When a major data breach grabs the headlines, many are quick to blame technology. But human error and online scams are almost always to blame for cybersecurity incidents.
In July 2019, scammers impersonating representatives of a construction firm based in Roanoke managed to steal $2.5 million. The scammers set up a fake account and duped Cabarrus County officials into channeling the money into the account, thinking they were paying an invoice for the construction of West Cabarrus High School. To make matters worse, the victims only found out about it a month later when they received a missing payment reminder.
Unfortunately, these incidents are far too common. Like most cyberattacks, everything started with a simple phishing email sent by a scammer impersonating someone else. Rather than trying to exploit vulnerabilities in technology, they relied on building trust by masquerading as someone else. These scammers shouldn’t be confused with hackers, because they’re often not even technologically competent — manipulation is their main weapon.
Building trust through knowledge
Most phishing scams can be found in the spam folder. These are normally scams carried out en masse targeting thousands or even hundreds of thousands of individuals in the hope that someone will take the bait. Such scams are immediately recognizable to most people, and today’s spam filters generally make sure they never see the light of day.
It’s the targeted social engineering scams that business leaders really need to worry about. The Roanoke attack was successful simply because the hackers were impersonating a local company and targeting a local organization that had a contract with the company. The email didn’t look particularly suspicious; hence, it caught the victims off guard, as they were expecting to make a routine payment already.
These targeted phishing scams, also known as spear phishing attacks, rely on building trust with the victim so they’re more likely to click on a link or download malware. These scams normally appear to come from someone the victim knows, such as a colleague or business partner. In such cases, the scammer will demonstrate personal knowledge about the victim. This particular breed of criminal relies a lot on things like social media profiles and other publicly available knowledge to build an intimate profile of their target before launching an attack.
What can you do to protect yourself?
Because phishing scams are a human problem rather than a technological one, you can’t rely on technical measures alone to prevent and mitigate them. There are solutions that can greatly reduce your organization’s susceptibility to phishing, such as email filtering and intrusion prevention systems. Multifactor authentication is also important because it adds an additional verification layer, such as a fingerprint scan, which attackers generally can’t exploit.
Unfortunately, not even these solutions would have been able to protect Cabarrus County officials. Hackers duped the victims into sending money to a fraudulent bank account before taking out the money and disappearing with it. The only way to protect against such scams is to make sure you and your employees are fully prepared.
Email addresses can easily be spoofed, and any outgoing payments and account details should be verified with the recipient before any further action is taken. Staff should also be trained to be cautious of every link, attachment, and website they see online. Simulated phishing scams are a great way to test your staff’s cybersecurity awareness and prepare them for real-world attacks. Security training should also be conducted regularly to keep your company alert at all times.
Tech Squared provides cybersecurity solutions and support to organizations in Roanoke looking to secure their digital assets and drive business growth. Call us today to fend off online scammers and cybercriminals.
