Trick no Treat

5 scary ways a hacker tries to trick you!

1. You’ve won!

We’re all savvy to the Prince from a far-off land who wants to share his wealth with us, or the long-lost relative who, on their death-bed, wants to give us their worldly savings… but what about the more down-to-earth notifications of good fortune? The ‘you’ve won an iPad’ pop-up, the tax refund email, the $100 supermarket gift-card text?

A lot of these notifications can look incredibly genuine, but be careful! Take a good look at the message: where has it come from? Is the spelling all correct? (Many bogus notifications have poor grammar and misspellings.) Are there any brand logos? How do they look? Compare them to a logo you know is authentic.

Copying logos or company fonts can be tricky, and a poor logo imitation can be a major clue that a message is not genuine.

And finally, take a moment to think before clicking… is the prize / offer too good to be true? If so, it probably is.

Don’t be drawn in!

2. Sorry we missed your delivery!

But you didn’t order anything!… Or did you?… Perhaps someone has sent you an early birthday present or is just being thoughtful?!

There are many scam messages about missed deliveries being sent, mostly via text. And as we approach (dare I say it!) Christmas, more and more shopping will be done online, with greater confusion over what is being delivered and by whom.

If you receive such a message, stop and think: have you actually ordered anything recently that you’re still waiting on? Since the onset of Covid-19 many delivery companies have preferred a non-face-to-face delivery method, leaving parcels at properties in a safe place and taking a photo.

As this has become more the norm, if you have the opportunity, make sure you advise the merchandiser or delivery company of a nominated safe place for your parcel to be left, even if you’re going to be home!

And try to take note of who will be delivering your parcel. Many merchandisers will now specify the delivery company they use and provide tracking details and timings.

3. Your account has been compromised

The fear factor technique. Banks will never ask for your personal data over the phone, and generally most companies won’t ask you to divulge data by phone or online… but what if you receive an email telling you to take urgent action, that looks genuine, and directs you to log in to the business web page via a link? It’s going to the web page… it’s got to be ok, right?

Wrong!

Hackers have wonderful ways and tools to create very good replicas of websites which will trick you into entering your details.

And it could be any entity you might use online. Just the other day I received an email claiming to be from Facebook alerts saying that “someone tried to log in to your account.” The email identified the type of device used, which I knew I didn’t own.

For a split second I considered using the button to ‘report user’. However, my instinctive suspicion stepped in and instead I logged into my Facebook account and checked the devices recently used in the security section of settings.

An alternative, quick check of the “From” part of the email can determine whether it came from a legitimate Facebook email address. In a scam you’ll generally find an address that makes no reference to Facebook at all, whatever the display name says.
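As an added illustration (not from the original post), here is a small Python check of the kind described above: it pulls the real address out of a “From” header, ignores whatever the display name claims, and compares the domain against an allowlist. The allowlisted domains are an assumption for the example; replace them with the sender domains the real service publishes.

```python
from email.utils import parseaddr

# Assumed allowlist of genuine sender domains per brand. These values are
# an assumption for the example, not verified facts about any provider.
TRUSTED_SENDERS = {
    "facebook": {"facebook.com", "facebookmail.com"},
}


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address in a From header ('' if none)."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def check_from(from_header: str, brand: str) -> tuple[bool, str]:
    """Decide whether a From header plausibly belongs to `brand`.

    Only the address part counts: a display name such as
    "security@facebook.com" in front of <attacker@example.net> is ignored.
    Returns (ok, reason).
    """
    display, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return False, "no parsable address"
    allowed = TRUSTED_SENDERS.get(brand.lower(), set())
    # Accept an allowlisted domain or one of its subdomains, nothing else.
    if any(domain == d or domain.endswith("." + d) for d in allowed):
        return True, f"{addr} is on the {brand} allowlist"
    if brand.lower() in display.lower() or brand.lower() in domain:
        return False, f"looks like {brand} but the real domain is {domain}"
    return False, f"real sender domain is {domain}, not {brand}"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in [
        '"Facebook Alerts" <security@facebookmail.com>',
        '"security@facebook.com" <attacker@example.net>',
        'Facebook <alerts@facebook-support-login.example>',
    ]:
        print(hdr, "->", check_from(hdr, "Facebook"))
```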

4. Forge personal contact

Disastrous relationships don’t just come from swiping right! (And to caveat, I’m sure some successful relationships develop from the ‘swipe’!) In this world of social media, it’s so easy for a hacker to form a seemingly genuine relationship with you. And they’re not all so unsubtle as to directly ask you for money for their ‘flight to see you’ or the ‘life-saving’ operation they can’t afford.

As they build up your trust and as conversations flow, you may openly give general information about yourself, but you will also unwittingly release private details that could easily form part of your most crucial passwords! The hacker can then build up quite a picture from varying data to make up an online persona of you that can be imitated.

Be mindful of the personal details you give to someone you’ve just met… especially if it’s only been online.

And whilst considering personal details… whilst ‘personality’ tests and ‘get to know you’ quizzes that are posted online can be fun, again, consider the information you are parting with.

What’s your film-star name? Take the name of your first pet and your mother’s maiden name…

What was number one the year you were born? When were you born?…

How much do you know about the town you were born in? Where were you born?…

Ooh great, I’ve got your date of birth, the town you were born in, your mother’s maiden name, and possibly part of a password (first pets, schools, teachers, favourite films, songs and lessons are all commonly used in passwords).

5. Bait and Switch Attack

A less commonly heard phrase: the attacker uses relatively trusted avenues, e.g. ads, to trick you into visiting malicious sites. A hacker will purchase advertising space on a website that may itself be legitimate, and place a reliable-looking ad with a link that downloads malware or convinces you to reveal personal data.

It can be difficult to distinguish between genuine and fake, so use common sense. As stated before, if something looks too good to be true, it probably is.

Try to stick to websites you know and trust, and use a good VPN, as the best ones tend to remove suspicious code from the web pages you visit.

Ultimately think before you click!

Tricking isn’t just for Halloween and the treat can be great for the hackers and ghoulish for yourself!

There are many cyber security organisations around the world that offer help and advice. The NCSC in the UK provides a wealth of useful information to individuals and businesses alike. Find out more at: www.ncsc.co.uk

The three major websites offering advice, information and resources for the US are:

– Homeland Security: www.dhs.gov/topic/cybersecurity

– National Cyber Security Alliance: staysafeonline.or

– National Initiative for Cybersecurity Careers and Studies: niccs.us-cert.gov/