This past tax season, Vermonters experienced a slew of encounters with “social engineers,” criminals who attempt to commit fraud, ultimately stealing money or identities, via a simple phone call. The State of Vermont, the Office of the Vermont Attorney General, and several police agencies in the region have all released advisories about the proliferating scams, attempting to prevent more Vermonters from falling for these schemes.
It is very clear that this type of scam is not particular to Vermont, but it is important that we all understand this threat and how we can prevent being taken in. I decided to investigate.
What exactly is social engineering?
A social engineer is someone who contacts individuals directly, whether by phone or email, and tricks people into revealing personal information or sending money. Here are some examples:
- In Vermont, social engineers reportedly telephoned random Vermont taxpayers, posing as Internal Revenue Service representatives. They informed the victims that they still owed taxes and demanded immediate payment by phone, usually using a credit card.
- Cyber security professionals are very familiar with this sort of attack. Some of the gravest cyber security concerns come from attacks that can be perpetrated without the attacker even knowing much about computers. Attackers simply need to know how to lie, and they can do this with words and lots of confidence.
- Phishing schemes are another great example of this type of fraud: A criminal sends an email to a victim, pretending to be someone they are not, usually an IT Department employee or a member of the government. Once the criminal convinces the victim of their legitimacy, they then convince the victim to hand over login credentials, Social Security numbers, or other personal information.
Every year, social engineers use these types of schemes to scam unaware victims out of thousands of dollars.
Although it can be challenging to protect yourself from a social engineering scam, here are some ways you can avoid falling victim to a social engineer, and steps to take if you have already fallen victim.
Protect yourself from fraud:
- Never provide personal information via email. Most legitimate organizations understand the dangers of email scams, and will not solicit personal information in this way.
- If any individual asks for personal information over the phone or via email, be suspicious. It is much easier to ask someone to confirm their identity than to have to repair the damage of identity theft or fraud later.
- If a company does ask you to send personal information to them in a way that appears suspicious, try verifying that request first. Contact the company on your own, using contact information that is different from the information provided to you by the scammer. That way, you know you are using legitimate information.
If you have fallen victim to a social engineer:
- If you are afraid that you have wrongfully provided someone with personal financial information, contact your financial institutions immediately. Much can be done to avoid loss if action is taken quickly enough.
- If you realize you may have given out logon credentials (usernames and passwords) to the wrong person, go to that login portal and change your password immediately.
- Consider reporting the scam to the police. If there are enough victims reporting the crime, law enforcement usually investigates and takes action.
To sum it up, the best way to avoid becoming a victim of social engineering is to be vigilant and trust your gut. If something doesn’t feel right, don’t give the social engineer what he or she wants. And, if you have fallen victim, act immediately to prevent damage to your finances and identity.
Neal Hopton is an intern with the Information Security department at the UVM Medical Center. He is pursuing his Master’s degree in Information Security and Assurance from Norwich University. He enjoys spending his free time skiing, biking and surfing.