Criminals often rely on tricking their victims into giving up their passwords and other account information. This trickery is called social engineering, also known as a confidence crime, and it comes in many forms.
- A phishing e-mail in which the criminal targets a specific person is called spearphishing. The spearphishing e-mail closely mimics the legitimate company e-mail the real person normally receives.
- Example: The thief sends a phishing e-mail to a company employee he found on LinkedIn, making it appear to come from the company’s CEO or another higher-up. The “CEO” requests sensitive information (such as a password) or a wire transfer.
- The phone is used for phishing (vishing) in a similar manner. A “vish” combines voice (a phone call or voicemail) and phishing.
- A fake invoice is sent to a company, mimicking the ones the business’s actual vendor routinely sends and requesting payment. Or it may be made to look like it comes from any vendor the company plausibly does business with. Accounting often pays the fake invoice.
- Finders keepers, finders weepers: The crook leaves a USB drive lying around, hoping someone will find it and greedily plug it into their computer, at which point it unleashes malware.
- Impersonating a vendor or another employee in person to gain access to a business’s premises.
Don’t Take the Bait
- Any time someone calls, you receive an e-mail, someone comes into your office, or the doorbell rings, be aware that they may have scammy intentions.
- All bank accounts should have two-factor authentication. Even if passwords are compromised, this can prevent scammers from getting into the account.
- Train employees to be extremely judicious about what they post on social media, such as the nickname of the company CEO.
- Never click links inside e-mails. Phishing specialists want you to click on links that will download a virus.
- Requests for money transfers or for handing over sensitive data must be verified with the person who supposedly made the request, in person or over the phone using a number you already have. Never hit the “reply” button.
- Money transfers should require two signatures.
- Free web-based e-mail accounts need two-factor authentication.
- Vigorously train employees to recognize phishing maneuvers, including catching any anomalous features in e-mails supposedly sent by the CEO or other key figures in the company. Staged phishing e-mails should be sent regularly to see who takes the bait.
- Examples of anomalous behaviors: The CEO suddenly wants to be contacted via a new e-mail address, or her e-mail signature suddenly differs (“Kathy” instead of “Kathi”). Another suspicious change: a CEO who has signed off with “Best” for years suddenly signs off with “Sincerely.”
- Uncharacteristic behavior may also appear from vendors (crooks posing as a longtime vendor).
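The anomalies listed above (a familiar name on a new sender address, a lookalike domain, a Reply-To that quietly points elsewhere, a changed sign-off or signature name, a request for a wire transfer or password) can be checked mechanically at the mail gateway or in a triage script before a human ever has to spot them. The following Python is an added example, not code from the original article or from IDTheftSecurity.com; the company domain, the executive profile and the two sample messages are constructed for illustration, and the script uses only the standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed baseline for a fictional company (not from the original article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    # lower-cased display name -> what the real person's mail looks like
    "kathi jones": {
        "address": "kathi.jones@example.com",
        "signoff": "best",       # how she has signed off for years
        "signature": "Kathi",    # the name that follows the sign-off
    },
}
SIGNOFFS = {"best", "sincerely", "regards", "thanks", "cheers"}
SENSITIVE = re.compile(r"wire transfer|password|account number|gift card", re.I)


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_signoff(body):
    """Return (signoff_word, following_line) for the last sign-off in the body, or (None, None)."""
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    for i in range(len(lines) - 1, -1, -1):
        word = lines[i].rstrip(",.!").lower()
        if word in SIGNOFFS:
            return word, lines[i + 1] if i + 1 < len(lines) else ""
    return None, None


def flag_executive_impersonation(raw_message):
    """Return a list of anomaly labels for one plain-text RFC 822 message (empty = nothing odd)."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    # Lookalike domain: a character or two away from the real one, but not the real one.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # Replies silently redirected somewhere other than the visible sender.
    if reply_addr and reply_addr != from_addr:
        findings.append("reply-to-mismatch")

    # Multipart/HTML bodies are out of scope for this illustration; plain text only.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if SENSITIVE.search(body):
        findings.append("sensitive-request")

    profile = EXECUTIVES.get(from_name.strip().lower())
    if profile:
        # The "CEO suddenly wants to be contacted via a new e-mail address" case.
        if from_addr != profile["address"]:
            findings.append("executive-name-new-address")
        signoff, sig_name = extract_signoff(body)
        if signoff and signoff != profile["signoff"]:
            findings.append("signoff-changed")
        if sig_name and sig_name.rstrip(",.") != profile["signature"]:
            findings.append("signature-name-changed")
    return findings


# Constructed sample: a spearphishing attempt impersonating the CEO.
SUSPICIOUS = """\
From: Kathi Jones <kathi.jones@examp1e.com>
Reply-To: ceo.office@mail-examp1e.com
To: payroll@example.com
Subject: Urgent wire transfer

Please process the attached wire transfer before 3pm today and confirm by reply.

Sincerely,
Kathy
"""

# Constructed sample: the genuine article, matching the baseline on every point.
LEGIT = """\
From: Kathi Jones <kathi.jones@example.com>
To: payroll@example.com
Subject: Team lunch

Let's do Friday.

Best,
Kathi
"""

if __name__ == "__main__":
    print("suspicious:", flag_executive_impersonation(SUSPICIOUS))
    print("legit:", flag_executive_impersonation(LEGIT))
```

The script is a triage heuristic, not a verdict: a single finding such as a changed sign-off is a prompt to verify the request out of band, exactly as the checklist above says, while several findings together (lookalike domain, redirected replies, a wire-transfer request and a changed signature on one message) are grounds to quarantine the message and alert the recipient. A production gateway would pair these checks with the authentication results already in the headers rather than relying on the display name alone.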
Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video.