Safe and Secure: Social Engineering Attacks
Scammers pretending to be the Chinese Consulate office have recently started contacting people in the hope of obtaining their bank account or credit card information. This social engineering attack has been recognized by the Federal Trade Commission (FTC). An attack like this reminds us that scammers are always trying new tactics to rob people by simply tricking them into making a mistake. This article is intended to help you learn how these attacks work and how to identify them.
What is Social Engineering?
According to SANS.org, social engineering is a psychological attack in which an attacker tricks you into doing something you should not do. This concept is not new. Con artists have been stealing money from unsuspecting people for thousands of years. Scammers are essentially con artists using today’s technology to help them steal. What makes the tactic so effective is that today’s technology lets them stay out of sight and reach millions of people around the world by phone call or email.
Take, for example, the recent attack by scammers pretending to be the Chinese Consulate. According to the FTC’s website, people across the country have reported getting a call or message saying they have to pick up a package at the Chinese Consulate office, or that they need to provide information to avoid being in trouble with the Chinese Consulate. We actually had multiple people at FIS receive this phone call this week! This type of phone call is a perfect example of what social engineering is and what it is trying to accomplish.
Another example is CEO fraud, an email attack that most often occurs at work. The way this attack works is that a scammer researches your company and identifies the name of your boss or a coworker. This is especially easy to obtain here at the University of Pittsburgh, as most information like this is public knowledge. The attacker then crafts an email pretending to be that person which asks you to take some sort of action, such as wiring them money or emailing sensitive company or employee information. The email often uses the real person’s name as the display name while the actual sending address belongs to the attacker.
You should know that social engineering attacks are not limited to emails and phone calls. They can occur in any form. The best thing you can do is be as informed as possible on the subject and never, ever send money or sensitive data over the phone or via email in response to an unsolicited request for it.
How to Detect a Social Engineering Attack
While social engineering attacks are dangerous and tricky, stopping such an attack is simpler than it seems. Often, common sense is your best defense. Listed below are some of the more common clues of a social engineering attack.
- Someone creating a sense of urgency that requires immediate action. For example, you may receive a phone call from someone claiming to be from a computer support company that tells you your computer is infected and you need to purchase their security software or risk losing all of your computer data.
- Someone asking for information they should not have access to, such as bank account numbers or Social Security numbers.
- Someone asking for a password. Legitimate companies will not ask you for your password.
- Something that seems too good to be true. For example, being notified you won an iPad or the lottery.
- Receiving an email from a friend or coworker that contains wording that does not sound like them, or that comes from an address (or asks for replies to an address) they do not normally use.
If any of those scenarios occur, you should take appropriate action, such as hanging up the phone or deleting the email. If you receive an odd email from a friend or coworker, reach out to them through some other means of communication (a phone number you already have, or in person) rather than replying to the email. For more information, please submit a ticket through the FIS portal or review your security awareness training.
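The clues above can be turned into a simple triage check for a suspicious email. The following is an added example, not part of the original article or any FIS tooling: it parses a constructed message and flags the CEO-fraud signs described earlier (a known colleague's name on an unfamiliar address, a Reply-To that differs from the sender, a lookalike domain, urgency wording, and requests for money or sensitive data). The KNOWN_SENDERS directory, the ORG_DOMAIN value, and both sample messages are constructed for this example; a real deployment would consult the organization's actual directory.

```python
import email
import re
from email.utils import parseaddr
from typing import List

# Constructed for this example: the addresses known colleagues actually use.
ORG_DOMAIN = "example.edu"
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example.edu",
}

# Phrases that create pressure to act now (clue 1 in the article).
URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|right away|asap|before (?:noon|5pm|end of day)|do not call)\b",
    re.I,
)
# Requests for money or data a colleague should not be asking for by email (clues 2 and 3).
REQUEST_WORDS = re.compile(
    r"\b(wire transfer|wire|gift cards?|password|w-?2s?|ssn|social security|bank account|routing number)\b",
    re.I,
)


def _body_text(msg) -> str:
    """Return the plain-text body of a parsed message, multipart or not."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _unique(matches: List[str]) -> List[str]:
    """Lowercase and de-duplicate regex hits while keeping their order."""
    seen: List[str] = []
    for m in matches:
        m = m.lower()
        if m not in seen:
            seen.append(m)
    return seen


def analyze_message(raw: str) -> List[str]:
    """Return a list of human-readable warning flags for a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    flags: List[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr_l = from_addr.lower()

    # Clue: a familiar display name on an address the colleague does not use.
    name_key = from_name.strip().lower()
    if name_key in KNOWN_SENDERS and from_addr_l != KNOWN_SENDERS[name_key]:
        flags.append(f"sender name matches known colleague '{from_name}' but address "
                     f"{from_addr} is not theirs (expected {KNOWN_SENDERS[name_key]})")

    # Clue: replies silently routed to a different mailbox than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr_l:
        flags.append(f"Reply-To ({reply_addr}) differs from From ({from_addr})")

    # Clue: a domain that resembles the organization's but is not it.
    domain = from_addr_l.rsplit("@", 1)[-1]
    if domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in domain:
        flags.append(f"sender domain {domain} looks like {ORG_DOMAIN} but is not")

    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    urgency = _unique(URGENCY_WORDS.findall(text))
    if urgency:
        flags.append("urgency language: " + ", ".join(urgency))
    requests = _unique(REQUEST_WORDS.findall(text))
    if requests:
        flags.append("sensitive request: " + ", ".join(requests))
    return flags


# Constructed sample: a CEO-fraud style message spoofing a known colleague.
FRAUD_MESSAGE = """From: Jane Doe <jane.doe@example-edu.com>
Reply-To: jane.doe.ceo@mail-example.com
To: staff@example.edu
Subject: Urgent wire transfer before 5pm

I am in a meeting and cannot take calls. I need you to process a wire transfer
to a new vendor immediately. Send me the bank account details you have on file.
"""

# Constructed sample: an ordinary message from the same colleague's real address.
LEGIT_MESSAGE = """From: Jane Doe <jane.doe@example.edu>
To: staff@example.edu
Subject: Team lunch next Thursday

Reminder that we are meeting at noon in the lobby. See you there.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "->", analyze_message(raw) or ["no flags"])
```

A single flag is not proof of fraud (a colleague may genuinely be in a hurry), but any hit on the sender-address checks combined with a money or data request should be verified out of band, exactly as the article advises, before anyone acts on the message.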