Gone phishing… how to spot the scam
15 October 2018
Jake Moore, Cybersecurity Expert at ESET UK advises us on how to stay ahead of the scammers in the age of cyber deception.
It’s week three of European Cyber Security week, and this week is focused on how to identify deceptive content – a very important skill for staying safe online and keeping your cash in your pocket.
Being conned out of cash is unfortunately not a new concept. Scam artists have been tricking people out of their hard-earned cash for centuries, but it’s only within the last 10 years or so that we have seen this shift to the internet. Not only is this crime still happening, but the speed, convenience and anonymity of the internet have made it an even bigger threat.
Scams that use the internet, known as cyber-enabled crime, rely on the same method as before: the art of manipulation. Social engineering is the latest phrase to cause intrigue, and it is a powerful tool: it combines psychology with cyber-crime to manipulate people into acting against their own interests.
"Cyber-psychology is the study of the human mind and its behaviour in the context of human interaction and communication of both man and machine, further expanding its bounds with the culture of computers and virtual reality that take place on the Internet" - Wikipedia
When it comes to conning someone on the internet, it can be frightfully simple. Techniques such as creating a duplicate site that looks genuine can lower the guard of a victim, who then types in sensitive information, such as card details or a password, entirely of their own accord.
More targeted scams such as ‘spear phishing’ require personal information to target victims without suspicion. Using information found on the internet, scammers are able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target, manipulating their way in.
Real-world hustlers have proved to be excellent psychologists. They have identified these patterns and principles before anyone else. These behavioural patterns are not just ideal opportunities for scams and criminal activity, but also reveal the security weaknesses of “the human element”. This highlights a potential risk for any system, especially for businesses.
So how do they work?
Distraction is at the heart of many fraud scenarios. Street cons are usually described as ‘misdirection’, but a better term could possibly be ‘distraction’. The audience will always follow whatever is offering the most interest, and if their focus wanders the illusion is lost. This is exactly how distraction scams work, and they can be delivered over the internet with ease.
Even very private and suspicious people will sometimes let their guard down without thinking… Just think... if a TV production company researcher emailed you and said: "Hi! We love what you are doing and we need someone like you to be part of a documentary we are making for ITV, are you interested?" Boom! Your guard is down whilst you think about what you will wear on national telly. The next minute, you're downloading a "declaration form" which turns out to be ransomware extorting your company for a couple of Bitcoin!
In the past, I have been asked to see if I could hack into an email address (ethically of course) at a local Digital Innovation Show on stage in Bournemouth. I thought it would be fun to start by engineering my target's passwords by trying my luck on his personal information such as his daughter’s name and football team (which by the look of his face, I am sure it was the football team!).
Anyway, I didn't have too much time to play with alternatives such as ".1" at the end of them so I headed over to his "security questions" by 'forgetting his password' which included the name of his first school and the make and model of his first car. As you can imagine, these weren't too difficult to find. In fact, I came out and asked the guy six weeks prior what his first car was knowing that I would need it on stage.
So, back at the show, within minutes of entering these answers, I was given access to change his password to something brand new which would give me full control. I didn't fill in this entry as that would be committing a computer misuse act, but being offered this opportunity in front of him made him worry. A lot. Funnily enough, he actually told me afterwards that he thought I in fact had hold of his Google search history so was relieved!
The psychology behind a cyber-attack comes down to simple principles. Reduce the suspicion and a hacker will be in before you have had a chance to make your morning coffee. Social engineering demonstrations on YouTube prove this in multiple ways, and you will be shocked at how easy it is.
So how can you avoid being a victim, like my poor target on stage? Change your passwords so that they are all unique and very long, and avoid anything that could be guessed or expected – steer away from birthdays of loved ones, for example. Use a robust password manager and enable two-factor authentication on every account that offers it. And always be aware of the golden rule on the internet: ‘if it sounds too good to be true, it probably is.’
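As an added example, not part of the original article, here is a small enrolment-time check in Python that applies the advice above: it rejects a password that is short or that embeds the kind of personal fact a scammer can find online (a child's name, a football club, a first car), even when disguised with a ".1", a year or leetspeak. The facts list and the 16-character threshold are constructed assumptions.

```python
"""Enrolment-time password check: flags passwords derived from discoverable
personal facts, however they are decorated (".1", "!", a year, leetspeak).
Added example; KNOWN_FACTS and MIN_LENGTH are constructed for illustration."""
import re

# Constructed facts a scammer could learn from public profiles or a chat:
# a child's name, a football club, a first car and a first school.
KNOWN_FACTS = ["Emily", "Bournemouth", "Ford Fiesta", "St Marys"]

# Undo the usual letter-for-digit swaps so "3m1ly" still matches "emily".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t"})
MIN_LENGTH = 16  # "very long" is the advice; 16 is this example's threshold


def _alnum(s: str) -> str:
    """Lower-case and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_fact_in(password: str, facts=KNOWN_FACTS):
    """Return the first known fact embedded in the password, or None.

    A trailing ".1", "!" or a year does not hide the fact, because the fact
    is searched for as a substring of the normalised password, both as typed
    and with leetspeak substitutions undone. Facts under 4 characters are
    ignored to avoid false positives.
    """
    plain = _alnum(password)
    forms = {plain, plain.translate(LEET)}
    for fact in facts:
        f = _alnum(fact)
        if len(f) >= 4 and any(f in form for form in forms):
            return fact
    return None


def check_password(password: str, facts=KNOWN_FACTS) -> list:
    """Return the reasons a password is rejected; an empty list means OK."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    fact = personal_fact_in(password, facts)
    if fact:
        problems.append(f"contains personal information ({fact!r})")
    if password.isdigit():
        problems.append("digits only (looks like a date or a year)")
    return problems
```

The same `personal_fact_in` check applies equally to security-question answers, which the story above shows are often the weakest link.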