Social engineering scams can come through any communications channel (e.g., email, web, social media, SMS, or phone call).
They can even come in the mail, as the Nextdoor warning below shares.
Source: Nextdoor
They can even come in person and on the television.
The Nextdoor website warning reminds readers that social engineering scams can arrive by any communication method. In this case, someone is receiving a fake “refund” check supposedly from American Express. Although unstated, I am sure the “Chase Bank” letter strongly states the person should deposit the refund check into their bank account and then send some portion of it to someone else for some made-up reason (e.g., taxes). For example, the refund check totals $10,000, and they are instructed to send $1,500 for taxes.
Most people do not know that their bank will readily accept realistic-looking fake checks (that anyone can easily create) and give them the money or transfer it to some other account. But within a few days, the bank will finally verify that the check is fake and the depositor will be on the hook for the full amount of the check. It is sad that in today’s electronic world, a check cannot be verified in seconds before it is deposited into someone's account and their account balance is updated.
Fake check scams have been going on for as long as we have had checks. Frank Abagnale, of “Catch Me If You Can” fame, was forging checks in 1965, and he did not invent the crime. Early “Nigerian scams” were first spotted in the late 1800s. The Internet just made all scams a lot easier to perform and scale.
Most of us are often warned to be on the lookout for email phishing scams. A smaller subset is warned about social engineering scams via SMS messages, the web, social media, and other digital channels. An even smaller subset is warned about social engineering scams via phone calls, even though they are quite common. The FCC and CISA warn about all those types of scams all the time.
However, few people receive training on how to recognize social engineering scams in person or especially via paper “snail” mail. But social engineering scams come in hundreds of different varieties across every possible communication channel.
The key is to learn how to recognize, mitigate, and report scams, no matter how they arrive. At KnowBe4, we want people to be extra skeptical of any message, no matter how it arrives, if it has these two traits: It is unexpected and it is asking you to do something you have never done before (at least for that purported requestor). We graphically represent these two common traits of social engineering scams below:
Legitimate messages typically have these traits. My boss often asks me to do things I have never done before and came through expectedly. But if you get a message, even from your boss, with these two traits, it cannot hurt to verify using a trusted method (e.g., call the person on a known good phone number) before performing the request, because any message with these two traits is at higher risk of being malicious. So, when in doubt, “chicken out” and verify before performing.
If you teach yourself (and your co-workers, family, and friends) to be extra skeptical of any message with these two traits, you will go a long way in reducing the risk that you (and they) will fall victim to a social engineering scam, no matter how it arrives.