The passing last week of international musical icon Prince marks a sad moment for the American arts. But it also poses a serious risk to computer users: when a celebrity death of this magnitude occurs, hackers invariably twist it around into a scam to try to steal people’s personal information.
But how, you ask? Simple: by sending out illicit emails (with or without attachments), Facebook posts, Twitter messages, texts on your phone, or website ads that purport to contain Prince’s last words. It’s as low down and rotten as it gets, but sadly it works: we’re all more likely to click a link when we’re feeling emotional about the death of a legend.
What are the consequences? If you (or someone in your company) inadvertently clicks a link for something like “Prince’s last words caught on video!”, you run the risk of introducing serious viruses or ransomware to your workstations or networks. Often, social engineering scams will go a step further and try to replicate an email address or domain name so that, for instance, if you communicate every day with email@example.com, you might not think twice about clicking a link in an email from firstname.lastname@example.org.
Other irregularities are common to such schemes. The email may address its recipient as “William” when everyone at the company refers to you as “Bill.” But the scammers are adept at doing their homework, probably researching public information about your company via LinkedIn or Facebook. Scammers then register an email domain that looks very similar to yours. Because these are real-time, targeted efforts to trick you, scammers will respond immediately if you reply to the email. Given today’s corporate culture and common lack of face-to-face communication, this back and forth usually makes the victim feel comfortable that it’s in fact a legitimate request.
Recent natural disasters in Ecuador and Japan, along with ongoing conflicts in the Middle East, mean that similar charity scams will continue to pop up, as well. It’s the same deal here: emails, social media posts, and web ads will ask for donations to a certain charity, but clicking on any links contained within will actually lead to illicit sites and probable infections.
Since social engineering scams like these are very real, costing real companies real money, CMIT Solutions recommends these steps to avoid them:
1) If you receive an email or social media request regarding a recent celebrity death, natural disaster, or financial request, be suspicious.
Want to know more about Prince? Google him and click on links from reputable news organizations. The same goes if you want to donate to charity — Google your favorite organization and donate via their official links, not those that pop up in front of you.
2) If you believe you’ve received a social engineering email, DON’T RESPOND and call your IT provider immediately.
Responding will allow the scammers to “set the hook” so to speak and only invite further communication, which increases the likelihood of you (or someone in your organization) accidentally clicking an illicit link. Contacting an IT provider who’s well-versed in these types of scams can also allow the false domain to be traced and possibly shut down.
3) Check email headers, subject lines, and body copy meticulously for small errors.
Again, you can’t do this with every single email — but any message that involves celebrity deaths, natural disasters, or anything financial, including the transfer of funds, should be reviewed for minor spelling errors, extra characters, or naming discrepancies.
4) Do not open any email or attachment from any sender you don’t recognize.
Last year’s CryptoLocker virus spread primarily through malicious PDFs, audio files, and other attachments that computer users unwittingly clicked on. If you don’t know the sender and aren’t expecting a file, don’t click on it!
5) Avoid using free, web-based email for business purposes.
Establish a company website domain and use secure email accounts for all communications. Strongly consider a proactive monitoring or comprehensive network security solution, which should conduct regular malware scans and daily updates, as well as deploy strong firewalls and anti-spam protections that can filter out scams like the one described above — and alert security experts to spoofed or hacked accounts.
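The sender-domain part of step 3, and the look-alike domains described earlier, can be checked automatically. The following Python is an added example, not part of the original article: the trusted-domain list, the character-substitution table, and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag sender domains that resemble, but do not match, a trusted one.
from email.utils import parseaddr

# Assumption: domains your organization really corresponds with (constructed values).
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

# Common visual substitutions, folded before comparison (small constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters onto one form."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' or 'unknown' for a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for good in sorted(TRUSTED_DOMAINS):
        # Either the folded forms collide, or only a couple of characters differ.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= max_distance:
            return f"lookalike:{good}"
    return "unknown"
```

A `lookalike:` result is a reason to hold the message for review, not proof of fraud; short trusted domains will produce more false positives at the same threshold.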
Social engineering schemes will never end — as long as there are computer users who click on illicit emails, hackers will keep trying. And even if social engineering disappeared tomorrow, something new would emerge to take its place. But awareness and vigilance can make the difference — along with a trusted IT partner deploying the right solutions to keep your business safe. Contact CMIT Solutions today to find out how we protect our clients, their employees, and their networks.