Recognizing email threats and social engineering
Hackers take advantage of our trust and natural willingness to be helpful by employing social engineering techniques to break our usual cybersecurity practices. Fraudsters can trick you into performing actions or divulging confidential information via email, phone calls, social media and other interactions, which could lead to a compromise of your data or assets.
In the past five years, the sophistication of tactics used to commit fraud has significantly evolved. Historically, fraudsters have hacked into email accounts and attempted to guess online banking passwords. Recently, attempts have included actions such as porting victims’ mobile phone numbers to cellular devices the fraudsters control, and gaining entry into computers via remote access scams, which exposes all of a victim’s confidential data, not just banking details. In 2022, cyber criminals are now focusing on cryptocurrency transactions, as recovery of crypto assets is incredibly difficult once funds are sent via that platform.
Recognize the types of social engineering email threats
- Email phishing: Fraudsters attempt to trick individuals into replying to or clicking a link in an email that may appear to be legitimate. Phishing emails can contain malicious software (malware) or attempts to convince the recipient to divulge sensitive information such as confidential data or account credentials. Spear phishing, a more targeted form of phishing, can use information collected online or via social media to make the email, and request within it, appear more credible.
- Email spoofing: Fraudsters mimic or spoof an email to convince targets that the email they are receiving is from a known and trusted source. This can be done by modifying the header in a malicious email to pose as a trusted sender — for example, @deancoLLC.com can appear similar to a known vendor @cleancoLLC.com. Similarly, a fraudster can copy a logo from a known company to trick their target into thinking it’s a credible email.
- Email account compromise: Fraudsters use a victim’s legitimate username and password to gain access to his account to send, receive and view their target’s email. Through an email account compromise, they are looking to capture information such as details on upcoming financial transactions or to manipulate a wire transfer into their account.
- Voice phishing: Fraudsters spoof or mask the caller ID to make the call appear it is coming from a known or legitimate contact to make the call appear authentic. Through vishing they will voice phish individuals into providing their personal or financial information.
- Text phishing: Fraudsters spoof or mask the phone number of the sender to make the message appear it is coming from a known or legitimate contact to make the call appear authentic. Through SMiShing they will phish individuals using SMS text messages to trick individuals to click on a link or call the phone number provide and disclose personal or financial information.
What you can do
- Recognize phishing email warning signs, such as poor grammar and spelling, urgent language, hyperlinks or attachments, fake logos, a vague email address and no or vague contact information.
- Do not assume a request is genuine just because the requester knows information about you or your company.
- Do not call unknown numbers. Always use the telephone numbers that appear on your statement or on the company’s website.
- Confirm the identity of the requester via an alternate, verified method, and check the email address: scammers often use spoofed email addresses to send what seem to be legitimate requests.
- Be cautious of clicking on any links or attachments sent to you in emails or text messages.
- Limit the information you post on social media. Every account is a venue for a hacker to gain intelligence on you.
- Create strong and complex passwords, change them frequently and never share them. Leverage multi-factor authentication for additional security.
- Update operating systems and anti-virus software on computers and mobile devices to the latest versions, as soon as they become available.
- Encrypt sensitive information such as account numbers, tax information or other personal information before emailing it.
- Educate your employees about threats in the fraud landscape and how they can mitigate risk. Consider implementing a fraud awareness education program.
- Implement a social media policy for employees to ensure critical information about staff with privileged responsibilities and their roles is not available to the public.
- Employ additional spam reduction solutions or filters, if needed, to help reduce the risk of malicious emails reaching employees’ inboxes.
- Implement the email authentication protocols Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-based Message Authentications, Reporting and Conformance (DMARC) to greatly enhance the authenticity of the emails your organization sends and receives.
- Use a proxy internet filtering service to help block employees from visiting potentially malicious web pages and links found in spam email.
If you believe you have been targeted by a fraud scheme or your login credentials have been compromised, contact J.P. Morgan immediately. For more information on how to protect you, your family or business, please contact your J.P Morgan team member.
This article is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this article is intended to help clients protect themselves from cyber fraud. It does not provide a comprehensive listing of all types of cyber fraud activities and it does not identify all types of cybersecurity best practices. You, your company or organization is responsible for determining how to best protect itself against cyber fraud activities and for selecting the cybersecurity best practices that are most appropriate to your needs. Any reproduction, retransmission, dissemination or other unauthorized use of this article or the information contained herein by any person or entity is strictly prohibited.