Information Security Officer

We all think we’ll dodge the phishing or scam bullet, but that’s not always the case. Hackers are only improving their tactics, and we are falling for them. 

According to the FBI, 2020 was the year with the highest number of attacks like phishing, identity theft, personal data breach, non-payment/non-delivery, and extortion, totaling $4.2 billion in losses. 

The only way to avoid it is by educating ourselves and knowing how to beat the hackers. That’s why we sat down and spoke to our Information Security Officer. 

Here’s how it went:

Who is more susceptible to scams? 

Generally speaking, it’s not about your education, it’s about your personality. We have to stop thinking that people with a higher education get scammed less. Here are a couple of examples of possible victims: 

If you’re into making easy money

Victims that are naïve and believe in earning easy money are the perfect target. Scammers can identify them through social media, phishing emails, and even phone calls. So be sure not to easily fall for “too good to be true” deals. 

If you have a higher education

As for people with a higher education, they can be tricked into a scam if a hacker communicates in a manner that resonates with their knowledge in finance, trading, etc. This can result in them [the victim] believing that the hackers are legit professionals just like them. 

If you have hefty funds

Other possible victims include people who have hefty funds in their accounts or cryptocurrency holders. One example is leaked and exposed data of cryptocurrency holders from breached crypto trading platforms. Those are categorized as quite desirable, high-reward victims because their assets are digital and easily anonymized if stolen.

Quite recently one very popular crypto trading platform was hacked, exposing the data of millions of customers. This info can be used to target them in the future. So these things happen much more often than you think whether you want it or not. 

If you’re non-tech savvy

These victims are quite often targeted by phone scammers. Threat actors prefer to target elderly people by offering some IT or finance-related services. 

For example, services that remove non-existent computer viruses, services that help prevent bank fraud, etc. are given in return for gift coupons, redeemable codes, or even mailed-in cash. Also, this group of victims easily falls into the trap of malicious links and attached files. And it’s not their fault. Some of these traps can be quite sophisticated, even tech-savvy users fall for them.

Once you feel that you are good at spotting such frauds – educate your loved ones. Spend some time and effort on it. After all, they are the ones who taught you how to use a fork and knife back then. 

The rule of thumb here – if something sounds too good to be true, it probably is.

Could you tell us more about what principles of persuasion scammers use? 

Hackers use social engineering techniques more than you think. Studies show that more than 99% of cyberattacks require human interaction to succeed. 

This means that 99% of cyberattacks could have been prevented if victims didn’t fall for psychological (not technical) traps. And things can get even worse if a social engineering attack is paired with a technical attack.

For example, when making scam phone calls, hackers most often spoof the phone number (technical trick). So, the victim may see a legit phone and believe they are speaking to someone they know. Now comes the time for psychological tricks such as: 

  • Manipulation: they convince people that they’re friends and want to help them. 
  • Professional jargon: they use overly complicated terms to come off as professional. 
  • Evasion tactic: they avoid looking suspicious by mumbling answers to the victim’s counter questions (psychologically, people are too shy to ask the same question more than twice) or by changing their intonation.
  • Referencing sources: they mention legit sources that are tied to the victim by gathering info via a background check or checking the supply chain. 

In short, they do their homework in order to get the recipe for a successful scam. 

What should people do if they know they’re talking to a threat actor? 

In any case, it’s best not to stay long on a call or give away any information about you or someone you know. Even if they [scammers] imply that some information is correct, which it might be, don’t confirm it. If you don’t play along, they will consider you an undesirable target. 

Let’s see this as a hypothetical situation: 

  • You receive a phone call from the bank. 
  • The person on the other end introduces themself and says your full name along with your personal identification number or bank account number. 
  • They end their question with, “Is that right?” 

They use this tactic to lower your defense because they provide correct and private information at the very beginning of the call. Try answering with “No, this is incorrect information,” and see how they react. This will throw them off guard since most of the time they follow a script, and it will put you on their blacklist. After all, they value their time too. They need results, like scams per hour, to make a profit. 

If a hacker obtains your email, should you change it?  

Yes and no. If it’s a business email, then it might be expensive to change it. But I would personally lean toward not changing the email because then you’d be changing emails quite often. Simply be more careful after receiving some suspicious email. That email could be a probing attempt without any malicious payload, with a real attack yet to come.

So what should you do if you receive a suspicious email? 

It’s a good idea to avoid opening suspicious emails altogether. Here are some ways to identify them: 

  • Check the sender’s address. Is it someone you know? Is the email from a reputable company but being sent from a consumer-grade @gmail.com domain? Are there spelling mistakes? 
  • Read the subject line and check the preview text. If it sounds like they’re asking you to do something urgently, think twice before opening it. If it’s your friend asking you to transfer them some money, talk with them via other communication channels – e.g., chat or call your friend and check with them. 

Once you’ve gone through both steps and determined it is a phishing email, delete it. The reason is, when you open it, the hacker gets information back indicating that this email address is actively used. Hence, they can target you again later on.  

Also, to be extra safe, you can use email clients that prevent automatic loading of remote content, e.g., images. An image may be downscaled to 1×1 pixels (a so-called “tracking pixel”) and added to an email. These pixels are used to track your actions via email and submit information such as OS version, browser type, IP address, etc., about your device.  
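The checks described in this answer (sender address on a consumer-grade domain while the display name claims to be a company, an urgent subject line or a request for money, and a remote 1×1 "tracking pixel" in the HTML body) can be scripted. The following is an added example, not code from the interview or the interviewee's organisation; it uses only the Python standard library, and the sample message, sender, and URLs are constructed for illustration. It also adds one tell the answer does not mention, a Reply-To domain that differs from the From domain.

```python
"""Triage a raw email message for the phishing tells discussed above (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumption: a short list of consumer mailbox providers; extend as needed.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}
# Display names that claim an organisation rather than a person.
ORG_WORDS = re.compile(r"\b(bank|support|security|billing|service|helpdesk|team)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|asap|suspended|verify now|within 24 hours)\b", re.I)
MONEY_WORDS = re.compile(r"\b(transfer|wire|gift card|send me money)\b", re.I)


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_tracking_pixel(attrs: dict) -> bool:
    """Remote image that is 1x1 (or hidden by CSS) is a beacon, not content."""
    src = (attrs.get("src") or "").lower()
    if not src.startswith(("http://", "https://")):
        return False  # inline (cid:) or data: images do not phone home

    def tiny(value):
        m = re.match(r"\s*(\d+)", value or "")
        return m is not None and int(m.group(1)) <= 1

    style = (attrs.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return (tiny(attrs.get("width")) and tiny(attrs.get("height"))) or hidden


def triage(raw: bytes) -> dict:
    """Return the domain the mail came from and a list of human-readable findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain in FREEMAIL_DOMAINS and ORG_WORDS.search(display_name or ""):
        findings.append(f"display name '{display_name}' but sent from consumer-grade domain {domain}")

    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    subject = str(msg.get("Subject", ""))
    text = subject + "\n" + "\n".join(
        p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"
    )
    if URGENCY_WORDS.search(text):
        findings.append("urgency language in subject or body")
    if MONEY_WORDS.search(text):
        findings.append("request to move money; confirm via another channel")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _ImgCollector()
            collector.feed(part.get_content())
            for img in collector.images:
                if _is_tracking_pixel(img):
                    findings.append(f"remote tracking pixel: {img.get('src')}")

    return {"domain": domain, "findings": findings,
            "verdict": "suspicious" if findings else "no obvious tells"}


def build_phishing_sample() -> bytes:
    """Constructed phishing-style message; sender and URLs are hypothetical."""
    m = EmailMessage()
    m["From"] = "Acme Bank Security <acme.security.team@gmail.com>"
    m["Reply-To"] = "claims@acme-bank-verify.example"
    m["To"] = "victim@example.org"
    m["Subject"] = "URGENT: verify your account within 24 hours"
    m.set_content(
        '<html><body><p>Your account is suspended. '
        '<a href="https://acme-bank-verify.example/login">Verify now</a></p>'
        '<img src="https://track.example.net/open.gif" width="1" height="1">'
        "</body></html>", subtype="html")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message from a friend on a consumer mailbox."""
    m = EmailMessage()
    m["From"] = "Sam Lee <sam.lee.1987@gmail.com>"
    m["To"] = "you@example.org"
    m["Subject"] = "Lunch tomorrow?"
    m.set_content("Same place at noon? Let me know.")
    return m.as_bytes()


if __name__ == "__main__":
    for label, raw in (("phish", build_phishing_sample()), ("friend", build_benign_sample())):
        print(label, triage(raw))
```

The heuristics are deliberately simple: a friend mailing from @gmail.com is not flagged (no organisation word in the display name), while a "bank" on a consumer domain with a mismatched Reply-To, an urgent subject, and a remote 1×1 image trips four findings. A mail client that blocks remote content stops the last one from ever loading; the script only reports it.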

How can we protect ourselves from being hacked?

I always suggest using common sense, paired with a good antivirus/firewall software. And don’t forget to update your software for both apps and operating systems. Remember – any device can be hacked. 

If you want to add one more layer of security, use a VPN. A proper VPN encrypts the communication between your computer and the websites you’re trying to reach. So, intercepting your data and identifying you becomes much more difficult. 

The last line of defense is you. 

What do you have to say to people who claim that they have nothing to hide?

Having or not having something to hide – it’s not something you can decide. Hackers will decide for you. 

Anyone can become a victim of a cybercrime. No matter if you are a stay-at-home parent, a CEO, a student, or a small business, educating yourself in this sphere of knowledge will benefit you in the long run.