Phone-based social engineering threats are common.

This is Part III of a three-part series on the cybersecurity risks presented by social engineering.

Part I: Social Engineering – Email and Phishing

Part II: Social Engineering – In-Person

In this era of social distancing, we’ve become more reliant than ever on technology to communicate. In this environment, social engineering techniques are creating heightened risks from a cybersecurity perspective. Social engineering is broadly defined as the use of deception or manipulation to lure others into divulging personal or confidential information. Cybercriminals use social engineering to harvest access login credentials, financial information or other personal data that can then be used for profit, ransom, or as a wedge to open even further security holes.

In part three we discuss phone-based social engineering threats. Voice calls or text messages can be used as tools to trick or coerce people into creating a cybersecurity breach. It is a trivial matter for hackers to spoof phone numbers to make it look like a phone call or text is coming from a trusted source, when it is really coming from a criminal.

These calls are most effective when the call is picked up, but many leave a voicemail message asking people to call back the scammer’s number or visit a fake or compromised website. In most cases, an emotional appeal is made in an effort to get the target to drop their defenses and react spontaneously.

Examples of voice-based attacks:

* Particularly now at tax time, calls purporting to come from local revenue agencies are rampant. The callers use both the carrot and the stick in an effort to collect information from unsuspecting victims. A fake call can advise of a hefty tax refund to come, as long as the person can confirm their name, date of birth, and bank account number. Alternatively, the scammer can threaten an audit or interest charges: the victim is then bullied into providing personal information, or is directed by the caller to visit a phony website to enter credentials.

* Finance institution calls are very popular, and also use both ends of the emotional spectrum to try to steal confidential information. Phony credit services calls can present reduced interest rates or other enticements to get a person to talk through an application process on the phone. Calls purporting to come from banks or credit card companies can report overdrafts or unauthorized activity on bank cards. Concerned, the target then provides a birthdate, card number, expiry date, and/or CVV code (that three- or four-digit numbers on the back of your card) to the caller to try to clear up the problem.

* Prize-winner scams: calls from scammers can advise of cash prizes, trips, or other big-ticket winnings – the recipient again just needs to provide some “confirming” identification details before the prize can be awarded. These details are then pivoted out to use to breach security elsewhere.Sadly, given the pandemic, reports of callers pretending to be “house disinfectors” or “COVID-19 inspectors” are making the rounds. These calls also seek to harvest personal or financial information, or even confirm if a house or facility is going to be empty for so-called “disinfection”… so it can be robbed.

* Other scams capitalizing on today’s difficult situation involve phony investment schemes (looking to score on undervalued stocks and securities) or with fake charity appeals (looking for funds for hospitals, food banks, or equipment drives).

How to protect yourself:

* While it is routine for companies to ask personal questions to verify your identity when you call them, it is not accepted to practice for them to call you and start demanding personal, financial, or other sensitive information.

* Remember that the caller ID numbers are easily spoofed. Even if it looks like a call is coming from a trusted source, it may not be. If you have you have any concerns, and it is a cause that you are interested in supporting, offer to call back (at a phone number that you source yourself) or visit their website independent of information provided over the phone.

* Avoid answering calls from unfamiliar numbers. Responding to a voicemail message allows you extra time to stay calm, replay the message, and do your own background checking without being bullied into providing information or reacting quickly.

Hackers don’t only use voice to launch attacks on your phones. Fake texts are popular and easy for scammers to create and send. Readily available services on the Internet and Dark Web give scammers the tools they need to trigger text messages with phony alerts and weblinks in an effort to scare the recipients into action. Some common current examples:

* Riding on the rapidly changing news about the pandemic, phony texts from government agencies or law enforcement are coming out with frightening messages and a fake link to click on. When the recipient clicks on the link, they run the risk of compromising their phone, or being taken to a website that will attempt to harvest personal or financial information.

• * As with voice calls, threatening texts pretending to come from the CRA and IRS are being sent to coincide with tax filing time.
•  
• * With higher use of data and streaming services in recent times, phony warnings from telecom providers or entertainment companies are becoming more common, bearing warnings about data overages, account freezes, etc. The services are lifelines to the outside world these days, so any threat to them heightens fear in the recipient who may act before thinking.
•  

* On the wave of recent emergency alert bulletins issued at the provincial and federal level, fake texts have been sent containing links to sites hoping to gather personal information like name, email, and birthdate. Some even advise of mandatory COVID-19 testing by area, encouraging recipients to register by entering personal details.

• * In the U.S., where the 2020 census is underway, fake texts seeking registration information have also spiked recently.
•  

How to protect yourself:

• * As with fake emails, locate contact information from outside the text message (e.g., from a separate web link or a known contact centre phone number) and reach out independently to validate the message.
•  
• * Avoid clicking any links in text messages.
•  
• * If the texts (or calls) persist from an unknown number, consider blocking the number on your phone: this will prevent inbound contact from the number by voice or text.

The bottom line: maintain a healthy skepticism and don’t panic or over-react when receiving unexpected calls or texts. These are stressful times for everyone; don’t let theses scam trip you up.