Bad guys are increasingly targeting you through your smartphone. They send texts that trick you into doing something against your own best interests. At the moment, there is a mystery shopping scam going on, starting out with a text invitation, asking you to send an email for more info which then gets you roped into the scam.
Always, when you get a text, remember to “Think Before You Tap”, because more and more, texts are being used for identity theft, bank account take-overs and to pressure you into giving out personal or company confidential information.
Here is a short video made by USA Today that shows how this works: Think before you Tap video
Social engineering (in the context of information security) is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. To put that into a perspective that everyone can understand, social engineering is the art of criminal manipulation. Criminals try to manipulate you into giving up sensitive information like passwords or account information, or into giving them access to your computer so they can install malicious software. (This software can then give criminals access to your accounts and passwords, and control of your computer.)
Criminals use this tactic because it works. Humans tend to see the good in everyone. It is usually easier to use a person’s natural inclination to trust than it is to discover other ways to hack your software or computers.
Experts agree that the most vulnerable part of any security system is the human operating it. No amount of locks, deadbolts, alarm systems or guard dogs will protect you from that pizza delivery guy you are trusting at face value. If you let him in without first checking to see if he is legitimate, you are exposed to whatever threat he may represent. The Energy Credit Union would like to show our members how to protect themselves from social engineering, and which common red flags can help you spot a criminal who is trying to manipulate you through a fraudulent email. Let's look at how scammers can craft an email to catch you!
Who is the email from?
- I don’t recognize the sender’s email address as someone I ordinarily communicate with.
- This email is from someone outside my organization and it’s not related to my job responsibilities.
- This email was sent from someone inside the organization or from a customer, vendor, or partner and is very unusual or out of character.
- Is the sender’s email address from a suspicious domain (like micorsoft-support.com)?
- I don’t know the sender personally and they were not vouched for by someone I trust.
- I don’t have a business relationship nor any past communications with the sender.
- This is an unexpected or unusual email with an embedded hyperlink or an attachment from someone I haven’t communicated with recently.
Who is the email to?
- I was cc’d on an email sent to one or more people, but I don’t personally know the other people it was sent to.
- I received an email that was also sent to an unusual mix of people. For instance, it might be sent to a random group of people at my organization whose last names start with the same letter, or a whole list of unrelated addresses.
When was the email sent?
- Did I receive an email that I normally would get during regular business hours, but it was sent at an unusual time like 3 a.m.?
What is the subject of the email?
- Did I get an email with a subject line that is irrelevant or does not match the message content?
- Is the email message a reply to something?
Are there any attachments?
- The sender included an email attachment that I was not expecting or that makes no sense in relation to the email message. (This sender doesn’t ordinarily send me this type of attachment.)
- I see an attachment with a possibly dangerous file type. The only file type that is always safe to click on is a .txt file.
Are there any hyperlinks?
- I hover my mouse over a hyperlink that’s displayed in the email message, but the link-to address is for a different website. (This is a big red flag.)
- I received an email that only has long hyperlinks with no further information, and the rest of the email is completely blank.
- I received an email with a hyperlink that is a misspelling of a known web site. For instance, www.bankofarnerica.com — the “m” is really two characters — “r” and “n.”
What is the content of the email?
- Is the sender asking me to click on a link or open an attachment to avoid a negative consequence or to gain something of value?
- Is the email out of the ordinary, or does it have bad grammar or spelling errors?
- Is the sender asking me to click a link or open up an attachment that seems odd or illogical?
- Do I have an uncomfortable gut feeling about the sender’s request to open an attachment or click a link?
- Is the email asking me to look at a compromising or embarrassing picture of myself or someone I know?
Here is a PDF for quick reference. Remember to stay vigilant and safe!
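As an added example (not part of the credit union's material), here is a small Python check that applies two of the hyperlink red flags above: the displayed address not matching the real link target, and a link domain that imitates a known brand through look-alike characters (such as "rn" for "m") or a transposed letter (such as micorsoft). The list of known brands is a constructed sample.

```python
from urllib.parse import urlparse

# Constructed sample of brands that legitimate links are expected to use
KNOWN_BRANDS = {"bankofamerica", "microsoft"}

# Character pairs that look alike in many fonts and are swapped by scammers
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

def normalize(label):
    # Collapse look-alike character pairs to the letter they imitate
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    # Levenshtein distance; a single transposition costs 2
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(text):
    # Return the host name if the text looks like a URL or domain, else ""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def lookalike_reason(host):
    # Describe how the second-level label imitates a known brand, or None
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else host
    for token in sld.split("-"):
        if not token or token in KNOWN_BRANDS:
            continue
        for brand in KNOWN_BRANDS:
            if normalize(token) == brand:
                return f"homoglyph of {brand}"
            if edit_distance(token, brand) <= 2:
                return f"typo of {brand}"
    return None

def check_link(display_text, href):
    # Return the list of red flags raised by one hyperlink in an email
    flags = []
    shown, real = host_of(display_text), host_of(href)
    if shown and shown != real:
        flags.append(f"displayed {shown} but links to {real}")
    reason = lookalike_reason(real)
    if reason:
        flags.append(f"{real} is a {reason}")
    return flags
```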
Scammers will try many different ways to trick you out of your hard-earned cash. There have been reports of customers of large financial institutions falling victim to fraud, this time through the account alert systems. If you enjoy getting our alerts, please remember that The Energy Credit Union would not solicit any personal information from you via these alerts. Do not reply to these alerts if you are prompted to in any way. If you are unsure, please contact the branch directly at 416-238-5606 with any questions.
The Energy Credit Union does not send text messages or emails that ask you for your password for online and mobile banking, Personal Identification Number (PIN) for either your Member Card or credit cards, account numbers for any type of account, answers to your security questions, or access code for adding payees.
Here is a link to an article that tells how a couple in Nova Scotia got scammed when they replied to a text they received from what they thought was their financial institution.
- Beware of “What type of STAR WARS character are you? Find out with our quiz! All of your friends have taken it!” or other similar quiz-type posts. They require you to create a quick profile, and you enter your info and cell number, as instructed. After a few minutes, a text turns up. It turns out you’re more Yoda than Darth Vader. You’ve also just unwittingly subscribed to some dubious service that charges $9.95 every month. Be wary of these bait-and-switch games. They tend to thrive on social sites.
- By their very nature, social media sites make it easy for us to stay in touch with friends, while reaching out to meet new ones. But how well do you really know these new acquaintances? That person with the attractive profile picture who just friended you — and suddenly needs money — is probably some cybercriminal looking for easy cash. Think twice before acting. In fact, the same advice applies even if you know the person.
- Beware of chain-letter-type posts. They may appear in the form of “Retweet this and Bill Gates will donate $5 million to charity!” or “Stop animal cruelty! Click like and share!” Both the cause and the claim are fake. So why would someone post this? Once the page has a sufficiently high popularity rating (by getting lots of “likes”), the scammer removes the page’s original content and replaces it with something else (usually malware or scam advertising). Many well-meaning people pass these fake claims on to others. Break the chain and inform them of the likely ruse.
Better be safe than sorry! Social media is a great way to stay in touch but remember that you are in charge of your own safety online!