The new year will bring new scams from the hacking industry. The primary methodology is to use social engineering to prey on the target victim’s emotions. There is nothing new in this approach.
For example, when looking at what often drives a stock price, CNN Business uses the fear and greed index. This considers the emotional forces that drive stock prices; excessive fear drives a stock price down, excessive greed moves the price up. In either case, the baseline value of the stock is irrationally discarded based on investor emotions powered by fear or greed.
Social engineering in the cyber context is likewise driven by fear or greed. These social engineering campaigns are targeted to victims based on their fears or greed. The tax season is an example. Very soon, there will be email messages focused on how you need to access a website or download a file to help you save taxes, the greed aspect. On the other hand, there will be emails letting you know your back taxes are overdue, even if you do not have any, and the IRS will foreclose, unless you access a website, call a fake hotline, or download a file — the fear aspect.
The best way to combat these campaigns is through education and common sense. Education would include looking first at the sender’s email address. If the email sender’s domain, for example, is joesconstruction.com, and the subject is the seizure of your property by the IRS, then the email is not from the IRS. Common sense is knowing that the IRS will not threaten people, and no one is sending the police to arrest for your back taxes, nonexistent or real.
Other popular fears and greed scams are targeting business loans. The most popular target is the stimulus funds for the SBA Coronavirus Aid, Relief, and Economic Security Act (CARES Act) which includes the Paycheck Protection Program (PPP) and the Economic Injury Disaster Loan (EIDL) program. The scams aim to entice people to sign up for an easy way to be at the head of the line when applying for your loan. The fear component is often used in such terms as the money is running out; you will miss out if you do not apply here. Email lists of business owners are easy to get, and often the scammer will apply for a loan without the knowledge of the legitimate business owner.
Companies are now offering to assist with the loan application process for a fee, though the application process is free and relatively easy. In correspondence with the SBA, the first thing to do is validate the email sender’s address; if it does not follow the first-name.last-name@sba.gov format, there is a problem. Another thing to do is call the office and validate the contact. This holds true for commercial bank loans. In most instances, you are in conversation with the bank lender, and exchanging documents and information should not be a surprise. Again, the requirement is to always closely validate the sender’s email address, recognizing that a scammer often changes only a letter or two to make a unique email address.
In these examples and many more, fear and greed are powerful emotions that, when used, can drive people to act irrationally and impulsively. One of the reasons we get these emails is because they work; there is a hit ratio. Meaning out of every 5 million random emails sent out, a percent will respond, and from that number, another percent can be compromised. These scams are often categorized as business email compromise (BEC) attacks. In the FBI Internet Crime Complaint Center (IC3) Report of 2020, BEC was the leader in the number of complaints, about 19,400, with losses of more than $1.8 billion. A dead giveaway that the transaction is a scam is if the payment for whatever service is in cryptocurrency. Most legitimate businesses do not accept cryptocurrency.
Another scam affecting businesses is tech support fraud. This type of scam relies on fear. In this case, the target will receive an email from someone posing as a service technician, or there is an email informing the business there is a software vulnerability that needs to be closed, or there is dangerous out-of-date software, etc. The point of these notices is to present a problem and then to offer a solution through their technical support for a fee. At best, the scammer will do nothing but collect money for nothing. The most likely outcomes are that the scammer will have the target download malware, and then the attacker will own the target’s computer. In 2020, the FBI IC3 received about 15,400 tech support fraud complaints, translating into $146 million in losses. The actual number is most likely much higher than what is reported.
In the new year, the expectation is that both BEC and tech support fraud will increase. Ransomware attacks will also increase; it is the one that seems to get all of the attention. The attackers will not disappear as long as there is money to be made by leveraging human feelings and emotions to override common sense and good judgment. Hackers work nonstop to separate people from their money.
The most effective way to combat these, and related attacks, is through education. It is the knowledge of recognizing these scams for what they are which are the best defense.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at mikeo@171comply.com.