Risk
Technology

Cybercrime and Punishment

A primer on phishing, spam relays and other social-engineering techniques designed to trick you, steal your money and compromise your data.
By Catherine Wendt
August 4, 2022

In its “2021 Internet Crime Report” released this past March, the FBI identifies phishing as the top cybercrime facing the United States, with nearly 325,000 incidents reported last year—up from 241,000 in 2020 and 115,000 in 2019. That’s a concern for every construction business looking to safeguard its records and information, because 90% of incidents that end up as a data breach start with phishing.

So, what is phishing? It’s a technique in which hackers put out some bait—something they think you’ll nibble at, so they can engage you—to get specific data, or pieces of information that by themselves seem innocent enough. When combined with other data they’ve found, bought or stolen, this gives them all the pieces they need to impersonate you and/or gain access to your network, email or shared files.

Spams and Scams

Phishing is one example of social engineering, which often involves tricking you into thinking you’re communicating with a trusted source, such as someone you know or work with. The unseen hacker presents themselves in reasonable communications, using scare tactics such as your password expiring, or claiming to be helping you because they noticed a problem with your computer. In each case, they’re trying to trick you.

Spam relays are another popular, insidious tool used by cybercriminals. The hackers find a server or network of servers and gain access. They use all these servers to send out bogus email messages and other bait, so it comes from multiple sources that regularly change. There’s no way to block a specific sender or location, because the hackers are using many computers and, often, the offending sources don’t even know they’re part of the problem. They could use 100 servers from 100 different companies to send thousands of phishing emails.

All these schemes exploit our familiarity with and reliance on online communication. You’re in a rush and don’t notice that the company name is misspelled or the email address has a typo. You don’t know if you’re expecting a fax or a package and you’re curious about the notification you received. You struggle to remember your password, and the thought of it expiring makes you panic. Your office manager is tickled that you’ve trusted them to order surprise gift cards for the rest of the staff and eagerly shares your credit-card information. You didn’t know you had a new vendor, but you assume they’re legitimate and click the link to their invoice. You receive an email from Microsoft to confirm your password, so you type it in readily. Of course, these are all scams.
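A mail filter can check two of the cues above automatically: a sender domain that is a near-miss of one you trust, and a display name that claims a brand the address does not belong to. The sketch below is an added example, not part of the original article; the trusted-domain list, the function names and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains this company really deals with, mapped to the brand name
# a sender would show in the display name (constructed list).
TRUSTED = {"microsoft.com": "microsoft", "acme-builders.example": "acme builders"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance where swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_sender(from_header: str) -> str:
    """Classify a From: header as trusted, lookalike, brand mismatch or unknown."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "invalid"
    if domain in TRUSTED or any(domain.endswith("." + g) for g in TRUSTED):
        return "trusted"
    for good in TRUSTED:
        # One or two edits away from a known domain: the "typo" a rushed reader misses.
        if edit_distance(domain, good) <= 2:
            return f"lookalike of {good}"
    for good, brand in TRUSTED.items():
        # The name looks familiar but the address belongs to someone else.
        if brand in display.lower():
            return f"display name claims {good}"
    return "unknown"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Pat <pat@acme-builders.example>",
    "Microsoft Support <help@micros0ft.com>",
    "Acme Builders <billing@acme-buliders.example>",
    "Microsoft Account Team <security@account-verify.example>",
    "Newsletter <news@supplier.example>",
]

def triage(headers):
    return [(h, check_sender(h)) for h in headers]
```

A "lookalike" or "display name claims" verdict is a reason to quarantine the message or tag it for the reader, not proof of fraud; "unknown" only means the sender is not on the list.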

Just a Reminder

When kids are little, we repeatedly remind them to look both ways before crossing the street, not to talk to strangers and to say “please” and “thank you.” We take these common-sense precautions and courtesies seriously. But, with increasing numbers of remote workers—many of them relying on email as their primary form of communication—how often do you remind yourself and your team to beware of phishing schemes and other cyberthreats? As the 18th-century English writer Samuel Johnson said: “People need to be reminded more often than they need to be instructed.”

Here are five of the most common phishing attacks, as recently listed in an article in MSP Success magazine. These might be worth pinning up in the break room, reading in the monthly all-staff meeting and including in all new-hire documentation:

  1. Notifications that you’ve received a voicemail or fax.
  2. Fake tech-support emails alleging malware on your computer and requesting remote access to install software to fix the issue.
  3. Business emails with a fraudulent invoice embedded with malware.
  4. Phony emails from HR asking new employees to change their direct-deposit information.
  5. Spoofing and social-engineering attacks designed to trick employees into revealing confidential information.

Now what? Your IT provider can add filters, block senders and use tools to limit exposure—but you and your staff still play an important role. Even with great locks and alarms, you still have to lock the door. In other words, if you have any doubt at all about an email or other communication, assume it’s a scam. Take the “zero-trust” position and wear out your delete key.
