Attack type spotlight: 🌟 Social engineering 🌟

Social engineering is a very sophisticated scam. Here's how to spot it.

I have a rule of thumb for the internet these days: Most of the things you see online are probably fake.

This is hardly news, especially for influencers and influencer marketing. We know there’s nothing but hot air behind the lavish lifestyle of the majority of popular individuals on TikTok, Instagram, and elsewhere. 

But what I’m talking about is a lot more sinister than that. I’m talking about fake people, fake jobs, fake IT support, fake software, fake investment platforms, fake everything.

Why does this concern you?

Because these things are weapons used against you and your business. 

They’re part of a scam tactic called social engineering.

Perhaps the most popular social engineering attack is the “fake IT support” one.

A small business owner named Sarah runs a family-owned bakery. One day, while she is browsing, a message pops up saying her computer has picked up a virus and that she needs to call Microsoft to get it fixed.


She calls the phone number shown on the screen. A person picks up; they are kind and professional, and they ask Sarah to install a remote desktop program (TeamViewer, AnyDesk, or similar).

Sarah complies and grants direct access to her computer. Within moments, the “IT guy” on the line installs multiple information-stealing programs on the computer, which grab payment information, passwords, and other sensitive data and upload them to a server under the hackers’ control.

By the time Sarah figures out what’s going on, she’s locked out of her social media accounts (which are essential for driving business to the bakery), has lost access to her money, and needs to call the bank.

Furthermore, her email account is used to target other companies, which have no way of knowing that it isn’t Sarah sending them a virus.

One wrong move, and now Sarah needs to spend her time putting out fires, instead of building her business.

Fake jobs, anyone?

Another popular social engineering tactic these days is the fake job one. This one particularly targets IT pros.

A criminal will fake an entire company: 

  • They will create a fake CEO (they’ll use AI to generate profile pictures, so you won’t find them by searching for images)

  • They will create a fake company and website (pros can do it in 15 minutes)

  • They will create fake social media accounts (LinkedIn, Twitter, Discord, etc.) and fill them with fake followers (you can buy thousands of followers from Thai scammers for as little as $10)

Then they’ll reach out and offer a really cool job position. It pays great, and the benefits are even better. All you need to do is pass a trial or go through an onboarding process. These things usually require you to download and run a program. Unfortunately, the program is malware, and both you and your company are toast.


All of these things actually happen. In fact, one such attack resulted in a company losing $600 million (yes, million).

So if there’s one thing you should write on a post-it note and stick to your screen, it would be: Question Everything. Whatever you do online, don’t take it at face value. Verify people’s identities. Do your due diligence on companies, potential partners, and third parties. And remember: if it’s too good to be true, it probably is.

Stay safe everyone!

  • Sead from SmallBiz CyberWiz

P.S.

If you enjoyed this newsletter and appreciate these tips, please share it with your friends and colleagues; it would help a lot!
