A primer on phishing, spam relays & other social-engineering techniques to trick you, steal your money & compromise your data
A primer on phishing, spam relays & other social-engineering techniques to trick you, steal your money & compromise your data

In its 2021 Internet Crime Report released this past March, the FBI identifies phishing as the top cybercrime facing the United States, with nearly 325,000 incidents reported last year — up from 241,000 in 2020 and 115,000 in 2019. That’s a concern for every construction business looking to safeguard its records and information, because 90% of incidents that end up as a data breach start with phishing.

So, what is phishing? It’s a technique in which hackers put out some bait — something they think you’ll nibble at, so they can engage you — to get specific data, or pieces of information that by themselves seem innocent enough. When combined with other data they have found, bought or stolen, this gives hackers all the pieces they need to impersonate you and/or gain access to your network, email or shared files.

Spams & Scams

Phishing is one example of social engineering, which often involves tricking you into thinking you’re communicating with a trusted source, such as someone you know or work with. The unseen hacker presents themselves in reasonable communications, using scare tactics such as your password expiring, or claiming to be helping you because they noticed a problem with your computer. In each case, they’re trying to trick you.

Spam relays are another popular, insidious tool used by cybercriminals. The hackers find a server or network of servers and gain access. They use all these servers to send out bogus email messages and other bait, so it comes from multiple sources that regularly change.

There’s no way to block a specific sender or location because the hackers are using many computers and often the offending sources don’t even know they’re part of the problem. 

They could use 100 servers from 100 different companies to send thousands of phishing emails.

All these schemes exploit our familiarity with and reliance on online communication. You’re in a rush and don’t notice that the company name is misspelled or that the email address has a typo. You don’t know if you’re expecting a fax or a package and you’re curious about the notification you received. You struggle to remember your password, and the thought of it expiring makes you panic. Your office manager is tickled that you’ve trusted them to order surprise gift cards for the rest of the staff and eagerly shares your credit-card information. You didn’t know you had a new vendor, but you assume they’re legitimate and click the link to their invoice. You receive an email from Microsoft to confirm your password, so you type it in readily. Of course, these are all scams.

Just a Reminder

When children are young, adults repeatedly remind them to look both ways before crossing the street, not to talk to strangers, and to say please and thank you.

We take these commonsense precautions and courtesies seriously. But, with increasing numbers of remote workers — many of them relying on email as their primary form of communication — how often do you remind yourself and your team to beware of phishing schemes and other cyberthreats?

As the 18th century English writer Samuel Johnson said, “People need to be reminded more often than they need to be instructed.”

Here are five of the most common phishing attacks, as recently listed in an article in MSP Success magazine. These might be worth pinning up in the break room, reading in the monthly company meeting, and including in all new-hire documentation:

  • Notification that you’ve received a voicemail or fax.
  • Fake tech-support email alleging malware on your computer and requesting remote access to install software to fix the issue.
  • Business email compromise with a fraudulent invoice embedded with malware.
  • Phony emails from HR asking new employees to change their direct-deposit information.
  • Spoofing and social engineering attacks designed to trick employees to reveal confidential information.

Now what? Your IT provider can add filters, block unknown senders, and use tools to limit exposure — but you and your staff still play an important role in preventing cyberscams. Even with great security and alarms, you still have to lock the door yourself. In other words, if you have any doubt at all about an email or other communication, assume it’s a scam. Take the “zero-trust” position and wear out your delete key.