being compromised by a social engineering scam:

1. Scrutinise the Sender

Does the message come from a known and trusted source? Be wary of sudden requests or unusual communication, especially if they’re asking you to perform an action like clicking on a link or sharing sensitive data. If in doubt, contact the supposed sender through another channel to verify the message.

2. Consider the Content

Examine the language and tone of the message. Socially engineered messages may contain strange spelling or grammatical errors, a tone that doesn't match the usual correspondence, or a generic greeting that doesn't address you by name. These are all red flags to prompt you to take a step back and consider the content again.

3. Evaluate the Urgency

Scammers often use a sense of urgency to push their victims into action. If the message insists on immediate action or applies high-pressure tactics, it could be a sign of a socially engineered attempt.


If you spot something suspicious, it’s important to notify another staff member immediately. If you’re a client of ShadowSafe, notify our team if you think you’ve engaged with a scammer in any way.

You can also forward suspicious emails to thislooksdodgy@shadowsafe.com.au

Help your team spot threats

Awareness is the first step to reduce the effectiveness of socially engineered messages in any organisation.

At ShadowSafe, we offer Cyber Resilience Training to businesses with 10 or more employees.

Our training is more than just a one-time program: it's a Human Risk Management System that helps you promote an ongoing 'security culture', one that encourages all employees to be mindful of their approach to technology and security.

Learn more about PeopleSafe.
