Convincing AI-generated photographs, deepfake technology, and human-like chatbots make it hard to know what’s real. Even when you’re dealing with a real person, it might not be the person you think it is. Cybercriminals are everywhere, and they’re going after both individuals and businesses. To stay safe online, you need to know how to spot a bad actor.
Anyone Can Be Duped
Not all cyber ploys are as obvious as the foreign lottery and Nigerian prince scams. You might not fall for a phishing email with bad grammar and sent from an obviously phony email address, but don’t assume you couldn’t be fooled – some schemes are convincing. It only takes a moment of letting your guard down to fall for one.
Imagine you’re the CFO of a company and you receive a request for a wire transfer from a vendor. Since it’s a standard request and the email address checks out, you authorize it. Later, you find out the vendor’s email was hacked and the request came from a scammer. The money you wired is gone.
Now imagine you’re an HR professional and an employee sends a request to have his paycheck sent to a new back account. Since you have all the paperwork you need, you make the change. A week later, the employee is wondering where his paycheck is. He never requested a change – it was a hacker.
Phishing, spear phishing, and business email compromise schemes are everywhere. If you click the wrong link or provide information (or funds) to the wrong person, you could give cybercriminals everything they need to infect your computer system, drain your bank accounts, or steal your data.
How Much Do You Really Know?
The FTC has a phishing quiz for small businesses. It’s a safe way to test how much you really know and only takes a minute or so to complete.
Even if you perform well, though, keep in mind that cybercriminals are always changing their tactics. For example, Wired warns that hackers can use ChatGPT to run numerous scams in multiple languages. These AI-generated messages may be more convincing than previous attempts.
Learn the Red Flags
Some schemes are more convincing than others, but there are some red flags that will help you spot many common scams.
- Be wary of urgent requests. Scammers often create a sense of urgency to trick you into acting without thinking. They may say they need funds today or that there’s a mistake you need to correct now. They may plead or threaten. Don’t fall for it – urgency is often the sign of a scam.
- Second-guess unusual or unexpected requests. It’s possible for vendors to change their bank account information, but it’s not normal. Requests like this may seem plausible, but you should treat them with suspicion.
- Check all email addresses and URLs. Scammers often pose as legitimate contacts or companies and may have the names, logos, and other public information they need to make the message convincing. However, they often use email addresses and URLs that are slightly off. It could just be a difference of one letter. Having said that, bear in mind the correct email address or URL does NOT guarantee the message is safe. Cybercriminals can spoof email addresses, URLs, and phone numbers.
- Pay attention to the details. Does a supervisor who normally calls you by your first name, suddenly address you by your last name? Is a client who normally uses perfect grammar suddenly send you messages filled with typos? You could be dealing with an imposter. Nonetheless, even if the messages sound right, they could be fakes. For example, a hacker who has access to the person’s email may be able to copy the person’s style. Cybercriminals may also use tools like ChatGPT to write grammatically-correct and professional-sounding messages.
- Don’t automatically trust voice recordings and videos. Scammers are now using AI to clone voices and create deepfake videos from clips they find online. If you receive a request via audio or video, take time to verify its authenticity before responding.
Sometimes, you may be unable to spot a bad actor. If you have any suspicions at all, verify the request for information. Even if you DON’T suspect that anything is amiss, verifying requests for sensitive information or funds is a smart policy. For example, if a vendor gives you a new bank account number for payment, call to verify the information over the phone.
If it’s a scam, the scammer may control the account or phone number. Don’t click links, reply, or use the contact information provided in a message. Instead, use your own contact information, type the URL you know is correct, or use another method to contact the other party to verify the information.
In addition to learning how to spot a bad actor, you can take steps to protect your systems, such as using multifactor authentication, securing your network, and keeping your software up to date. The U.S. Small Business Administration has more tips for strengthening your cybersecurity.
If a cyberattack occurs despite your best efforts, cyber insurance can provide financial protection and support your recovery. Learn more.