As Canadians have moved more of their daily activities online in the wake of the coronavirus pandemic, they need to be increasingly vigilant about protecting themselves from digital scams. Cyber criminals continually adjust their tactics in response to developments that can make consumers more vulnerable, sometimes leading to monetary losses or incursions into their privacy.
Many Canadians are still working from home, learning remotely, relying on e‑commerce and using more digital channels. As we continue to move online in greater measure, so do the criminals. Fraudsters are ramping up their efforts to trick Canadians into unwittingly giving up personal information and/or sending money for bogus schemes.
Cyber criminals may use human psychology and the art of manipulation to scare, confuse or rush you into opening a malicious link or attachment, or into providing sensitive data through a process known as "social engineering." This is often the Trojan horse through which cyber criminals get through cyber defences to access consumer accounts.
In recognition of Cyber Security Awareness Month this October, it’s important to remind Canadians to slow down, think critically and not take the bait cast by social engineers.
Social engineering explained
Social engineering exploits human psychology, rather than using technical hacking methods, to gain access to systems or data. Put simply, it’s the tactic of using human impulse against a target to get them to do what they normally would not (or should not) do. Criminals leverage our basic urge to respond to urgent requests, be useful or help a friend or colleague in need to lure us into inadvertently providing information that can be used to commit financial scams.
Social engineering has been around for centuries; it has simply been ascribed a new term. These are essentially the same tactics that grifters and con men have long used to separate people from their money by exploiting basic human weaknesses or blind spots. Like P.T. Barnum, modern cyber criminals are using social engineering techniques to draw people in, harvest their sensitive information such as login credentials or account details, and use that information to masquerade as the legitimate person. Ultimately, fraudsters can circumvent cyber defences without the need for sophisticated hacking.
With your personal information in hand, cyber criminals can:
- Gain unauthorized access to customer bank accounts (i.e., account takeover)
- Coerce or trick a bank customer into sending money to an account controlled by the criminal, believing them to be legitimate (i.e., scams)
- Illegitimately open accounts or apply for credit using stolen credentials (i.e., identity theft)
Easier to hack a brain than a computer
The role of human error in successful cyber security attacks has long been observed. In fact, there is a well‑worn cliché in information security (InfoSec) circles: the weakest link in computer security is the human. Some InfoSec experts go so far as to claim that it’s easier to hack a brain than a computer. Or, more exactly, you can have the strongest firewalls, the most expensive intrusion detection and a complex security system, but it can all be undone by human error caused by well‑intentioned impulses.
As cyber security controls have greatly improved at financial institutions and other organizations over the years, it’s more important than ever to focus on the human dimension as a key factor to strengthen the overall security chain.
From weakest link to strongest defender
Social engineering fraud, in particular telephone, SMS and business email scams, has been on the rise, compounded by the pandemic. These attack vectors largely rely on social engineering techniques and have been leading to monetary losses for both financial institutions and consumers. Looking at the Canadian Anti‑Fraud Centre’s top 10 frauds targeting Canadians in 2020, several top scams involved social engineering, including identity theft, personal information fraud and phishing, to name a few.
To be sure, financial institutions go to great lengths to keep Canadians’ money safe and protect their personal and financial information. The CBA and its member banks take extensive steps to protect their customers’ information by publicizing the latest threats and through continued investment in layered fraud detection and mitigation technologies.
The realities of a connected world, however, mean that cyber threats are not limited to our systems and technology. In the digital era, security is a shared responsibility and customers have an important role to play. To that end, the banking sector is committed to promoting cyber security best practices to help customers better protect themselves and their devices against a rising tide of digital fraud.
Cyber security is primarily about knowing who and what to trust when it comes to protecting your digital information. For the consumer, it’s about slowing down, thinking critically and getting to know the red flags.
Three ways to spot social engineering
- Using fear as a motivator. Threatening or intimidating emails, phone calls and texts are techniques social engineers will use to scare you into acting on their demands for personal information or money.
- Suspicious emails or texts that include urgent requests for personal information are a major red flag that someone is trying to trick you.
- Too-good-to-be-true offers or unusual requirements. If an online contact offers you free access to an app, game or program in exchange for login credentials, beware. Similarly, free offers online can often contain malicious code or malware.
In line with Cyber Security Awareness Month, the CBA has developed helpful toolkits for consumers and businesses to protect themselves from the most common cyber threats and to optimize their cyber hygiene.
Visit these links to access CBA Cyber Security Toolkits and other resources.