Protecting from Hackers who Attempt to Phish and Steal from You
Click on the YouTube link here: https://www.youtube.com/watch?v=ViNu4HdPuPs
As we see in the news almost daily, phishing attacks are becoming more prevalent for all of us. Phishing is a form of “Social Engineering”: an attempt to trick you into handing over sensitive information so that an attacker can compromise your data or computer, steal from you, or extort money from you to get your data back. Social engineering and phishing are also a common entry point for ransomware, malware that, once installed on your computer, encrypts your files and demands a ransom before you can access your data again, some of which may be highly sensitive!
In this article, we’ll cover several ways that hackers will attempt to phish you, including the top three:
1. Phone call issues
2. Email issues
3. Social Media issues.
Phone Call Issues
First on the list are phone call issues. Calls from an unknown number are a ‘classic’ way that scammers will social-engineer you. A call from an unknown number may be from a new friend or from a VALID business that you’ve dealt with, but it is often from a scammer. Keep in mind that a scammer will:
• Claim they’re from your bank, credit union, credit card company, etc.
• Attempt to get your checking/savings account number, your credit card number, etc. (STOP: Remember, shouldn’t they already have this information?)
• Ask you to “verify” your account or phone number with them. (STOP: Instead, ask them for the phone number of the bank, credit card company, etc. that they claim to represent, including their extension, and then end the call.)
• Since they already have your phone number, follow up with a text message containing a link “… for verification”. Just don’t tap it. The link will most likely lead to a fake login page that captures your password, or to malware.
• Get as much of their information as you can (name, phone number, etc.) and call the organization back using the phone number listed on the organization’s website or on the back of your card, NOT the phone number that they gave you. Caller ID can be spoofed, so the number shown on your phone proves nothing about who is actually calling.
• If they give you a phone number, you can do a ‘Reverse Phone Lookup’.
• The Reverse Phone Lookup can be found here: https://www.spokeo.com/reverse-phone-lookup
- (Screenshot of the lookup page as it appeared when this article was written; the image is not reproduced here.)
Please note: this service will ask whether you want to pay for additional information, but the bit of free information shown after you enter the caller’s phone number is often enough to tell whether the call came from a legitimate phone number or from a scammer.
Email Issues
Second on our list is email and some of the ways that scammers can fool you. Email issues can be ‘trickier’ to spot, so take care when opening any email.
With emails, here are a few items to look for.
First, if you receive an email that appears to come from a colleague at work or a friend, do the following:
• Check that the actual email address is correct, not just the display name (the display name can say anything). Does the address match the organization it is reportedly from? In particular, if you work at ABCCompany.com, ensure that the email is from @ABCCompany.com and NOT from a lookalike such as @ABCCompany-mail.com or @ABCC0mpany.com, or some other source.
• Likewise, if you communicate with a friend often, ensure that the email address is the same as before (you can verify any change with your friend by phone or in person).
For any email, if the message is not personalized and uses terms such as “Dear Client,” or “Dear Customer,” this should set off a “red flag” of caution that calls for your further attention.
Also, scan the email for misspellings, grammatical errors, and malformed sentences. These can be a clue that a translation app was used. While many hackers are from other countries, keep in mind that some hackers are native English speakers, so bad grammar or bad spelling is only one possible indicator. Emails from banks, credit card companies, etc. are proofread, so if you run into misspellings or bad grammar in an email from a financial institution or other organization, this should raise another “red flag” of caution.
Look for urgency in the email. Does the message convey a sense of urgency? Urgent requests push us to respond quickly, and often we don’t think through the implications of a quick response. For example, I’ve received scam emails from “Amazon” asking me to verify a charge (usually a very large amount of money) for a purchase. Typically, the email will say “For your immediate reply” or something even more urgent sounding. Keep in mind that when we feel a sense of urgency, we often make a snap judgement and skip our usual careful review. Urgency to respond can be another “red flag” of caution.
Related to ‘urgency’, scammers will often threaten you in an email. Threats include things like “suspension of your credit line or credit card” if you don’t act, or a threat to report you to the authorities. Keep in mind that banks and other organizations will send you a notice in the mail with a proper response date and an address to respond to. Scammers use threats to get you to take immediate action.
If the email contains an attachment, such as a .doc/.docx, .pdf, .zip, or other file type, and you did not expect it (especially if you do not know the sender), never open it. There are many hacker tools that let an attacker embed malware in what looks like a legitimate document or file. When that modified file is opened on your computer, the malware can launch (for example, through a document macro or an exploit in the viewer) and cause many potential issues on your system.
If the email requests personal information, including account numbers, names, addresses, phone numbers, place of employment, social security number, etc., this is another “red flag”. Just don’t provide any information.
If the email contains a link, don’t click it. Hovering over a link (without clicking) usually reveals the real destination, which often does not match the text shown. If your bank or financial institution needs a document completed, the organization will have a secure portal on its own website that you log into, and you will be able to complete the document there. When in doubt, call your bank or financial institution using the number on your card or statement. Once again, double check the email address. Does the email come from a free email service such as Yahoo or (yes) Gmail? There is nothing wrong, in general, with free email services, but a bank or other professional organization sends mail from its own domain, never from a free webmail address, and scammers cut their costs by using free tools. Here’s a link to the top 10 free email sites: https://www.lifewire.com/best-free-email-accounts-1356641
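The checks above (sender domain, free webmail sender, generic greeting, urgency and threat wording, requests for sensitive data, links whose visible text does not match where they go, and risky attachments) can be turned into a simple scoring script. The following is an added example written for this article, not code from the original author; the two sample messages, the bank name, and every domain and address in them are constructed for illustration, and the phrase lists are a starting point rather than a complete rule set. It is a heuristic to help you look in the right places, not a substitute for your mail provider’s own filtering.

```python
"""Score a raw e-mail for the phishing indicators discussed in the article (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed lists: extend them for your own environment.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com", "icloud.com"}
URGENCY_PHRASES = ("immediate", "urgent", "within 24 hours", "suspended", "act now", "final notice")
GENERIC_GREETINGS = ("dear client", "dear customer", "dear user", "dear account holder", "dear member")
SENSITIVE_REQUESTS = ("account number", "card number", "social security", "password", "date of birth")
RISKY_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".pdf", ".zip", ".iso", ".lnk", ".js", ".html", ".exe")


def address_domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def registrable(host):
    """Crude registrable domain = last two labels (assumption: ignores suffixes such as co.uk)."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def _text_parts(msg):
    """Yield (content_type, decoded text) for every inline text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", errors="replace")


def score_email(raw_message, expected_domain=None):
    """Return {'score': n, 'findings': [(tag, detail), ...]} for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    trusted = (expected_domain or from_domain).lower()  # domain links are expected to point at

    if expected_domain and from_domain != expected_domain.lower():
        findings.append(("sender-domain", f"From is {from_domain}, expected {expected_domain}"))
    if from_domain in FREE_MAIL_DOMAINS:
        findings.append(("free-mail-sender", from_domain))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_domain}"))

    html, plain = "", ""
    for ctype, text in _text_parts(msg):
        if ctype == "text/html":
            html += text
        else:
            plain += text
    # Subject plus visible body text with HTML tags stripped, normalised for phrase matching.
    visible = " ".join([msg.get("Subject", ""), re.sub(r"<[^>]+>", " ", html), plain])
    lower = " ".join(visible.split()).lower()

    for tag, phrases in (("generic-greeting", GENERIC_GREETINGS),
                         ("urgency", URGENCY_PHRASES),
                         ("asks-for-sensitive-data", SENSITIVE_REQUESTS)):
        hits = [p for p in phrases if p in lower]
        if hits:
            findings.append((tag, ", ".join(hits)))

    # Links: compare the host the reader sees with the host the href actually goes to.
    for href, anchor in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
        href_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", anchor).strip()
        if re.match(r"(?i)https?://", shown):
            shown_host = urlparse(shown).hostname or ""
            if shown_host and registrable(shown_host) != registrable(href_host):
                findings.append(("link-text-mismatch", f"shows {shown_host}, goes to {href_host}"))
        if href_host and registrable(href_host) != registrable(trusted):
            findings.append(("off-domain-link", href_host))

    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail); every name, domain and address is made up.
PHISH = """\
From: "First National Bank" <security-alerts@gmail.com>
Reply-To: verify@firstnational-secure.example
To: victim@example.org
Subject: URGENT: Your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We detected a charge of $1,249.00. For your immediate reply, confirm your
account number and password within 24 hours or your card will be suspended:
<a href="http://login.firstnational-secure.example/verify">https://www.firstnational.example/login</a></p>
</body></html>
--b1
Content-Type: application/msword; name="Statement.docm"
Content-Disposition: attachment; filename="Statement.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

LEGIT = """\
From: "First National Bank" <notices@firstnational.example>
To: customer@example.org
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Hello Pat,

Your March statement is ready. Sign in by typing https://www.firstnational.example
directly into your browser, or call the number printed on the back of your card.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = score_email(raw, expected_domain="firstnational.example")
        print(label, result["score"])
        for tag, detail in result["findings"]:
            print("  ", tag, "->", detail)
```

Running the script scores the constructed phishing message on every indicator and the legitimate notice on none. Real mail also carries Authentication-Results headers (SPF, DKIM, DMARC) added by your provider; a message that fails those while claiming to be from your bank is a stronger signal than any wording heuristic, and a message that passes them can still be a phish sent from a lookalike domain, which is exactly what the sender-domain check above is for.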
Social Media Issues
Social media is a great venue to stay connected with your friends or (on some platforms) with professional colleagues. But be wary of any social media connection requests from (a) people that you don’t know and (b) people with only one or a few friends in common, none of whom you recognize. Scammers use social media accounts to gather information about you: your likes, dislikes, location, and even when you go on vacation!
I have accepted connection requests in LinkedIn from people I do not know, and many have bombarded me with training, eBooks, and courses that, quite frankly, I don’t need. Also, knowing that scammers will try to cull information about me to build a profile to hack me, my policy is that I do not accept connection requests from people that I don’t know. Likewise, in Facebook, especially Facebook Marketplace, the environment is rich in scammers. When interacting on FB, pay particular attention to text interactions, especially when selling. Scammers will attempt to have you click on a link or will prompt you to provide them with some other information via a text message that they’ve sent you in order to gain access to your account.
I’ve been scammed
All is not perfect in my cyber world, so I write this article to share my experiential learning with you. I have been scammed over the years. Early on in the ransomware world, about 10 years ago, I clicked on a link and my system locked up with ransomware. Luckily, I had backups of my files. It was early in the ransomware years, so mitigation was easier than it is now (the world of ransomware is much more sophisticated today). Fortunately, I never had to pay a ransom, and the system that I was using did not have sensitive information stored on it.
Also, I experienced a Facebook Marketplace scam. The scammer wanted to pay for an item immediately and then pick it up at some time in the future (note the sense of urgency to pay). He indicated that he was out of town but was particularly interested in the item (again, a push for a sense of urgency). He sent a Google link with a verification number to my phone (essentially, he was attempting to reset my Google account). He told me that he needed the Google text number to verify that I wasn’t a scammer (an interesting twist). The message sent to my phone was from Google and contained a password reset number. The message also said not to share this information with anyone else. However, the scammer convincingly said that the number would prove that I’m not a scammer and that I should provide him with the number to prove that I was legit. If I had given him the text number, he would certainly have reset my Google account, which has quite a bit of personal data and CC data…. I’d be screwed!! I wonder how many FB users have fallen for this trick.
Summary: The Bottom Line
The bottom line is to always take caution! Remember that sometimes you’re tired or hungry or just … when you are doing email, phone calls, or social media. When we’re tired, hungry, etc., sometimes we get a bit hurried. Take caution with email, phone calls, and social media to protect yourself from scammers. Remember that this article is not a complete list, and scammers will continue to be more and more creative in trying to steal from you.
Also, consider hacking insurance (many insurance companies offer this as a rider to your homeowner’s or renter’s policy). Insurance will cover your losses, to some extent, and will help you recover your identity. Consider this option and dig into the policy to see how you are covered.
In addition, practice some basic cybersecurity hygiene, including:
• Apply software updates for your PC/Mac from Microsoft/Apple. Many of the updates pushed out by Microsoft and Apple contain security patches, so you’ll want to stay on top of these; turning on automatic updates is the easiest way.
• Apply updates to software from KNOWN vendors. If you use products from known vendors like Quicken, Oracle, etc., be sure to apply their patches promptly.
• ALWAYS have good antivirus software, and remember that some of the freebie software is from scammers, so use well-known antivirus software downloaded from the vendor’s own website. Yes, sometimes you get what you pay for, and free often doesn’t get you much.
In summary, I hope this article helps you to better protect your ASSets. Scammers are a particular breed of individuals and hopefully these measures will create a bit more distance between you and those who seek to steal from you.
About the Author
Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.
CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP
· CMTC Email: rmcfarland@cmtc.com
· Email: highervista@gmail.com
· LinkedIn: https://www.linkedin.com/in/highervista/
· Website: https://www.highervista.com
· YouTube Channel: https://www.youtube.com/@RonMcFarland/featured