What is Social Engineering?

By: Stephanie Petrashko

Some online criminals find it easier to exploit human nature than to take advantage of security holes in computer systems. We’ve all received a telephone call from someone telling us that our computer has all sorts of problems with it, or an e-mail message from someone claiming to be a distant relative and urgently asking for assistance in the form of monetary donations. But how do you know whether those calls and e-mails are legitimate?

Social engineering is a type of information technology crime that involves manipulating people to perform certain actions that break normal security procedures. Criminals rely on the natural helpfulness of people to gain access to their computers, gather confidential information and/or commit fraud. Tricks – such as e-mail hoaxes and false telephone calls – are performed to secretly install malicious software on people’s computers or to manipulate them into revealing their passwords or other sensitive personal information.

Last year, callers posing as Microsoft representatives attempted to scam Canadian consumers by offering “technical support” for non-existent computer problems. They milked unsuspecting victims out of hundreds, and sometimes thousands, of dollars by telling them that their computers would crash if they didn’t hand them over to “tech support”. The scammers often sought credit card information by asking the user to visit a certain website, where the information could be “securely” entered. Other times, the user was asked to purchase something, or to grant remote access to his/her computer to fix “urgent technical problems”. According to Microsoft Canada, nearly 80% of Canadians who received a phony Microsoft call fell victim in some way, and approximately one in three recipients experienced computer problems after the call.

So, what can you do to protect yourself and your organization from social engineering? Be wary! Never trust any unsolicited calls or e-mails from people offering support for computer problems or asking you to perform a certain action. Never follow the caller’s or sender’s instructions to visit a certain website, purchase or install software, send money, or divulge any of your personal information. Educate your employees on the issue of social engineering to protect your organization from attacks. Many scammers tend to pose as vendors or CEOs of companies in an attempt to give an employee at their targeted organization an immediate reason to trust them. If you’re suspicious of a certain caller, it can pay to ask questions to verify his/her identity. Similarly, avoid clicking on links that you receive in unsolicited e-mails, hover over links to see their full URLs, and manually enter website addresses to protect yourself from falling victim to e-mail attacks.

If you suspect that you’ve been targeted by a bogus phone call or e-mail, we encourage you to report the incident to the Canadian Anti-Fraud Centre.