
Watch Out for These Signs of Social Engineering Fraud


Phishing is probably one of the most common and well-known social engineering fraud schemes today. Social engineering fraud refers to scams that rely on psychological manipulation to convince victims. Google is reportedly blocking 18 million coronavirus scam emails every day and registered a record 2 million phishing websites in 2020. Even though phishing attacks are constantly evolving and becoming more sophisticated, the same basic laws still apply at the heart of an attack strategy.

Imitate, Motivate and Act

Imitation is the impersonation of a trusted source. A phishing message will always strive to look like it originates from a trusted organization or individual. Most cyber criminals try hard to make their messages look legitimate and convincing, using the same fonts and copying colors, logos and branding to fool people.

Motivation is the social engineering part of the phishing attack. Scammers tailor messages for one single reason — to motivate people to take action such as a click, reply, download, or tweet. Attackers exploit human instincts by crafting phishing messages that get victims upset, curious, infuriated, or anxious, in the hopes of provoking a response.

Act is the final step or the invisible hook that is lurking in a phishing attack. This could be a form that a user must fill out, a click on a social media post or instant message, or simply a visit to a site that could cause a drive-by download. After a successful click or download, the victim might be stuck with malware that can evade detection for a long time.

Even a carefully crafted phishing attack displays revealing signs that the email is neither legitimate nor trustworthy. Here are six common signs to watch for.

Suspicious Sender's Address

One of the trademarks of phishing is that hackers create fake sender addresses that appear authentic. Many hackers use generic email domains like or which makes them relatively easy to spot. Some might even use email spoofing to create fake email addresses where only the sender’s name is visible while the email address itself is hidden. As you might expect, many recipients of these emails don’t go above and beyond to check a spoofed sender’s address, especially on mobile devices.

Generic Salutation and Sign-off

One of the most obvious signs of phishing is that the message addresses the receiver as a generic recipient instead of an individual person, for example “Dear Depositor” or “Dear Customer.” Sometimes the phisher will use a first initial and last name, copying part of an email address. Similarly, the email sign-off could be impersonal, typically a customer service title or generic department rather than a specific person’s name and contact.

Subject Lines That Spawn Urgency or Raise Alarm

Creative attackers often use scare tactics in hopes that readers will click on malicious links, download attachments, or fill out forms due to worry, urgency, or confusion. The common message in these types of emails is that action is immediately required, payment is urgently needed, or sign-ins must happen now. For example: “New sign-on to your account,” “Suspicious activity detected,” “Password Expired,” and “Account closure” are all common subject lines one may find in a phishing attempt.

Fake File Attachments

In this style of phishing attack, an attachment is delivered along with an email message. Attachments may appear like a PDF or document, but are really an image with a hidden URL, while others could bring up a sophisticated impersonation of a fake login screen. In a recent example, fake meeting invitations impersonating Zoom calls surfaced online, targeting Microsoft users with fake attachments that took victims to bogus Zoom login screens.

Use of URL Shorteners

URL shortening is a common technique used by social media giants like Twitter, LinkedIn, and Facebook that reduces the size and complexity of longer website addresses (URLs) by replacing them with a shorter link. Hackers often disguise rogue URLs by using these shorteners, which prevents easy detection of known malicious sites or destinations. For example, instead of showing an obvious URL that indicates a website in Ukraine, Romania or France, a shortened URL does not reveal to readers where the link will take them or what they will find when they get there. Readers must immediately recognize this red flag and avoid clicking on a shortened URL.
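Four of the signs above (sender address, salutation, subject line, shortened links) can be checked mechanically at a mail gateway or in a reporting tool. The following Python sketch is an added example, not part of the original article; the domain and shortener lists, the sign names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists for illustration; tune them to your own mail flow.
GENERIC_MAIL_DOMAINS = {"freemail.example"}  # placeholder free-mail domain
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "lnkd.in"}
# Subject phrases and greetings quoted in the article.
URGENT_SUBJECTS = ("new sign-on to your account", "suspicious activity detected",
                   "password expired", "account closure")
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer|depositor)\b", re.I | re.M)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def phishing_signs(raw_email):
    """Return the warning signs found in one RFC 5322 message, in check order."""
    msg = message_from_string(raw_email)
    signs = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in GENERIC_MAIL_DOMAINS:
        signs.append("generic-sender-domain")
    # A display name that shows an address from another domain hides the real sender.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != domain:
        signs.append("display-name-mismatch")
    if any(p in msg.get("Subject", "").lower() for p in URGENT_SUBJECTS):
        signs.append("urgent-subject")
    # Collect every text/plain part so multipart messages are covered too.
    body = "\n".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    if GENERIC_GREETING.search(body):
        signs.append("generic-salutation")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(body)}
    if hosts & SHORTENER_HOSTS:
        signs.append("shortened-url")
    return signs

# Constructed sample message (not a real email).
SAMPLE = """\
From: "service@examplebank.example" <billing@freemail.example>
To: user@corp.example
Subject: Suspicious activity detected

Dear Customer,
Confirm your details now: https://bit.ly/constructed
"""

if __name__ == "__main__":
    print(phishing_signs(SAMPLE))
```

A hit on any one sign is a reason to look closer rather than proof of fraud; legitimate mail also uses shorteners and generic greetings.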

Social Engineering Red Flags

Because the underlying principles of manipulation remain constant, cyber criminals are known to apply similar techniques to other forms of communication. Sophisticated scammers are quick to target alternate channels like social media, telephone, and SMS. 

The best way to avoid phishing is by looking out for these tell-tale signs and steering clear of clicking on any attachments, links in emails, tweets, Facebook pages, and the like. Vigilance is not an inherent but an acquired trait, and it only comes through routine practice and experience. One of the most effective ways of acquiring this muscle memory is through ongoing simulated phishing exercises that train staff on newer, evolving techniques, creating a mindset of what they should be looking out for.