Be #ScamAware: Check for tricks before you click
It’s important to stay vigilant and sceptical of unsolicited requests for information. Always verify the identity of the person or organisation making the request and remember to pause and think before clicking on any links.
At Gateway Bank, we want to help our members avoid fraudulent scams when they appear — with this in mind, we’ve created a quick guide to social engineering fraud and methods, so you know what to look for and how to protect yourself.
What is social engineering?
Social engineering is a psychological tactic cybercriminals and hackers use to manipulate people into divulging sensitive information they wouldn’t normally share. This kind of attack doesn’t rely on technical means, like exploiting a software vulnerability or stealing a password, but on exploiting human psychology and emotions.
In 2022, the Australian Competition & Consumer Commission (ACCC) reported that Australians lost a record $3.1 billion to scams, an 80% increase on the losses recorded in 2021. Social engineering techniques are getting harder to detect and defend against, as scammers exploit human emotions like fear, curiosity, and trust.
Examples of social engineering attacks
Social engineering attacks are often hard to pinpoint — an attack might come as a phone call, a phishing email or a text, or hackers might access your computer or phone remotely to steal data. You might not even realise it’s a security threat at the time, as successful social engineering attacks play into your emotions and existing accounts or affiliations.
Knowing the signs and being cautious of unsolicited communications is crucial. Here are some common social engineering attack types to keep an eye out for.
Phishing
Phishing emails are fraudulent emails designed to trick you into divulging sensitive information, like passwords, credit card numbers, or personal information. These emails are usually disguised as legitimate emails from trusted sources, like banks, social media sites, or government agencies.
Phishing emails often use social engineering tactics, like urgency or fear, to persuade you to act. For example, the email might claim that there has been suspicious activity on your account and prompt you to click on a link to "verify" your account information. The link will then take you to a fake website that looks legitimate, where you’ll be prompted to enter your login details or other sensitive information.
These emails can also carry malicious attachments, like PDFs or Word documents, that install malware on your computer when opened. This malware can steal sensitive information, like passwords or credit card numbers, or allow others to take control of your computer.
It’s crucial to be sceptical of unsolicited emails and to always verify the sender and content of the email before clicking on any links or entering any information. We also recommend keeping your computer’s operating system and software up to date with the latest security patches and using antivirus software to detect and remove malware.
Phone scams
Phone scams aim to trick you into giving away sensitive information or money. Scammers use social engineering tactics to gain your trust and persuade you to act. Examples of phone scams include:
- Spoofing and caller ID manipulation: Scammers use technology to disguise their phone numbers, making them appear as legitimate or known entities like banks on the caller ID. This tactic aims to gain the victim's trust and increase the likelihood of the call being answered.
- Robocalls: Beware of automated calls that deliver pre-recorded messages, as these can be an attempt to trick you into taking certain actions, such as pressing a specific button or providing personal information.
- Government or law enforcement scams: The caller pretends to be a law enforcement officer, tax official, or government agent, claiming that the target owes money, has legal issues, or is involved in criminal activities. They pressure the target to provide personal information or make immediate payments to avoid supposed legal consequences or unpaid taxes.
Be cautious of unsolicited calls, even if the caller ID appears to come from a trusted company or source. Never give out personal information or money over the phone to anyone you don’t know or trust. If you feel uncomfortable or suspicious and can’t verify the caller’s identity, hang up immediately. If in any doubt, call the company back on a number you have verified through other legitimate sources, like its official website.
Pretexting
In a pretexting attack, the scammer creates a false scenario or pretext to gain your trust and extract information from you. The attacker might impersonate someone with authority or create a false sense of urgency or importance to persuade you to provide sensitive information.
Pretexting comes in various forms, but some common examples include:
- Pretending to be a bank representative: The attacker might call or email you claiming to be from your bank and ask for personal information or account details under the guise of a security check or a routine update.
- Creating a fake emergency: The attacker might claim there’s an urgent situation, like a security breach or a family member in trouble, and ask you to provide sensitive information or take immediate action.
- Tech support scams: Scammers often pose as technical support personnel from well-known companies. They may call or email individuals, claiming there's a technical issue with their computer or software. They'll request remote access to the victim's device and may install malware or request payment for fake services.
Unfortunately, pretexting can be hard to detect because the attacker has done their research and has created a believable story or scenario. With this in mind, it’s important to be cautious of all unsolicited requests for information or action and always verify the identity of the person or organisation making the request.
Baiting
Baiting is where an attacker offers something desirable, like a gift card or a software download, in exchange for personal information or access to a device. The goal is to entice you into “taking the bait” and providing the requested information or access.
Examples of baiting attacks include:
- Free gift card scams: The attacker might offer a free gift card in exchange for completing a survey or providing personal information.
- Free software downloads: The attacker might offer a free software download, like a game or productivity tool, containing malware or a virus. Once you download and install the software, the attacker can access your computer or steal sensitive information.
- Fake job postings: The attacker might create a fake job posting that requires you to provide personal information or pay a fee to apply.
- Lottery scams: The scammer claims you’ve won a lottery or sweepstakes, but you must pay a fee or taxes to claim the prize.
Like pretexting, baiting attacks can be hard to detect, because the attacker offers something desirable that you might be tempted to take. To protect yourself from these social engineering attacks, be cautious of offers that seem too good to be true and always verify the identity of the person or organisation making the offer.
Impersonation
Impersonation tactics involve scammers pretending to be someone else, often a trusted individual, to deceive and manipulate their victims. These tactics rely on creating a façade of credibility and trust to exploit individuals for financial gain or to obtain sensitive information. Here’s how scammers use impersonation tactics in more detail:
- Family and friends’ impersonation: Scammers may impersonate family members or friends to trick victims into sending money or providing sensitive information. They may claim to be in an emergency or dire situation, tugging at the victim's emotions. In this scenario, scammers typically send a WhatsApp or a text message from an unknown number, impersonating a friend or family member, claiming their phone is lost, stolen, or broken, or that they’ve forgotten or lost their bank card, asking the victim to transfer money.
- Social media impersonation: Scammers create fake profiles on social media platforms, impersonating individuals or organisations. They use these profiles to gather personal information, spread misinformation, or conduct phishing attacks by engaging with users and gaining their trust.
- Impersonating a coworker or manager: The attacker impersonates a company executive or a coworker, typically through email, and instructs employees to perform actions such as transferring funds or sharing sensitive company data. They exploit the authority associated with the executive's position, or the connection to a coworker, to deceive employees.
By adopting these personas and strategies, scammers exploit human psychology, trust, and emotions to achieve their malicious objectives. Awareness, scepticism, and verifying identities before sharing personal information are crucial steps in protecting oneself against impersonation scams.
What to do if you suspect you have been scammed
Social engineering attacks can be devastating, both financially and emotionally. However, there are steps you can take to minimise the impact and learn how to identify social engineering threats in the future.
If you believe you have been scammed, you can take the following steps:
- Cease contact: If the scammer is still in contact with you, stop all communication with them immediately. Do not give them any further information or money.
- Report the scam: Report the scam to the appropriate authorities. You can report scams to the ACCC via their Scamwatch website or by calling their Scamwatch hotline at 1300 795 995. You can also report scams to your local police.
- Protect your accounts: If you gave the attacker sensitive information, like your banking details, contact your bank immediately to notify them of the scam. They may be able to stop any fraudulent transactions and advise you on protecting your accounts.
- Change your passwords: If you provided any login credentials, like your email or social media accounts, change your passwords immediately. Use strong passwords and enable two-factor authentication if possible.
- Consider credit monitoring: If the scam involved sensitive financial or personal information, consider enrolling in a credit monitoring service to detect any unauthorised activity or attempts at identity theft.
- Educate yourself: Learn more about common scams and how to protect yourself from them in the future. The ACCC's Scamwatch website has a wealth of information on common scams and how to avoid them.
- Be cautious moving forward: Exercise caution when interacting with unknown or unexpected contacts, especially if they request personal or financial information. Trust your instincts and verify the authenticity of any requests or offers before acting.
Remember, acting quickly is important if you think you’ve been scammed. The earlier you report the scam and take action to protect your accounts, the better your chances of minimising the damage.
How we protect our members from social engineering attacks
At Gateway, safeguarding your privacy and security is important to us, which is why we have a range of security measures in place to protect you.
Our online banking platform is protected with firewall protection, encryption, automatic session timeouts, secure SMS code authentication, account lockout after repeated incorrect passwords, and last login time checks, among other security features.
Our support team will never ask for your online banking login credentials or PIN via email or phone.
We’re committed to offering the highest level of security and constantly update our systems to maintain it.