In today's dynamic cybersecurity landscape, social engineering scams remain a cunning and pervasive threat. Hackers exploit human vulnerabilities – our emotions, trust, and desire to be helpful – to bypass even the most robust data defenses. These scams target the weakest link: us.
As lawyers, we focus on protecting businesses from such social engineering attacks. No amount of technical safeguards can fully prevent these scams, making proactive identification and awareness crucial.
This blog will explore the evolving tactics of social engineers, delve into a report by Proofpoint, and provide actionable insights on how lawyers can help businesses identify and avoid these sophisticated scams. We'll shift the focus from individual vulnerability to the critical role lawyers play in safeguarding businesses from financial losses, reputational damage, and operational disruptions caused by social engineering attacks.
What is Proofpoint? Proofpoint provides email and cloud security, and assists in data loss prevention. Proofpoint analyzes 300 billion pieces of email and attachments per day. According to its website, its global data index was built on 1.5 trillion emails, 10 billion files, and 30 billion events.
The Tug-of-War in Cybersecurity:
In the fast-paced world of cyber threats, attackers continually evolve their tactics. For instance, attackers are now using phish kits to bypass multi-factor authentication, making their attacks more sophisticated and harder to pin down.
The Human Factor in Cyber Attacks:
A report by Proofpoint highlights the significance of the human factor in cyber attacks. It defines the human factor as encompassing human behavior, emotions, and motivations, which is often the weakest link in the cybersecurity chain. Attackers exploit this vulnerability through various means, including phishing, social engineering, pretexting, and quid pro quo. Scammers learn about your business or your ownership of real estate, for instance, and will pose as knowledgeable in that area, engaging you in a very enticing, but fake, transaction.
Phishing: Cybercriminals send emails or texts that appear legitimate, hiding behind real companies, using real people’s names, and luring victims into clicking malicious links or entering sensitive information on fake (yet, well-designed) websites.
Social Engineering: Attackers trick people into participating in a fake transaction, using psychological manipulation. They will share copies of what are purportedly their passports and request that you share yours in order to finalize a business transaction. Ultimately, these phone and email communications with scammers lead to people voluntarily authorizing payments to them. Often, these scammers are American or speak without an accent. They are really cool, can crack jokes with you, have know-how in the industry within which they are perpetrating a scam, and maintain a Google Maps listing using a real company's name that is registered with the Secretary of State. Their public appearance could not be more real. Yet, they are scammers, and we, as lawyers, can still distinguish between real and scam transactions.
Quid Pro Quo: This tactic involves offering something enticing in exchange for sensitive information and later payment, like offering a business loan at a low interest rate, or approaching you, unsolicited, to buy your timeshare at a very high price and on behalf of some very wealthy individual.
Legal Practitioner's Role in Preventing Social Engineering Scams:
As a lawyer, Jane Kim helps individuals and small businesses avoid social engineering scams. Here's how:
- Assess the Situation: We gather information about the scam, the method of contact, and the information shared by the scammers; review written documents and emails; and review the transaction and whether it follows standard and legal protocols that make sense. Even if this is an international transaction, don't let scammers tell you that an American lawyer does not know Mexican or some other foreign law, and that the scammer is more knowledgeable than your US-based lawyer. We practice international law, and we can spot scammers wherever they might be!
- Advise the Client: Providing clients with informed advice about their legal options in dealing with social engineering scams.
- Representation in Court: This is the last resort option, if the client was already scammed out of a high dollar amount and is willing to spend more to ascertain real identities of these scammers.
Mitigating the risk by beefing up data security will not protect against social engineering scams, as people end up voluntarily authorizing payment to the scammers.
Protecting Yourself from Scams:
Clients can take proactive steps to protect themselves from scams:
- Being skeptical of unsolicited emails or requests for personal information or offers to enter into an amazing business transaction.
- Avoiding clicking on links or opening attachments from unknown sources.
- Slowing down before clicking on known sources. If you look closer you might spot a phishing scam yourself. Some email providers like Google (Gmail) allow you to see the "original" email code. At the very top it will show you whether the sender's email passed or failed email authentication checks such as SPF, DKIM, and DMARC.
- Using strong passwords and enabling two-factor authentication.
- Be wary of false urgency. Scammers are often aggressive and pushy.
- Staying informed about the latest scams and reporting incidents to authorities. Reddit is a good community forum to quickly gather information and deduce what it means for your situation (use Search just like you would on Google).
- Never lose common sense.
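The SPF, DKIM, and DMARC verdicts mentioned in the list above are recorded in the message's `Authentication-Results` header, and they can be read from a saved copy of the "original" message with a few lines of Python. This is an added example, not part of the original post; the sample message is constructed, and `mx.example.net` is a placeholder for the name your own mail provider stamps on that header.

```python
import re
from email import message_from_string

# Constructed sample message (not a real email). "mx.example.net" stands in
# for the receiving provider's server name (its authserv-id).
SAMPLE = """\
Authentication-Results: mx.example.net;
       dkim=pass header.i=@billing-example.com header.s=s1;
       spf=fail (sender IP is not authorized) smtp.mailfrom=billing-example.com;
       dmarc=fail (p=REJECT) header.from=bank.example
Authentication-Results: untrusted.invalid; spf=pass; dkim=pass; dmarc=pass
From: "Your Bank" <support@bank.example>
Subject: Urgent: confirm your wire transfer

Body text.
"""

CHECKS = ("spf", "dkim", "dmarc")


def auth_verdicts(raw, trusted_authserv):
    """Return the SPF/DKIM/DMARC results recorded by the receiving server.

    A check with no recorded result is reported as 'missing'.
    """
    msg = message_from_string(raw)
    verdicts = dict.fromkeys(CHECKS, "missing")
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(value.split())  # join folded header lines
        authserv, _, results = unfolded.partition(";")
        # Only trust the header stamped by our own provider; a sender can
        # add look-alike headers claiming everything passed.
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for check in CHECKS:
            m = re.search(rf"(?:^|;)\s*{check}=([a-z]+)", results, re.I)
            if m and verdicts[check] == "missing":
                verdicts[check] = m.group(1).lower()
    return verdicts


def looks_suspicious(verdicts):
    # DMARC ties the visible From: domain to SPF/DKIM, so a DKIM "pass"
    # for some other domain is not enough on its own.
    return verdicts["dmarc"] != "pass"
```

In the sample, DKIM passes for a different domain than the one shown in the From line, which is why the DMARC result is the one to look at first.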
Conclusion:
Social engineering scams continue to pose a significant threat, exploiting the human element in cybersecurity. By understanding these scams and seeking legal advice as soon as you sense something is off with the transaction, individuals can bolster their defenses against cybercriminals. Together, we can create a safer digital environment and mitigate the risk of falling victim to these deceptive tactics. Stay informed, stay vigilant, and let knowledge be your strongest shield in the fight against social engineering scams.