Social Engineering Email Scams to Look Out For

Do you ever get the feeling that someone is watching you? In today’s digital age, it can be hard to know who might be keeping tabs on you. Fortunately, cybercriminals aren’t half as clever as they think they are. They tend to make obvious mistakes, letting us know they’re not the sharpest knives in the drawer. In other words, if something seems too good to be true or too suspicious to be genuine—it probably is.

That being said, there are still specific types of scams and email messages that seem so out of place that we have to ask: What are these people thinking? Keep reading to learn more about some of the most common cybersecurity email scams.

What is Social Engineering?

Social engineering is an attack that relies on manipulating people and tricking them into giving away sensitive information. While social engineering is often associated with human interactions, it can also be used in digital contexts.

In many cases, social engineering attacks occur when a hacker uses an account with the same name and email address as someone who already has access to a system. This tactic is called “social engineering with the same username and password.”

Other times, hackers might use an unauthorized account to obtain privileged access to a system. With access now granted, the intruder then conducts the social engineering attack.

Email Phishing Scams

A phishing scam is a fraudulent email that directs a person to visit an incorrect website and enter sensitive information. Once the information is stolen and put into the wrong hands, it is called a “phishing scam.”

There are several ways that a phishing scam might go about fooling people. For example, a malicious email might appear from a trusted person, such as a friend, colleague, or relative. The email might even include a link that directs the person to visit a website they trust, like Amazon.

Baiting

A bait is malware that a cybercriminal uses to lure a person into downloading a malicious file. The bait is usually disguised as a legitimate message linked to the file. Bait files are often used to spread malware through compromised websites. When a visitor visits the website, the site’s code will download the malware and infect the visitor’s device.

Cybercriminals use a variety of ways to lure people into downloading malware. For example, a malicious website’s code might trick you into thinking you must download a file to visit the website. You might also come across a link that looks like it comes from a friend or family member. Such links might appear in social media messages or emails.

Scareware

Scareware is malware that tricks you into believing a legitimate problem exists on your computer. After you pay to get rid of the supposed problem, the malware author demands payment again.

Scareware is often disguised as an alert that claims your computer is infected with a dangerous virus. What you are lured into paying is usually the “scare amount,” which is generally a few hundred dollars or more.

Another way scareware is used is to trick you into downloading malware, which then proceeds to charge your credit card or other financial accounts. Some of the most common scareware themes include medical problems, threats to children, and pornography.

Pretexting

Pretexting is a type of social engineering involving tricking someone into revealing sensitive information by impersonating someone in authority. For example, an attacker might pose as a technician and trick you into giving away your password.

A pretexting attack might also involve impersonating a friend, colleague, or family member. The attacker might call you and claim that they have missed you or that an emergency requires your attention. You might also be tricked into revealing sensitive information by an impostor pretending to be from a government agency, bank, or other financial institution.

Business Email Compromise (BEC)

A Business Email Compromise (BEC) is a type of social engineering attack that uses the credentials of an employee who works at a company to gain access to the system. Cybercriminals often use phishing emails to trick employees into clicking malicious links that give hackers access to their systems.

Another way BEC works is through “spearphishing,” — where an attacker sends a fake email that uses the email address of a legitimate employee. The fake email might use that employee’s and company names to fool the person into thinking it comes from a colleague. The fake email might also include a link that directs the employee to enter their credentials into a website.

Bottom line

Social engineering attacks are pretty sophisticated and involve various tricks to fool people. Besides, it is possible to steal sensitive information with little to no effort if you use a phishing email address or get tricked by a malicious website. The best way to protect yourself from social engineering attacks is to practice safe online behavior and resist manipulation.

Protected Harbor provides complete cybersecurity, including email filtering, secure network endpoints, employee training, and data recovery. The company’s mission is to protect the most sensitive digital assets from third-party theft, loss, or compromise.

We offer comprehensive protective solutions for both on-premises and cloud environments. We have a 24/7 service team with experienced technical experts who can expediently respond to critical incidents.

In addition to security monitoring and threat detection, Protected Harbor offers a full range of managed cybersecurity services, including antivirus protection, encryption, data backup, endpoint security, network security, and remote access.

Contact us today to get a free cybersecurity assessment and ransomware protection.

Top 5 Email Scams You Need to Look Out for This Month

Companies, especially in today’s modern world where hackers and scammers are on the rise, have been making increased efforts to train their employees in recognizing scams the moment they hit their inboxes. However, people still continue to fall for them.

The effects of data breaches are becoming more severe than ever. More than 15 million phishing emails were sent in 2021, and fixing them would have cost a business an average of $1.85 million.

So, why are people continuing to fall for these scams? Often for the same reasons they always have, such as carelessness, gullibility, curiosity, courtesy, and apathy.

Email is one of the most common ways for scammers to reach their potential victims and they are targeting all businesses, regardless of size. Hackers are becoming more sophisticated, making it increasingly difficult for companies to spot a scam before it’s too late. The best way to protect your company from scammers is by arming yourself with not only security but more importantly, knowledge.

Below we will discuss the top 5 scams you need to look out for this month.

1. The PayPal Invoice Scam

Traditionally, scammers will send an email asking you to transfer money to a third party. However, these scammers are now impersonating PayPal and asking you to send money to them. Scammers create an online PayPal account in the name of well-known companies, such as Risenest Technology, Target, or GoDaddy, to name a few. They next send a customized invoice via PayPal using that account. At that instance, PayPal alerts you that an invoice has been received.

The fact that the invoice notification is REAL makes it challenging. You may view and pay the scammers’ invoices on your PayPal app. The con artists want more, not just money. They can alter the invoice’s message to fraudulently indicate that you will be charged a subscription fee for their “service.” Then they tell you that you should phone a certain number if you have any questions.

The person who answers the phone if you call them will ask you to download “remote control” software to your phone. Avoid doing this! Scammers will access your device and take additional stored credentials along with your PayPal log-in information. With these, scammers can carry out other crimes like identity theft.

If you ever receive this email, call PayPal immediately to confirm whether the email in question is legitimate. Remember that an invoice’s source may be shady even if the email appears genuine. If they did NOT send this email, report it to the company as a scam so others can be warned. Check if a web address is safe, and never respond to any invoices or requests for money that you do not recognize.

2. The Official Looking Email Scam

An email that appears to be from a government official, bank, or other company you may do business with is one of the most common email schemes. The scammers will try to make the email appear legitimate by using a similar email address to the one used by the actual organization. They may also use official-looking letterhead, logos, and other branding details to make the email seem real. If you get an official-looking email, inspect the email address carefully against any other email communications you’ve had previously with that company. If something seems a little off, do NOT open the email—scammers often use malicious links or attachments to steal your sensitive information.

If you are ever in doubt, call the company’s customer service department immediately to confirm the email’s legitimacy.

3. The Aging Accounts Scam

A company’s financial department uses aging reports, also known as accounts receivable schedules, to track clients who haven’t yet made payments on items or services they purchased on credit.

It was discovered during some recent engagements that BEC fraudsters were attempting to obtain a copy of an aging report by using the identity of the criminals’ preferred persona: the company CEO. These scammers sent a straightforward request for the document using free and temporary email addresses and display name deception.

Unlike previous BEC scams, this one did not demand that the victim transfer money to a vendor bank account or buy gift cards for performing staff. Instead, they requested that the target provide them a copy of the accounts receivable (or “A/R”) department’s aging report.

The scammers’ next targets would be the clients of our fictitious organization once they had this information—customer names, outstanding amounts, and contact details. They can use this information to make an email account alias that appears legitimate, pose as a member of our finance team, and ask them to pay the unpaid debt listed on the aging report.

The scammers will probably provide incentives to pay off their “debts” more quickly, such as lowering their total debt if they immediately pay off their unpaid balance. The only thing left for the actor to do at that point is to inform the payee that the banking information has recently changed and to provide them with the most recent account information for a bank account that the hackers control.

We advise using a multilayered strategy to prevent your employees, companies, and clients from falling prey to this attack. Strong email protections against advanced email attacks are a crucial foundation layer to neutralize the threat because, logically, none of this can happen if the original CEO identity deception misses the mailbox of the intended target.

4. The “Problem with Your Delivery” Scam

These scams can be spread in various ways; some demand delivery payment, while others ask for your email address to track a parcel. The hackers frequently utilize fictitious tracking numbers, delivery dates, and times.

You will often receive these emails from companies like UPS, FedEx, or the U.S. Postal Service, but they actually aren’t from these companies at all.

Sometimes, if you were to send a package, these scammers may even claim that there was a problem with your delivery and that the recipient could not be reached. They will then ask you to resend the package using a prepaid label they provide.

The way this works is quite ingenious. They expect for you to fall for their scam and send the package back out using their label as instructed. After a few days, you will receive the package you sent out with their label—and the scammer will have your money.

To avoid this scam, don’t fall for the pressure to act quickly. Instead, contact the real company to confirm whether there was a problem with your delivery.

5. The DocuSign Scam

Attackers are sending phishing links and documents through the electronic agreement management company Attackers are sending phishing links and documents through the electronic agreement management company DocuSign.

A hostile actor first creates a free DocuSign account or compromises another user’s account. Afterward, they add a file to the account. The attacker then mails their target a DocuSign envelope. DocuSign then sends the recipient an email invitation. It asks customers to click on a hyperlinked “View Document” button to review and sign an electronic document.

Since the email is technically sound, it avoids detection. The phishing link is hosted on DocuSign’s servers, making it possible to reach a recipient’s inbox.

The signature procedure is the same as it would be for a genuine file. The receiver is redirected after clicking the link, which is the only difference. They arrive at a phishing website meant to steal their Microsoft, Dropbox, and other account information.

This method works because DocuSign files, including PDFs, Word documents, and other file kinds, continue to be clickable up to the final page. (To prevent attacks, DocuSign turns other uploaded document file formats into static PDFs.) When offered the option to download the file, a signer can access the link and embedded files, even if those resources are dangerous.

Users can defend themselves from phishing scams that pose as DocuSign by refraining from opening suspicious email attachments. Additionally, consider hovering over embedded links to see where those URLs lead. Use the DocuSign website to access documents directly. These factors can be incorporated into an organization’s security awareness training programs.

Conclusion

Scams are becoming more sophisticated and difficult to spot, especially in the ever-changing world of technology. If something seems suspicious, don’t react impulsively. If you receive an email that seems off, do not click on any links or open any attachments.

Instead, report it to your IT department to investigate further and then delete the email.

Protected Harbor email security solution can protect users against malicious emails, zero-day attacks, and phishing scams. The best part about this email security solution is that it comes with a spam filter that has the ability to block more than 99.9% of spam emails. Thanks to its AI-based phishing keyword detection, it can identify phishing emails and block them before they reach the user.

Contact us today and get complete protection against email threats with zero trust security, MFA, and end-to-end email encryption.

Keep your email and company data safe from hackers.