The holiday season is a time for sharing, caring, and shopping – and the prime time for cybercrime, specifically social engineering. This time of year, social engineering takes many forms as cybercriminals take advantage of those who are good-natured and caught up in the holiday cheer. Let’s take a look at a few common approaches, how to recognize the risk, and how you can protect yourself:
Pretexting, the practice of presenting oneself as someone else in order to obtain personal information, takes more effort than blasting an email to thousands of recipients. Here, a cybercriminal invents a familiar identity or poses as an authority figure and then asks you to “confirm” personal information. By the time you’ve confirmed your details to that “trusted” source, you have been played like a fiddle.
“Hey – this is Ben from Human Resources. This year we are giving all employees a $5,000.00 bonus! However, our system is down, and we want to make sure you get the bonus on time. Can you please confirm your bank account information?”
Who wouldn’t jump at a 5k bonus! However, should you fall victim, you will soon find out the bonus was too good to be true. A Human Resources department would never call and request such information over an unsecured channel. Hang up and report the incident to your security team ASAP; a quick report is what prevents your co-workers from becoming victims too.
Whether it’s a holiday party in the office, an in-house Thanksgiving, a happy hour for clients, or just walking into the office after lunch, be aware of those around you. If you scan a badge to enter a secured space and the person behind you doesn’t, they’ve tailgated. If you know the tailgater, politely remind them to scan their own badge for entry. If you don’t know them – stop them! Tailgating is a physical form of social engineering: once inside a secured space, an intruder can get at personal and confidential information that locked doors were meant to protect.
And please don’t fall for the newbie:
“Hi – I’m Dave and I’m new! I’m still waiting for my badge and I left my phone by the coffee, can you let me in?” … 10 minutes later, Dave is found snooping around the CEO’s office on the hunt for trade secrets.
While you may not know everyone at the holiday happy hour, it can’t hurt to ask and introduce yourself.
As we know, phishing is a method by which cybercriminals send emails pretending to be from a reputable organization in a malicious attempt to obtain personal information. This time of year, such an email may arrive as a charity asking for donations, an advertisement from a popular retailer, or any other pretext that prompts you to share sensitive information.
Fortunately, most phishing emails contain red flags that can alert you to the attempt:
- Grammatical errors
- Offering prizes
- Creating a sense of urgency
- Requesting personal information
- Requesting user IDs and passwords
- Threatening with consequences
- Making demands
Also, keep in mind that these emails often look very authentic. To avoid falling for a phishing attempt, do not click links embedded in emails. Instead, it is best practice to close the email, type the organization’s official website address into your browser yourself, and proceed from there.
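As an added illustration (not part of the original post), the red flags listed above can be turned into a rough triage script: it scans a message for keyword patterns matching each flag and, because the post advises against clicking embedded links, also checks whether a link’s visible text names a different domain than the address it actually points to. The sample emails, keyword lists, and example.com/example.net addresses are all constructed for this demonstration; “grammatical errors” is left to the human reader, since a regex cannot judge it reliably. A high count is a reason to stop and verify through the official website, not proof of fraud on its own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative keyword patterns for the red flags named in the post (an assumption,
# not a vetted detection ruleset). "Grammatical errors" is deliberately omitted.
RED_FLAG_PATTERNS = {
    "offering prizes": r"\b(prize|winner|you have won|gift card|bonus|reward)\b",
    "sense of urgency": r"\b(urgent|immediately|within 24 hours|act now|expires today|right away)\b",
    "requesting personal information": r"\b(social security|ssn|bank account|routing number|date of birth|credit card)\b",
    "requesting credentials": r"\b(password|user ?id|username|login details|verify your account)\b",
    "threatening consequences": r"\b(suspended|terminated|legal action|locked|deactivated)\b",
    "making demands": r"\b(you must|you are required|failure to|required to)\b",
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude last-two-labels domain: 'secure.example.com' -> 'example.com'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mismatched_links(html):
    """Return (visible text, href) pairs where the shown domain differs from the target."""
    parser = LinkExtractor()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        target = registered_domain(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if shown and target and registered_domain(shown.group(1)) != target:
            bad.append((text, href))
    return bad


def score_email(subject, body_html):
    """Return the list of red flags found in a message (more flags = more suspicion)."""
    text = re.sub(r"<[^>]+>", " ", subject + " " + body_html).lower()
    flags = [name for name, pattern in RED_FLAG_PATTERNS.items() if re.search(pattern, text)]
    if mismatched_links(body_html):
        flags.append("link text does not match link target")
    return flags


# Constructed sample messages for the demonstration (not real emails).
PHISHING_SAMPLE = (
    "URGENT: Confirm your holiday bonus",
    "<p>You must verify your account within 24 hours or it will be suspended. "
    "Enter your bank account details at "
    '<a href="http://payroll-update.example.net/login">https://hr.example.com/bonus</a></p>',
)
BENIGN_SAMPLE = (
    "Holiday party on Friday",
    "<p>Join us at 4pm in the break room. RSVP on the intranet: "
    '<a href="https://intranet.example.com/rsvp">intranet.example.com/rsvp</a></p>',
)

if __name__ == "__main__":
    for subject, body in (PHISHING_SAMPLE, BENIGN_SAMPLE):
        print(f"{subject!r}: {score_email(subject, body)}")
```

Run as-is, the script reports every one of the listed flags plus the link mismatch for the constructed “bonus” message and nothing for the party invitation.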
Phishing has a cousin! Meet “vishing”. Instead of emails, vishing uses the old-fashioned telephone to illegally obtain personal information.
“Hi my name is Kevin, I am from (insert charity name here), would you consider donating to help puppies in need during the holiday season?” …Next thing you know, Kevin has a new boat.
Phone calls asking for donations should be treated with caution. These callers ask you to pay over the phone, and in doing so you hand the cybercriminal copious amounts of personal and financial information.
The best way to proceed is to thank the caller for making you aware of the charity and hang up. This gives you time to investigate the legitimacy of the organization. Should you find that the call was a likely scam, you can report the “visher” to the authorities.
To conclude, cybercriminals constantly invent new ways to illegally obtain personal or confidential information; therefore, it’s important to be extra vigilant during the holiday season. Don’t open attachments in suspicious emails; be wary of phone calls that request too much information; and know who is authorized to be in your secure environment.
You are the first line of defense against social engineering, don’t be a turkey and get gobbled up!
LEAD PRIVACY ANALYST