Cyber criminals are getting increasingly sophisticated at using social engineering tactics to bypass the two-factor authentication systems used to secure victims’ accounts, as Symantec’s 2016 Internet Security Threat Report (ISTR) reveals.
According to the report, the Gmail scam – named after the most exploited email provider – was fairly common in 2015. It made use of the password recovery feature offered by email providers such as Gmail, Hotmail, and Yahoo Mail to steal user access credentials. Taking Gmail as an example, this is how the scam works:
- The cyber criminal obtains a victim’s email address and mobile number (both of which will probably be publicly available).
- Posing as the victim, the criminal contacts Google, asking for the victim’s password to be reset.
- Google texts the victim the code.
- Posing as Google, the criminal texts the victim, saying unusual activity has been detected on the victim’s account, and asking for the code that has just been sent.
- The victim sends the verification code to the criminal.
- The criminal can now access the victim’s Google account.
Understand the basics of phishing
Social engineering tactics are at the heart of phishing attacks. They exploit human emotions such as concern and curiosity to push victims into performing a specific act, whether that is providing information, clicking on links, or something similar. The more you know about this topic, the less chance you have of falling victim. Get to know the basics of phishing attacks with the Phishing Staff Awareness e-learning course. Discover the different types of phishing scams, how they work and, above all, how to spot them and avoid being caught in the net.