What is Social Engineering and How Do Online Scammers Specialize?

Social engineering, an online scam involving building trust in order to steal information, is on the rise. Here’s what you need to know about social engineering attacks, including how hackers can specialize and target particular industries and organizations.

You may think criminals who are interested in stealing your money aren’t very discriminating, but when it comes to online scams, you’d be surprised. Hackers are focusing on specific industries and organizations, likely those that seem like easier targets. They use tactics to first gain trust, only to later steal information and/or money from their victims.

In recent headlines from Milwaukee and Cleveland, fraudsters are targeting churches and schools who have remodeling or construction projects underway. In Milwaukee, a church was defrauded out of over half a million dollars. The scammers, posing as the church’s construction company, sent the church a letter claiming the construction company changed to a new bank, and to route the money there. To take things further, the hackers also called the church to ensure they received the letter, and worked on building the relationship via phone and email until the payment went through. The construction workers never received the money, and the church may not be able to recover the lost funds.

In Cleveland, email hackers targeted a Catholic church, walking away with $1.75 million. The online scammers broke into two church staff members’ emails, getting the information they needed to pose as construction workers and convince the church to wire payments to a fraudulent account. In this case, the church feels confidence that they will be able to reimburse these funds through an insurance claim and investigation, and they decided to follow up by improving their cyber security by hiring a firm.

In both cases, the churches had built trust with the online scammers, to the point they felt comfortable wiring money to previously unused accounts. Fraudsters, instead of sending millions of fake emails out in the hopes someone might click through and disclose sensitive information, are instead spending significant time researching and approaching their targets. They are calling their targets on the phone. They are impersonating construction contractors. They are even going as far as mailing forged letters on official-looking letterhead, and weaseling into ongoing conversations between the nonprofit and the construction firms.

This practice is called “social engineering.” It is a specific kind of cyberattack where the perpetrators are trying to trick trusting individuals into disclosing information or initiating transactions on behalf of the attackers. The losses exceeded $2 million in just these two cases, but they are far from anomalies. Plus, for-profit businesses are just at risk for social engineering attacks as churches, or other non-profits, are.

While these targeted attacks can look very similar to genuine messages from contacts you already know, it’s important to stay vigilant and look out for clues that something may be coming to you via social engineering. Here are some signs:

• Watch out for emails that look like a reply to something you didn’t ask for
• Be wary of requests for information that don’t make sense to you, especially if the requests are for information like bank account numbers, Social Security numbers, date of birth, or addresses
• Watch for faked emails or slightly misspelled domains
• Poor grammar or spelling errors might be a clue that the message is from an online scam
• Password change requests should always be treated as suspect

Remind your colleagues to always verify requests for information by contacting an existing relationship with any vendors/businesses involved in the relationship.  Do not call the numbers supplied on letters or emails.  Look up contact information in your separate, pre-existing contact records.

One of Ronald Reagan’s famous quotes was “Trust, but verify.”  When it comes to cybersecurity, “Don’t trust, and also verify.”  If you would like an assessment of your cybersecurity preparedness, talk to Chortek.  We can help.