Social Engineering Scams Can Come in the Mail, Too

Social engineering scams can come through any communications channel (e.g., email, web, social media, SMS, or phone call).

They can even come in the mail as the Nextdoor warning below shares.


Source: Nextdoor

They can even come in person and on the television. 

The Nextdoor website warning reminds readers that social engineering scams can arrive through any communication method. In this case, someone is receiving a fake “refund” check supposedly from American Express. Although unstated, I am sure the “Chase Bank” letter strongly states the person should deposit the refund check into their bank account and then send some portion of it to someone else for some made-up reason (e.g., taxes). For example, the refund check totals $10,000, and they are instructed to send $1,500 for taxes.

Most people do not know that their bank will readily accept realistic-looking fake checks (that anyone can easily create) and give them the money or transfer it to some other account. But within a few days, the bank will finally verify that the check is fake and the depositor will be on the hook for the full amount of the check. It is sad that in today’s electronic world, a check cannot be verified in seconds before it is deposited into someone's account and their account balance is updated. 

Fake check scams have been going on for as long as we have had checks. The famous “Catch Me If You Can” Frank Abagnale was forging checks in 1965 and he did not invent the crime. Early “Nigerian scams” were first spotted in the late 1800s. The Internet just made all scams a lot easier to perform and scale. 

Most of us are often warned to be on the lookout for email phishing scams. A smaller subset is warned about social engineering scams via SMS messages, the web, social media, and other digital channels. An even smaller subset is warned about social engineering scams via phone calls, even though they are quite common. The FCC and CISA warn about all those types of scams all the time.

However, few people receive training on how to recognize social engineering scams in person or especially via paper “snail” mail. But social engineering scams come in hundreds of different varieties across every possible communication channel. 

The key is to learn how to recognize, mitigate, and report scams, no matter how they arrive. At KnowBe4, we want people to be extra skeptical of any message, no matter how it arrives, if it has these two traits: It is unexpected and it is asking you to do something you have never done before (at least for that purported requestor). We graphically represent these two common traits of social engineering scams below:


Legitimate messages typically have these traits. My boss often asks me to do things I have never done before, and those requests come through expectedly. But if you get a message, even from your boss, with these two traits, it cannot hurt to verify using a trusted method (e.g., call the person on a known good phone number) before performing the request, because any message with these two traits is at higher risk for being malicious. So, when in doubt, “chicken out”, and verify before performing.

If you teach yourself (and your co-workers, family, and friends) to be extra skeptical of any message with these two traits, you will go a long way in reducing the risk that you (and they) will fall victim to a social engineering scam, no matter how it arrives.
