5 Techniques To Foil Scammers and Criminals


You have almost certainly received a call from a number that looked local, or looked like someone you know, only to answer and find a stranger on the line. You have probably also received calls from "The Microsofts," the IRS (calling from a Washington state phone number), "Card Services" or any of a plethora of other ruses. While most of these are scammers operating outside the United States, extracting your credit card number or Social Security number is not the only objective some of these calls are designed to achieve.

Within cybersecurity, this activity is called vishing, a portmanteau of voice (sometimes VoIP) and phishing. It is a subset of the discipline known as social engineering (attacking the human element instead of the technology) and seeks to collect information and gain access in much the same way phishing does. It has become a significant threat to businesses, especially when combined with phishing or other, more technical attacks. Because of the rise in scammers targeting businesses, companies have started including vishing within their security testing.

In these tests, the attacker, with authorization, calls employees of a company with a ruse (also known as a pretext) and engages them in conversation. The attacker attempts to influence or manipulate the employee into performing an action or providing information. The actions could include opening a file sent during a phishing engagement or navigating to a website. The information solicited could range from passwords or password-reset answers to the company's crown jewels. Here is a non-exhaustive list of recommendations to thwart such attempts at home, at work and beyond.

Do not answer calls from unfamiliar numbers if you can

It is understood that in some instances and roles you cannot simply ignore a call. When you can, do so if you do not recognize the number. If it is important, the caller will likely leave a voice message. If not, you can still search for the number and see what other people are saying about it or who it belongs to. Also consider the time of day they are calling: is this normal for the organization they claim to represent?

The IRS will likely never call you at 8:30 PM on a Saturday to tell you that they are suing you. In fact, per the IRS, they will not call you at all. They will mail you a notice, and if they send a representative to your home or place of business, that person will carry proper identification. Any payment will be made by check to the "United States Treasury," not in iTunes gift cards or prepaid credit cards.

In the same vein, some cellular providers are implementing spoofing and scam protection for all customers. Alternatively, applications like Hiya, TrueCaller and RoboKiller will screen these calls for you. Some of these are free services; others require a payment or subscription.

At home, you are free to ignore calls all you want. If these are happening at work, reach out to your security or cybersecurity department for guidance. It is also wise to involve your manager and possibly Human Resources if it could impact your ability to do your duties as assigned.

Send emails that you're unsure of to tech support/cybersecurity

This article has not addressed phishing much, but continuing the discussion of how criminals may try to steal your data, phishing is a real threat in this instance as well. If you receive an email that appears to be a phish, involve your cybersecurity team or whoever owns the email system. They can provide a second (or third) set of eyes from a technical perspective and give you guidance. In more mature companies, the IT or cybersecurity staff or a contracted partner may be able to open any files or links on a dedicated, isolated system to confirm whether they are malicious, a practice some refer to as "detonating."

If the email claims to be from another employee or from a vendor, partner or customer, feel free (within the confines of company policy) to call them, message them via an external chat client or walk to their desk and ask whether they sent the email. Do not respond via email, and avoid any chat feature built into the email itself if you can, since the attacker may control that channel too. This is a vital step in preventing Business Email Compromise (BEC).

Do not publish much information about yourself publicly unless you have to

Depending on your role, you may have to publish information about yourself to do your job; salespeople and recruiters are two examples. Even in those roles, and especially in non-public-facing roles, there is limited benefit in posting everything about yourself. For most people, very little needs to be public. Keep some things limited to colleagues, friends and necessary connections.

For example, you do not have to publish where you work on LinkedIn. You could use an acronym for your company name, or list something ahead of it such as your involvement in a volunteer organization or church. This limits what can be scraped and makes it harder for scammers to readily associate you as an employee of your company. It also helps you spot when someone messaging you has pulled your details from such a scraping service or bot when they send a cold sales pitch.

In past roles, I was open about where I worked and scammers took note of this, leading to me getting as many as 60 calls per day. Once I changed it from the company name to an acronym, it drastically declined. Salespeople will do the same thing regarding leads. While it is beneficial to have information about where you work, it is not compulsory to put everything out there.

Additionally, if you work with specific systems or technologies, it is prudent to avoid naming specific products (e.g. MySQL rather than "SQL database technologies") and especially specific versions (e.g. Oracle ERP version 12.2.4) on your public profiles. Such details let would-be attackers see what technologies are in use and check whether known vulnerabilities or exploits exist that could allow them to gain unauthorized access. It is best to stay vague and leave it off LinkedIn and Indeed. Save it for the resume that you share with potential employers in private settings.

If called, find a way to get off the phone and offer to call them back

If someone calls you in an attempt at vishing, your best defense is to get off the phone as soon as possible. Use an excuse, such as an urgent meeting, if you want to be polite, and offer to call them back. Scammers will likely try every way possible to keep you on the phone, and may offer to call you back instead. You need the ability to call them back on a number you have verified, after you have vetted that this is a legitimate call. Alternatively, just hang up if you need to. Make up a story if necessary; the goal is to get off the call as quickly as you can without giving out legitimate information. Finally, if you know for a fact that the caller is a scammer, you could provide them with information, as long as it is believable but incorrect.

Utilize access controls on social media

The final way to help with this problem is to use the access controls on social media. Set posts to be viewable by friends only or by friends of friends. Anything you post will be visible to your friends and connections, and anything you post to a group will be visible to everyone in that group, friends and non-friends alike.

Also, avoid posting sensitive data, or information that could be used against you, in public places such as local news, sports team or other pages that are inherently public. Another step in controlling your online persona is to restrict your employer, relationship status and other data points in the "About" section to friends, friends of friends or "only me." This reduces the places a potential attacker can go to gather more information about you. There are other sources they could use, but it does not have to be your social media profile.

Conclusion

Like phishing, this problem will likely never go away. The best countermeasures are awareness and training. Condition yourself and your employees to be vigilant for these operations. Establish clear reporting guidelines and criteria for when attempts happen, whether or not they succeed. Following this advice does not require anyone to be rude or disrespectful, although scammers may choose to become that way. It is a means of protecting your company, your family and what is important to you.
