Exploiting Brand Trust
Big brands have a powerful influence on consumers. Brands are designed to generate customer trust and loyalty. Scammers take advantage of this by masquerading as well-known companies. In this way, they trick victims and gain their trust. The average person is also time poor and has a full inbox. Cybercriminals hope we won’t think twice about clicking emails from the brands that we know and love. They’re betting that in our rush to clear our unread emails, we might click on their email links. We might download nasty ransomware files, or plug our credentials into a phishing page that they’ve created to mimic the real thing. Here’s an example. You could get an email from your bank, telco or energy provider. That email may ask you to confirm your account details or log into an email portal like Office 365. Many of us will take a few minutes to click through. We then go about our normal day, completely unaware that our account has been compromised.
Using Curiosity to Kill the Cat
Every day, our email filtering servers intercept “phishing emails”, or emails that are designed to steal your data. These emails evoke emotions like fear, and create a sense of curiosity or urgency to trick us. Because it’s human nature to be curious, we click on unfamiliar links in emails that seem intriguing. We can’t resist taking a peep at those business opportunities that land in our inbox. This leads us to submit our confidential data through dodgy emails. Similarly, extortion threats use the power of fear to gain our information. How do scam emails evoke emotion? They use urgent subject lines like ‘Action Required,’ or include time-sensitive instructions. For example, you could get a notification from your bank saying that suspicious activity has been detected in your online banking. The email tells you that your account will be deleted if you don’t confirm your identity within 24 hours. This makes people take action immediately, without thinking too much about the email’s credibility.
Leveraging Professional Relationships
Cybercriminals use social engineering to scam their victims. A social engineer uses publicly available information to accurately pose as a Microsoft executive via a personalised email that demands urgent action like making a financial transfer or revealing confidential information. Email fraud like this is also sometimes called whaling, Business Email Compromise (BEC) or CEO Fraud. A whaling attack takes advantage of the relationship between the target and the CEO or other senior executives. By mimicking a high-ranking executive, whaling uses the power that the executive has over their subordinates to drive immediate, unquestioning action. These attacks are very much a hack against a human, rather than against a computer.
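The three cues described so far (a trusted brand in the sender name, an executive's name arriving from an outside domain, and urgency wording like ‘Action Required’ or ‘within 24 hours’) are exactly what a mail filter can score before a busy reader ever sees the message. The following is an added example, not the author's filtering product: the organisation domain, executive list, brand domains and sample messages are all constructed.

```python
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed organisation data (hypothetical): our own mail domain, the
# executives a whaling email would impersonate, and the domains a brand
# legitimately sends from.
ORG_DOMAIN = "example.com.au"
EXECUTIVES = {"Alex Lee", "Sam Patel"}
BRAND_DOMAINS = {"microsoft": {"microsoft.com"}, "office 365": {"microsoft.com"}}

# Urgency cues of the kind the article describes.
URGENCY = re.compile(
    r"\b(action required|urgent|within 24 hours|immediately|suspended|deleted)\b",
    re.IGNORECASE,
)

def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = Parser().parsestr(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = []
    # Whaling/BEC: a known executive's name, but the address is not ours.
    if display in EXECUTIVES and domain != ORG_DOMAIN:
        hits.append("executive display name from external domain (whaling/BEC)")
    # Brand trust: the brand is in the sender name, the domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            hits.append(f"brand '{brand}' in sender name but domain {domain} is not the brand's")
            break
    # Urgency: time pressure in the subject or body.
    if URGENCY.search(subject) or URGENCY.search(body):
        hits.append("urgency language")
    return hits

# Constructed sample messages: a whaling attempt, a brand impersonation, and a benign note.
SAMPLES = [
    "From: Alex Lee <alex.lee@mail-example.net>\nSubject: Urgent wire transfer\n\n"
    "Please process this transfer immediately and keep it confidential.\n",
    "From: Microsoft Account Team <security@office365-verify.example>\n"
    "Subject: Action Required: confirm your identity within 24 hours\n\n"
    "Your account will be deleted unless you sign in now.\n",
    "From: Pat Jones <pat.jones@example.com.au>\nSubject: Lunch Thursday?\n\nAre you free?\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(phishing_indicators(sample) or ["no indicators"])
```

A real filter would add lookalike-domain checks and authentication results (SPF, DKIM, DMARC); this heuristic only shows how the psychological cues in the article map onto observable header and body features.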
Working During Silly Season
It’s pretty simple psychology, actually. If you’re going to try and trick someone, it’s best to do it when they’re busy or distracted. And there are specific seasons of the year when people are busiest. The End-Of-Financial-Year (EOFY) period is one example of this. During those times, companies are reconciling their numbers and filing tax returns. They’re in a panic to get financials finalised and paperwork filed with the Australian Tax Office. As a result, employees receive a lot of invoices, bills, payroll and finance-related documents. They’re also so busy that they let their guard down. Black Friday and Cyber Monday also make people vulnerable to cybercrime. These one-day sales pressure customers to complete their purchases as soon as possible, in case they lose the deal to someone quicker. Tempted by those time-sensitive deals, shoppers readily click on scam email links without taking their usual precautions. This time-critical tactic is a classic phishing technique which discourages people from checking the validity of the email.
Please reach out to us on (08) 9418 4119, or email [email protected] to let us know if you would like our assistance securing your company’s email systems.