The standard-issue phishing attack relies on sheer numbers as the key to its success; by sending tens of millions of emails, the chances of hooking a few thousand victims are pretty good, regardless of how sophisticated the message itself is.
But there is another type of phishing attack, known as spear phishing, which exchanges quantity for quality, by using insider information to target businesses. Spear phishing attacks are smaller in scale but arguably more effective than their poorly-spelled, randomly-selected cousins.
In a spear phishing attack, you might get a message at your job that appears to come from someone you work with, often a member of management or from another department. This message may request information about financial accounts, login and password information, ask you to open a file or link, or ask that you authorize a wire transfer from your employer’s account. If you comply with these directions, you will make your company vulnerable to financial or data loss.
Most established businesses have a website that reveals the names of management, the board of directors, and people from various departments, which gives would-be cybercriminals the information they need to impersonate an insider.
Communication is the key to preventing spear phishing attacks. Think about any request received via email – is this how the head of the IT department or the CEO really talks? Why are they sending you a file out of the blue? Is it your job to initiate wire transfers? The best defense is to simply confirm with the apparent sender whether the message is legitimate, using a phone number or channel you already have for that person rather than replying to the message itself, since a reply goes straight back to whoever sent it. Spear phishing attacks use some of the same techniques as regular phishing emails, such as disguised links (the visible text shows one address while the link actually points somewhere else) or infected file attachments. It pays to double-check before you take any action.
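As an added example (not code from the original post), here is a small Python script that applies three of the checks above to a raw email message: does the display name match an executive while the address is on a different domain, does Reply-To send responses somewhere other than the From domain, and do any links show one address in their text while pointing at another. The company domain, the executive list and the sample message are all constructed for illustration.

```python
"""Added example, not from the original post: spear-phishing red-flag checks
run over a constructed message. The directory, domain and message are made up."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the organisation's real mail domain and a few names an attacker
# could lift from the company's "About us" page.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "bob smith"}  # lowercase display names

# Constructed sample message: the display name says it is the CEO, but the
# address, the Reply-To and the link all point somewhere else.
RAW_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp-payments.com>
Reply-To: accounts@webmail-example.net
To: staff@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please approve the transfer today via
<a href="https://login.example-corp-payments.com/x">https://portal.example-corp.com</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    """Lowercased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Lowercased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def check_message(raw):
    """Return a list of human-readable red flags found in a raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Executive's name on the envelope, but the address is not on our domain.
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    if name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append(f"display name '{name}' is an executive but address is @{from_domain}")

    # 2. Replies are steered to a different domain than the one shown in From.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"Reply-To goes to @{domain_of(reply_addr)}, not @{from_domain}")

    # 3. Disguised links: visible text names one host, href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown = host_of(text) if "://" in text else ""
            if shown and shown != host_of(href):
                flags.append(f"link shows {shown} but points to {host_of(href)}")
    return flags


if __name__ == "__main__":
    for flag in check_message(RAW_MESSAGE):
        print("RED FLAG:", flag)
```

Run against the constructed message it reports all three flags. None of these checks proves a message is malicious (executives do send mail from personal accounts, and marketing mail routinely uses tracking links), so the script's output is a prompt to pick up the phone and verify, not a verdict.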
I thought I was onto some clever application of the “duck test” for the title of this post, about how “if it looks like a scam and quacks like a scam,” but I really couldn’t make it sound anything other than monstrously insane, so I dropped it and went with the title you see above.
Anyway, the old repayment scam has been explained a thousand times here, there and everywhere. You’re selling something on Craigslist (for example), and a buyer contacts you, usually from out of state. They send their payment, but instead of $200, it’s a cashier’s check for $3,200. “Cash it and use the extra for shipping, then wire the rest back to me,” they say when you contact them.
What happens next is fairly predictable: you cash the check, send the item, wire the excess money (thousands of dollars) to someone, then find out a week later that it was a counterfeit check and that you’re on the hook for the loss caused to your financial institution.
But did you know that scammers also target businesses with the same tactic?
And if you’re a business owner, you might fall for it because what might strike you as suspicious during a private sale might seem less so in a business context. I’ve heard of several cases where retail businesses, attorneys and rental property owners have been victimized by this scam.
However, the principle applies in every context, whether in a person-to-person or a business transaction: if someone sends you a cashier’s check and tells you to cash it and wire money back to them, you’re almost always dealing with a con artist.
If it hasn’t already happened to you, it will: you’re going to lock your keys in the car, lock yourself out of the house or find out that a lock rusted shut over the winter.
You’re going to need a locksmith.
It happens to everyone, and yet it’s a need now complicated by con artists; it seems locksmith scams are on the rise.
Typically, victims start by searching online for a locksmith. They call a random listing and get a reasonable-sounding estimate over the phone. When the “locksmith” actually shows up, however, they start adding charges until the price is completely out of line. Since most people in need of a locksmith are in a tight spot, they often end up paying. Sometimes, as a bonus, the phony locksmith will damage your property.
How do you avoid this scam? Choose a locksmith now, before you need one. Either get one you’ve used before and already know to be trustworthy, or check out the Better Business Bureau and online reviews. Make sure you’re dealing with an actual local business instead of having your call routed to a national number, and refuse to use any locksmith that only accepts cash payment.
Once you’ve got your locksmith, save the number in your mobile phone and keep it handy at home.
When you’re away from home, it’s a little trickier to choose one on the fly, but you can still watch out for warning signs like rapidly-escalating costs and cash-only operations.
This item from Arizona sort of blew my mind. I’d never even thought of a setup like this before, and I read about fraud every day.
It’s a scam that targets chain businesses like fast food restaurants and convenience stores. It starts with a phone call to the store late in the evening from someone who claims to be from upper management in the company.
The victim store is told that there was an incident earlier in the day; for example, a customer was injured or suffered food poisoning. To avoid a lawsuit, they are instructed to give a bag of money (and sometimes, cases of food) to a taxi driver waiting outside.
Of course, the caller is just a thief, and the driver usually isn’t even in on the scam; he just had instructions to make a delivery.
First, if you’re an employee at a chain business, know this: legal matters are not settled with bags of money handed to taxi drivers. If someone suffers food poisoning or is injured at a store or restaurant, there is an official, documented process by which such things are handled.
Second, if you’re an employee, also know this: if someone who claims to represent upper management calls, you need to verify who they are, for example by hanging up and calling back on a corporate number you already have, not one the caller gives you. Never give out personal information or store information to someone just because they claim to be an executive in the company. Anyone can claim to be anyone on the phone.
Finally, if you’re one of those executives, and you called one of your stores requesting information that might be considered sensitive, ask yourself this: how would you react to an employee who refused to give out information without a way to verify your identity? Would you become angry? Would you fire them on the spot? Or would you see that this is exactly the kind of person you want working for you?
Just something to consider.