
Defending Against Deception: Your Guide to Social Engineering and Phishing


Safeguarding your organisation requires a strong defence against common online scams like social engineering and phishing. These threats, which often lead to data breaches, specifically target a club's trusting network of volunteers. By learning to identify key phishing red flags and implementing practical cybersecurity tips, you can significantly enhance your overall data protection strategy, ensuring the security of your members and your association.

Did you know that in 2008, the US Department of Defense was infected by malware that spread to over 300,000 computers and took the Pentagon 14 months to remove fully?

How did the dastardly hackers achieve this, you might be asking. Did they put on their shadiest hoodie, turn their spooky lighting on, and hunch down over their laptop typing furiously, before victoriously declaring, "I'm in"?

(Image: hackers setting)

Nope. They simply left some malware-laden USB drives lying around near a US military base. All it took was for one curious person to pick up a drive, wonder what was on it, and plug it into a computer on base.

My point is, I think a lot of people fundamentally misunderstand what typical cyberattacks, hacks, and data breaches actually look like. It rarely involves someone furiously typing away, hacking through a firewall or something. It's far more often about clicking the wrong link, entering your details into a seemingly legitimate form, talking to someone online you think you can trust, or simply plugging in a curious-looking USB.

So today, let’s take a look at some common security risks and scams, and how your club can effectively avoid them.

What Is Social Engineering?

Social engineering is the umbrella term for the psychological manipulation of people into performing actions or divulging confidential information, typically for financial gain. Unlike technical hacking, social engineering involves a scammer directly contacting a potential victim and using lies, tricks, and psychological tactics to convince them to hand over money or personal details. The classic "Nigerian Prince" scam is a famous example.

Social engineering is a leading cause of data breaches globally, and it's particularly insidious for clubs and associations. This is because they often rely on a network of trusting, passionate volunteers who may not have extensive security training, making them a prime target for scammers who know how to exploit trust.

Scammers are after two key things with these attempted scams. The first, and most obvious, is money. They either want to trick you into sending money directly to them or get your bank and card details so they can steal money from your accounts.

The second is your personal information and data, including your name, email address, phone number, and street address. They want this information for a few different reasons:

  • To make stealing money from you easier: They can use your information to bypass security questions or reset passwords.
  • For identity theft: They might use your details to open new accounts or take out loans in your name.
  • To sell to other criminals: Your information can be very valuable to other scammers on the black market who will use it for fraudulent purposes.

Understanding the different tactics scammers use is the first step in defending against them. So, with that in mind, let’s talk about some of the most common types of online social engineering that you may face. 

Phishing

Phishing is the most common type of social engineering attack, using digital communication to impersonate a trustworthy entity. Attackers will use fraudulent emails, text messages (smishing), or phone calls (vishing) to trick victims into revealing sensitive information. A common phishing tactic is a text message claiming you have unpaid road tolls or a text from “Australia Post” claiming that there is an issue with your delivery and you need to supply them with details so they can fix it. 

Baiting

This tactic uses the promise of a reward or a service to lure a victim. The attacker may offer something for "free", like a movie download or some free software, but in reality, it's a way to install malware or steal credentials. 

Pretexting

This involves creating a fabricated but believable pretext to gain trust. A scammer might call and pretend to be from your bank's fraud department, claiming there's a problem with your account, and then use that story to get you to reveal personal details. The idea is that if the call, email or text appears to come from an institution you already trust, you're more likely to believe its requests.

Pig Butchering Scams

This delightfully named scam is particularly complex and long-term, and it's a cruel one. The term "pig butchering" comes from the idea that the scammer "fattens up" the victim (the pig) before "butchering" them (taking their money).

The scammer usually contacts their victim online, often through dating apps or social media, and builds a deep, long-term emotional connection. Once they have gained trust, they introduce a fake investment opportunity, usually cryptocurrency, or reveal a fake personal financial crisis. They will often convince the victim to send a small amount of money at first, and for investment scams, they might even show a small "return" to build confidence. They will then convince the victim to send more and more money, sometimes all of their life savings. 

There's a lot to say on the subject of pig butchering, and not nearly enough time. These scams can run for months and months, with scammers dedicating long stretches of time to a single victim. My point is that this isn't someone texting you and asking for money within a day; it can take months, and they can seem very real and genuine.

Here is a news article from the ABC about a 26-year-old Australian woman who lost her life savings to one of these scams. I'm sharing it to illustrate the point that these are involved, convincing scams that anyone can fall for if they are not wary. 

Imposter Scams

Another very common type of online scam is where a scammer impersonates a friend or family member to try to swindle money from their victim. A simple text message can look like this:

"Hi Mum, my phone's died and I'm using a friend's. My card just declined at the shops, can you please send $500 to this account (account details here)? I'll pay you back as soon as my phone is charged. Sorry, just stuck at the checkout. Talk soon, love you."

A text like this is effective because it creates a strong sense of urgency. It's designed to make the recipient act first and ask questions later, as they believe their family member is stuck and needs immediate help.

These scams can also be very detailed. Scammers often stalk people's social media accounts to learn more about them, downloading photos and getting a better understanding of their movements. They then use this information to set up a fake social media profile and reach out to you. They might even know your relative is on holiday and include a specific detail about their hotel or trip, which makes their request for money seem all the more believable.

AI is becoming more sophisticated, and it is now possible to use AI to create and then leave high-quality, natural-sounding voice messages on your phone, which sound just like a friend or family member. This type of scam is often referred to as “Vishing”, a portmanteau of voice and phishing. 

The AI may be able to take examples of people’s voices from YouTube, social media, and other sources to recreate the voice and then leave scam messages. So, be cautious around voice messages, particularly if the person who is allegedly leaving them is someone who is actively on social media or has their voice and face online regularly. This isn't science fiction; there are already several social media influencers who have found that AI is creating convincing videos of them with what sounds like their voice being used to promote brands and products they've never heard of. The technology is very much there, and scams like this are only going to become more common. 

Okay, so that’s all quite worrying and dark, so before we start talking about how to spot these scams, here’s a picture from the 2024 Nikon Comedy Wildlife Awards to lighten the mood a bit. 

(Image: 2024 Nikon Comedy Wildlife Awards)

The caption the photographer gave this photo was “Alright Mate Back off- this is my bird”. 

Red Flags: Spotting Potential Scams 

Now that we’ve talked about some common types of scams, let's go over some practical tips to make spotting them a little easier.

  1. Always use a secondary source. If your bank texts you asking you to sort something out, don’t click the link they sent. Go to their website directly and do it there. Scammers are trying to funnel you to their site or payment portal, but by independently looking up the company's site, you move yourself out of their control.
  2. Watch out for urgency. Scammers often create a sense of panic to get you to act without thinking. They might say your account will be locked, your card has just been charged for a new phone, or that a limited-time offer is about to expire. A real company will not pressure you to act immediately.
  3. Check for strange requests. Be very cautious if an email or message asks for your passwords, bank details, or other personal information. Your bank or a legitimate company will almost never ask for this information directly.
  4. Hover over links before you click. If a message has a link, a quick trick is to move your mouse cursor over it without clicking. A small box will appear showing you the real web address. If the address looks suspicious or doesn't match the company's name, don't click it.
  5. Look for bad grammar and spelling. Scams are often sent from other countries, and the message may contain unusual phrasing, typos, or grammatical errors. A real company will almost always have professional, well-written messages.
  6. Be suspicious of "too good to be true" offers. If an email or message promises you a large reward, a huge discount, or an unbelievable prize, it's probably a scam.
  7. Verify the sender's details. Scammers can easily fake the sender's name. For an email, always check the actual email address it came from. For a text or call, be wary of unusual numbers. If you’re unsure about any contact, Google the company's number and call them to ask if it’s legitimate.

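As an added example that is not part of the original post, here is a small Python checker that applies tips 4 and 7 above (and tip 2's urgency check) to an email automatically, the way a club mailbox filter or a cautious volunteer might. It compares the site a link's visible text claims against the real target behind it, compares the sender's display name against the domain of the actual address, and looks for panic-inducing phrases. The sender, domains and message below are constructed for the example (all under the reserved .example domain), and the "same site" rule is a deliberately simple heuristic, not a standard.

```python
# Added example (not from the original post): a red-flag checker for a single
# email, applying tips 2, 4 and 7. All sample data is constructed.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that mirror tip 2 ("act now or your account is locked").
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be locked",
                   "on hold", "act now")

# Visible link text that itself looks like a web address, e.g. "www.auspost.com.au".
_DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def same_site(shown_host, real_host):
    """Heuristic (an assumption of this example): the real host must equal the
    claimed host or sit beneath it, so auspost.com.au.evil.example does NOT count."""
    shown, real = _strip_www(shown_host), _strip_www(real_host)
    return bool(shown) and (real == shown or real.endswith("." + shown))


def check_links(html):
    """Tip 4: the visible text names one site, the real href goes somewhere else."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        match = _DOMAINISH.match(text)
        if not match or not real_host:
            continue  # plain words like "contact us" claim no site
        if not same_site(match.group(1), real_host):
            findings.append(f"link text '{text}' but real target is {real_host}")
    return findings


def check_sender(from_header, expected_domain):
    """Tip 7: the display name is easy to fake; judge by the address's domain."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not same_site(expected_domain, addr_domain):
        return [f"sender shows '{name}' but address domain is {addr_domain or '(none)'}"]
    return []


def check_urgency(text):
    """Tip 2: pressure to act right now is a red flag in itself."""
    lowered = text.lower()
    return [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in lowered]


def scan_email(from_header, expected_domain, html):
    """Combined report for one message; an empty list means no red flags found."""
    return check_sender(from_header, expected_domain) + check_links(html) + check_urgency(html)


# Constructed sample: a fake "Australia Post" delivery message.
SAMPLE_FROM = '"Australia Post" <delivery-update@aus-post-parcel.example>'
SAMPLE_HTML = ('<p>Your parcel is on hold. Visit '
               '<a href="http://auspost.com.au.track-parcel.example/redeliver">www.auspost.com.au</a>'
               ' to fix it, or <a href="https://auspost.com.au/help">contact us</a>.</p>')

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_FROM, "auspost.com.au", SAMPLE_HTML):
        print("RED FLAG:", finding)
```

Running it on the constructed sample reports three red flags: the display name says Australia Post while the address is on an unrelated domain, the link whose text reads www.auspost.com.au really points at a subdomain of track-parcel.example, and the "on hold" pressure phrase. A genuine link such as https://track.auspost.com.au/... labelled auspost.com.au passes, because the real host sits beneath the claimed one.
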
Here's a good example of all these tips in action. The other day, I got a phone call from a charity I have donated to in the past, and they were calling to ask me if I would donate again. I was more than happy to; it’s a good cause, I trust the organisation, and I was willing to donate then and there.

However, out of an abundance of caution, I told the man who called me that I would donate, but I would just jump on their website to do so, as that was easier for me. I did this because if the call were legitimate, the charity would have no issue with it; a donation is a donation, and it doesn't matter how they get it. If the call weren't legitimate, however, this would be a problem for them, as I wouldn't be paying over the phone or clicking any link they sent me. I was going to search for their website independently and make a donation, which would have taken me out of their control and ensured that the money would go directly to the charity's account, not theirs.

When the caller started trying to convince me that the website wasn't very good and that it would be "so much easier" to just donate over the phone, I knew it was likely a scam, so I hung up and blocked the number. I'll be honest, I'm only 95% sure that this call was a scam, so I didn't cuss him out for impersonating a refugee charity. But it doesn’t matter, because I still donated; I just did it separately via their website. The charity got my money, my details stayed secure, and in the likely event that it was a scam, the scammers got nothing.

Before we close out, let me leave you with another great photo from the Nikon Comedy Wildlife Awards. 
(Image: Nikon Comedy Wildlife Awards)

Other Online Security Tips

Hopefully, you know a bit more about online scams now and some of the varied forms scams can take. I hope it was a reasonably interesting read; it’s a dense topic, but we got through it together. 

For some tips on what you can be doing to keep yourself and your members safe online, check out 6 Security Tips To Keep Your Membership Organisation Safe

For information on what Member Jungle is doing to help keep you safe, have a look at How does Member Jungle protect your data?
