You get a PayPal invoice for several hundred dollars that will be debited from your account in 24 hours. You hover over all of the links – it looks legit. You cannot let your account be drained of your hard-earned money – so you click the link and it takes you to a legit PayPal invoice. What do you do? You didn’t purchase anything and you sure as heck are not about to let that money be taken – so you call the toll-free number on the invoice to dispute the charge.
AND – NOW – they’ve got you.
You are frustrated and distracted, and the caller on the other end of the line is here to help! They offer up a handy-dandy tool for you to download that gives them the ability to research the issue on your system. You download the tool because you do not want to be hit with this ridiculous, errant charge.
BOOM – they have full access to your machine.
The hackers are using well-known social engineering tactics to catch you unaware. They know you may be savvy – you may look at the links and ‘think’ you are being smart. BUT – they first use the Loss Aversion technique. We are naturally more afraid of losing than we are eager to gain – so when someone says they are taking your money (rather than giving it to you, which you would instantly recognize as a scam) – they have started the play on your human tendencies.
Once they have you engaged, they push you with a sense of urgency: 24 hours – if you don’t respond, your money is gone! This is Urgency Bias, social engineering play #2.
And lastly, they lean on the Halo Effect – our familiarity with a brand and its reputation, which we tend to trust more easily.
So – how do you combat this? Learn about safe online behaviors. Train your staff to be more vigilant about plays on their emotions, their senses, their sense of urgency, etc.
The way to avoid getting caught in this particular phishing scheme is to go directly to your PayPal account and look for the charge there. If it is not there, it is almost 100% a scam. And don’t ever call the number on the invoice – open a dispute directly with PayPal (if you do find an unsolicited invoice in your account).
The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails… and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.
Brian Krebs, krebsonsecurity.com
Read more about social engineering tactics and why they work in this great Infimasec piece – Hackers use our minds against us…