According to a 2021 report by PurpleSec, the vast majority (98%) of today’s cyberattacks involve some form of social engineering. Hackers who carry out these types of scams often pose as a known and trusted source to their victims, such as a boss, coworker, friend, relative or a legitimate institution such as a bank or the IRS. They then exploit that trust to dupe victims into fulfilling a fraudulent request for sensitive information or money.
Small businesses are frequently targeted in social engineering scams, so it’s important to educate yourself and your workforce on some key red flags that could indicate fraud.
Types of social engineering scams
While social engineering comes in many forms, here are four categories of scams that cybercriminals frequently carry out:
Phishing or smishing
Phishing, the most common type of social engineering attack, occurs when a cybercriminal sends an email or text message (also called “smishing”) that encourages the victim to click a link or attachment and enter sensitive personal data or financial information. These messages typically have some sense of urgency or incorporate a threat.
A well-known example of phishing is when a person receives an email from their bank claiming there is an issue with their account and they’ll need to log in to address it. If the victim doesn’t know to look for signs of fraud, they may insert their bank information into a phishing website and send it straight to a hacker.
Pretexting
Pretexting is an impersonation scam where bad actors pose as a known individual, such as a company executive. These criminals will most commonly ask a victim to carry out a business-related financial task or share personal information to “confirm their identity.” If a hacker gains access to a business’s personnel files and email addresses, it is relatively simple for them to contact employees and pose as their boss or HR director and make such requests, which the employee may not even question.
[Read more: 3 Security Threats Your Business Should Be Preparing for Now]
Vishing
Vishing attacks happen over the phone and typically involve a scammer telling their victim they are “under investigation” or need to pay a fine to resolve an issue with the organization they claim to represent. According to a 2020 study by BeenVerified, some of the most common phone scams of the last year involved criminals who posed as delivery companies, government agencies like the Social Security Administration and credit card or debt collection companies.
Baiting or quid pro quo
A baiting attack occurs when a scammer entices their victim with some sort of offer. This could be a fake promotion for an online retail store or free media, such as music or movies. These attacks typically exploit curiosity and aim to trick users into getting their login credentials.
Social engineering ‘red flags’ to look for
Chris Arehart, SVP and product manager of crime, kidnap and ransom at Chubb, said some social engineering scams, especially phishing emails, are “virtually undetectable from legitimate messages,” which makes it easy to fall for them. However, he noted there are some key warning signs in the content of the message or sender address that may indicate potential fraud:
- Messages that create a sense of urgency.
- Requests to work confidentially or work with a person who is introduced in the email communication as a lawyer.
- Requests to perform unusual financial tasks such as transferring funds or changing corporate payment information.
- Business-related messages sent from a public domain, such as a free email service.
- Incorrectly spelled email addresses or legitimate-looking domain names with unusual characters.
- Misspellings and poor grammar throughout the email.
- Suspicious attachments you weren’t expecting to receive.
- Links that point to a different or unrecognized domain when you hover over them.
“In recent years, these common red flags have greatly decreased, making it much harder on the recipient to screen for legitimacy using only what they see on the screen,” Arehart told CO—.
[Read more: Defending Your Business From Cyber Threats]
What to do if you think you’ve encountered a social engineering scam
If you receive a suspicious-looking email, phone call or text message, do not respond to it. Eric Breece, director of cybersecurity at Sunrise Banks, recommended asking yourself these questions:
- Is this a communication that I would normally receive from this individual or organization?
- Is this a request that the individual or organization would ask of me?
- While I may feel like I can trust this individual or organization, is this something they would normally initiate?
- Are they asking to change a process that may seem reasonable, but is out of sync or not normal for the individual or organization?
If you believe you’ve been targeted by a social engineering scam, Breece says it’s best to go straight to the source to confirm the request. If it’s not a known individual (like a boss or colleague) whom you can contact through a different channel, go to the official website of the organization the scammer claims to represent and look for a phone number to call, he added.
If you’re unable to confirm that the request is legitimate, immediately report the incident to your IT department and to the authorities, especially if you’ve already clicked a link or given the scammer any sensitive information.
CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.
Follow us on Instagram for more expert tips & business owners’ stories.
CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.
