Does this sound familiar?
“Hi, this is John Smith from [your Board/Association] help desk. I need to make sure your computer is set up so that some changes we’ll be making here don’t cause you a problem in accessing the Board’s MLS® System. First, please confirm your Board MLS® System username or public ID.”
After being told the public ID, John tells the member their address, phone number, and email address and has them confirm it. Then John says, “Are you near your computer and online? Great! Now, I want you to log into the Board’s MLS® System and change your password – but don’t tell me what it is – for security reasons you should never tell anyone what it is.” Finally, John helps the person download a patch to make sure the Board’s new MLS® System report designer will work when it is upgraded next month.
What just happened? The member just had their computer and all online accounts breached – including access to the Board’s MLS® System, banking, and whatever other accounts they may have accessed from that computer. He or she was a victim of what hackers call “social engineering” or “phishing”: breaching security by manipulating the person instead of the computer.
The hacker’s aim was to build trust, then betray it. Let’s break it down:
- First, he went to the Board’s website, where he found the name of a support staff employee. He assumed that name when he called the member. Using that identity, he appealed to the member’s fear to obtain information and make changes to his or her computer.
- The hacker then told the member to change his password, but not to tell him the new password for security reasons, seemingly showing care for the victim’s security. Then he had them download a file from a website that took over the victim’s computer and logged everything the victim typed – including any computer and online account logins – for the hacker to retrieve later and analyze.
- Finally, the crowning achievement: getting the member to install malicious software.
Remember, caller ID can easily be faked and emails can be “spoofed” with forged sender addresses. So how would you validate that a request is legitimate? Calling the main Board number or sending an email to someone else you know in the organization would be reasonable steps. The hacker may try to make the situation seem urgent, but do your best to validate that a request is legitimate when you encounter suspicious behavior.
“Phishing” is a form of social engineering that involves electronic communications – traditionally email, but now social media as well. For example: “People are saying terrible things about you! Check out this link!” or “Take a look at this crazy picture I just posted to Facebook!” In any of these cases, you could easily find yourself on a site that installs a virus on your computer, or one designed to look like your bank’s site that gathers your banking information.
When you get an email, tweet or a phone call, take a second or two to think to yourself, “Do I know this person? Is there anything suspicious about what’s being asked of me?” It’s not paranoia; it’s awareness.
Don’t become a victim of “social engineering” or “phishing.” Security awareness can help prevent the theft of your private and sensitive information. More details about protecting yourself against hackers are available on REALTOR Link®.
This is the third in a series of short articles here on CREA Café intended to help make the subject of information security more accessible – and understandable. We hope you’ll help raise information security awareness by sharing the articles within your office and through your own online community, as well. For more information on information security best practices for REALTORS®, Brokers, and Boards and Associations, please visit REALTOR Link®.
The article above is for information purposes and is not legal advice or a substitute for legal counsel.