Contact Us

How to Avoid Getting Scammed by Fake Emails, Txts & Phone Calls

Go Back

Social engineering is a form of psychological manipulation and is what cyber criminals use to scam us over email, txt message and phone calls. It is where someone with criminal intentions attempts to influence someone else to accomplish goals that aren’t in their best interest.

Why does social engineering exist?

Easy. It is considerably easier to exploit somebody’s good nature than it is to find and then successfully exploit technical vulnerabilities in software or hardware. Hollywood films have built this stereotype of hackers to be hooded figures sitting in dingy bedrooms typing code to hack into our accounts from hundreds of miles away. This can be the case but often, attackers are well spoken individuals highly skilled in the ability to build rapport with strangers. They portray a trustable persona and use an element of urgency in the interaction to secretly coerce us into not thinking too much.

Social engineering is actually the cornerstone of hacking because it is used to;

  • Convince us to open a malicious attachment or link in an email
  • Gather login credentials (usernames and passwords) or financial information (bank card information)
  • Perform surveillance on you (understand how you work, how your computers are configured and how your home WiFi network operates)
  • Use publicly available information (the stuff we have on social media profiles) to either build rapport with us and convince us they are authentic, or answer security questions and get access to our accounts by pretending to be us
  • Gain physical access to our devices (e.g. mobile phone, laptop or even someone’s house)

Before we understand how to protect ourselves from social engineering attacks, we must first understand the methods they employ. It is typically performed in three different ways; Phishing (via email), Vishing (over the phone) and Smishing (via text message).

The 3 Attack Methods

1. Phishing

‘Phishing’ is social engineering performed over email. Phishing has come a long way from the basic emails we all used to get from the Nigerian president who had woefully bad grammar! Today, attacks exploit world events (e.g. national disasters like Tsunami’s and terrorist attacks) to make them more convincing. They are branded almost exactly the same as the genuine messages and they’re able to ‘spoof’ email addresses to make it look like they are coming from someone you know. For example, the actual email address might be xvd34@russianhacks.com but when it arrives in your inbox, the “From” box shows it looks like it’s come from Jess, your after-work knitting class buddy you recently added on Facebook.

Some people advise that we should use a dedicated ‘phishing filter’ on our email but this is, in my opinion not necessary as our email provider (e.g. Hotmail) already have multiple mechanism in place to prevent spam. It’s also easier to learn how to recognise it so none are effective than it is having a specific filter. Did you know around 97% of people around the world are unable to identify a sophisticated phishing email ? With a little help, you will soon be part of the elite 3%!

Phishing isn’t just strictly limited to emails. Social media sites often have messaging functionalities too. Things called ‘spam bots’ are created by hackers to contact you on these social media messaging services to try and convince you to either click on fake advertisements or disclose your personal information. A research report published two years ago by a group of Italian researchers found a whopping 8% of all Instagram accounts were fake spam bot accounts!

There are a couple of things we can do to easily identify a phishing email. The best two methods involve using your mouse (cursor) to investigate the senders email address and the inevitable attachment or link that’ll be contained in the email;

  • Is there an attachment or link? Any attachment or link that often has a generic name, e.g. “Invoice February 2017” should ring alarm bells. Never click on the attachments or links as these are designed to deliver malicious software to your device! Instead, for links take your mouse and hover over the link or button (without clicking on it!) and it’ll display the real destination of the website it’s taking you to. If it isn’t official looking (amazon.co.uk) like shopping9-amazon.co.uk then steer clear! If you’re still unsure about the link, go to urlvoid.com which will check if its malicious or not! For attachments, right click on it and use your anti-virus software to scan it for viruses.
  • Who is the sender? Similar to investigating suspicious links using your mouse, we can do the same with the sender’s email address. When we hover our cursor over it, it’ll reveal the actual email address (which may be different to the one being displayed to us). If it does then delete it straight away!

If it passes the two steps above but you’re still unsure, you can do the following;

  • Does it ask for information? Banks and large organisations already have our personal details from when we first opened our account with them. If they need updating, they never do this via email. So, an email asking you for personal or financial information is most likely phishing.
  • Study the branding. Compare the fonts and colours used in the branding of the email versus the actual branding on the official website. i.e. if the email is meant to be from HSBC, then manually navigate to their official website (do not use the link in the email!) and compare the colours and fonts.
  • I’ve seen some really impractical advice state that we shouldn’t open any links in e-mails, even if you think the sender is familiar. This completely disregards the fact that links in email are critical for things like online shopping receipts and can be very useful to send one another! Just follow the steps above to check the links before clicking on them.

Remember, that your kids can be the weak link in the family. It’s no good us parents being great at spotting phishing emails if our kids are clicking on malicious links and have their devices riddled with malware. Malware by it’s very nature, is highly adept on getting itself onto other devices once it has compromise one so beware!

Top Tip: What parents can do is make spotting phishing emails fun! Either make your own emails to send them (create a free Hotmail or gmail address) and send them some dodgy looking stuff. If they reply or click on the link then you know they’ve failed! You can test your families newly acquired phishing spotting skills here! Loser does the dishes!

2. Vishing

‘Vishing’ is social engineering performed over the phone (“voice-phishing”). Attackers will adopt a fake persona (e.g. bank clerk, lawyer, policeman, hotel receptionist) on the phone to convince you they are someone they are not. This lulls us into a false sense of security and they coerce us into providing information over the phone.

Case Study: Emma Watson

In June 2016, Emma Watson a British businesswoman was building her new venture, a children's nursery. One day, she got a phone call from her bank's fraud team. They informed her that they had stopped some unusual transactions on her account, but because the account had clearly been compromised, she had to transfer her money into some reserve accounts they had set up in her name. However, this was not her bank’s fraud team at all and Emma lost £100,000 to the fraudsters by transferring her money straight into their account. Barely any of the stolen funds have been traced or recovered.

After Emma’s disheartening story, here is one to put a smile on your face...:)

Case Study: Burger King

In April 2016, the Burger King restaurant in Minnesota (USA) received a phone call. The caller purported to be from the Fire Department and claimed that the restaurant was over-pressurised and could explode at any moment. The caller instructed all the employees to break all the windows to “relieve the pressure”. Amazingly, the phoney caller convinced them and they proceeded to smash up their own restaurant! A funny example, but testament to how persuasive a skilled social engineer can be in building rapport and influencing people over the phone.

3. Smishing

‘Smishing’ is social engineering performed over text message (“SMS-phishing”) on your mobile phone. Fortunately for us, the cyber crims follow all the same attack principles as vishing and phishing so much of the advice on how to spot them is the same. In smishing attacks, text messages will appear to be from a reliable and trustworthy source but will undoubtedly ask you to visit a malicious (but seemingly legit link) or reply with certain personal details.

Case Study: 3 Santander Customers 

In March 2017, three Santander customers had £15,000, £12,000 and £9,200 stolen in a smishing scam. The bank refused to reimburse their money as the customers were convinced to give the fraudsters their login credentials. In this scam, the fraudsters spoofed the messages to appear under existing conversation threads the victims already had from their genuine bank on their iPhones so that they wouldn’t suspect anything. The text messages provided a phone number to call and when they called the ‘bank’ back, were convinced to provide access to their online banking accounts and generate their security code. Money was then stolen directly from their accounts.

More and more companies are using text message as a means of communicating with their customers, but for those who do they will be exclusively for notification purposes only and will never request information over text.

Recognise a social engineering attack

Whether it is phishing, vishing or smishing there are a number of common themes to these kinds of attack;

  • Demonstration of Publicly Available Information: fraudsters will use information gleamed off publicly accessible social media websites (e.g. Facebook, Instagram, LinkedIn, etc.) to give you a false sense of security. They will drop in your name, home address, telephone numbers, even some bank details, to masquerade as a genuine member of a legitimate organisation. As such, we should try and resist the Temptation to Over-share on Social Media as information that is never shared publicly cannot be used against us.
  • Urgency: due to the psychology involved, often an element of urgency is injected. For example, your bank account is currently insecure and needs action to secure it, there is a price offer that expires in a set amount of time, etc. This coerces us into taking action before we have had the opportunity to fully think things through.
  • Phone Spoofing: do not think that because a call comes up on your phone as “Barclays Bank” or “HSBC Fraud Team”, that it actually is! Criminals have ways of ‘spoofing’ the number they’re calling from to make it look authentic.
  • Background Noise: if there is literally no background noise, or you can hear noises that wouldn’t normally be coming from an office environment (e.g. baby crying) then be aware! Some criminals are wise to this and will often play fabricated sound effects (sometimes simply from a hi-fi system) that emulates the sounds from a typical call centre.
  • Automated Does Not Mean Legitimate: fraudsters have started employing the use of automated calling systems (known as an IVR – Interactive Voice Recorders) to emulate the types of systems used by large companies. These are those annoyingly slow voice menus they triage your call through to ‘put you through to the right person’. Don’t be fooled by these - just because there is an automated system asking for your details, this does not make it legitimate!

Top Tip: for those pesky security questions you have to set, never use the real answers! For example, Question: What’s your mother’s maiden name? Answer: Cake! This way people cannot use social engineering or your social media accounts to find out the answers.

I hope you feel much more comfortable now, confident in the knowledge you’d be able to identify the mains types of social engineering attack! If you’re interested to find out more, come to my online community at simplecyberlife.com. We’d love to have you there!

Hacked Social Media Recovery Handbook!

Pop your email into the form below and we'll send you the link to your free handbook!

We hate spam and won't send you mindless marketing emails. We share some internet safety tips. You of course can unsubscribe at any time.

Free Protection Checklist!

Pop your email into the form below and we'll send you the link to your internet safety protection checklists!

We hate spam and won't send you mindless marketing emails. We share internet safety tips. You of course can unsubscribe at any time.

Free Cyber Bullying Handbook!

Pop your email into the form below and we'll send you the link to your free handbook!

We hate spam and won't send you mindless marketing emails. We share some internet safety tips occasionally. You of course can unsubscribe at any time.

Free I've Been Hacked Handbook!

Pop your email into the form below and we'll send you the link to your free handbook!

We hate spam and won't send you mindless marketing emails. We share internet safety tips. You of course can unsubscribe at any time.