I have two points to make with this short post and I’m going to start with the one that’s easier to swallow: fake help desks. Here’s the long and short of it. Scammers are buying online ads to push phony technical or customer support help desk phone numbers to the top of search engine results. The goal is to trick unsuspecting people who have a problem they feel they need immediate help with into mistakenly dialing one of these phony numbers. Should they do so, instead of reaching a legitimate customer support representative at a major corporation the likes of Amazon or Facebook, they’ll be interacting with a scammer who definitely does not have their best interests at heart.
While more than a few have fallen prey to this particular scam, it gets worse. For example, if you were to ask Siri, Alexa or Google Home to look up a customer support number and place the call, how would you know if the correct number was indeed dialed? All I can say is humans and voice assistants can be, have been, and will continue to be hoodwinked.
So, what’s to be done? It really isn’t that hard. Now that you know that search engine and voice assistant results are not 100 percent error-free, always go to a company’s official website to search for the correct contact information for customer support.
I chose to share information about this kind of scam, however, to make a second and far more important point, which is this. Were you aware of this scam? If so, are you confident that everyone else who works at your firm, staff and attorneys alike, is also aware of it and would know how to avoid it? If not, your firm may be more vulnerable to a cybersecurity breach than you might believe.
For lack of a better description, the social engineering attack vectors, methods, and scripts that cybercriminals use to try to dupe as many people as they can are continually evolving and changing. Because of the dynamic nature of this threat, the best defense against social engineering is regular, ongoing training.
At least quarterly, if not monthly, set aside 10 to 15 minutes for a firmwide mandatory training session and have someone share a blog post, a short article, or a brief training video that focuses on a current threat because there really is no other way to keep people informed. Look for help from your IT support, sign up for and share the free security newsletter from the SANS Institute called Ouch! or consider working with a company like KnowBe4, which can handle all your training needs. I know it’s hard, but knowledge is power and when it comes to preventing cybercrime, your firm needs all the power it can get.
Mark Bassingthwaighte will be hosting a Social Engineering webinar on October 9, 2019, “How to Prevent Phishing for Your Firm’s Weakest Link.” Sign up today: https://alps.inreachce.com/Details/Information/fcc9d856-7152-418e-95c1-2d9013a47f5c?ref=featured