Skip to main content
SANS Security Awareness

Utility nav

  • GDPR
  • Support
  • SANS.org
  • Contact
  • Request Demo

Main navigation

  • Products
    • Products Overview Column
      • Products

        Build and mature your security awareness program with comprehensive training for everyone in your organization.

        View Products
    • Security Training Solutions
      • EndUser Training

        Security Awareness training designed by experts.

      • Phishing Tools

        Tiered-template phishing simulation tool designed for all learners.

    • Products - Training Span
      • ICS Training

        Train all learners involved with Industrial Control Systems. 

      • NERC CIP Training

        Relevant Critical Infrastructure Protection training meeting compliance. 

      • Developer Training

        Protect web applications with secure coding practices. 

      • Healthcare Training

        Train learners following HITECH and HIPAA standards. 

    • Events
      • Courses & Summits

        Gain key insights and practical information in security awareness program building from experts in the field with our Summits and training courses. 

      • Summit Recap

        Review top talks from the 2019 SANS Security Awareness Summit in San Diego.

  • Why SANS
  • About
    • About Overview Column
      • About

        SANS has been around as long as the Internet. Learn about our history, experts and events around the world.

        Read About SANS Awareness
    • About Column 1
      • Our Experts

        World-class experts covering every aspect of security awareness and defense.

    • About Column 2
      • History

        Read about the SANS Security Awareness legacy.  

    • About Column 3
      • News

        Check out what’s going on with SANS Security Awareness in the news.

  • Reports
  • SSAP Credential
  • Blog
  • Resources
    • Resources Overview Column
      • Resources

        Looking to build and mature your security awareness program? These resources will enable you with the topics and techniques to improve your learner’s awareness in security.

    • Resources Column 1
      • Blog

        Read from subject matter experts and guest authors about the latest going on in security awareness.

      • Events & Webcasts

        Gain key insights and practical information in security awareness program building from experts in the field with our Events & Webcasts. 

    • Resources Column 2
      • Posters

        Developed by the community for the community. Download and share these awareness posters with your organization.

    • Resources Column 3
      • OUCH! Newsletter

        The world leading security awareness newsletter. Offered in multiple languages, created by a community of experts.

Mobile Menu

February 2019 • The Monthly Security Awareness Newsletter for Everyone

Personalized Scams

Overview

Computer with envelope and exclamation point

Cyber criminals continue to come up with new and creative ways to fool people. A new type of scam is gaining popularity— personalized scams. Cyber criminals find or purchase information about millions of people, then use that information to personalize their attacks. Below we show you how these scams work and walk you through a common example. The more you know about these scams, the easier it is for you to spot and stop them.

How Does it Work?

Email or phone call scams are not new, cyber criminals have been attempting to fool people for years. Examples include the “You Won the Lottery” or the infamous Nigerian Prince scams. However, in these traditional scams cyber criminals do not know whom they are targeting. They simply create a generic message and send it out to millions of people. Because these scams are so generic, they are usually easy to spot. A personalized scam is different; the cyber criminals do research first and create a customized message for each intended victim. They do this by finding or purchasing a database of people’s names, passwords, phone numbers, or other details. This type of information is easily available due to all the websites that have been hacked. It is also commonly available on social media sites and in publicly available government records. The criminals then target everyone they have information on.

One common trick cyber criminals use is fear or extortion to force you into paying them money. The attack works like this. They find or purchase information on people’s logins and passwords obtained from hacked websites. They find your account information included in such a database and send you (and everyone else in the database) an email with some personal details about you, including the original password you used on the hacked website. The criminal refers to your password as “proof” of having hacked your own computer or device, which is of course not true. The criminal then claims that while they hacked your computer they also caught you viewing pornography online. The email then threatens that if you do not pay their extortion fee, they will share with your family and friends evidence of embarrassing online activities.

The catch is, in almost every situation like this the cyber criminal never hacked your system. They don’t even know who you are or which websites you’ve visited. The scammer is simply attempting to use the few personal details they have about you to scare you into believing they hacked your computer or device, and to trick you into paying them money. Remember, bad guys can use the same techniques for a phone call scam also.

What Should I Do?

Recognize that emails or phone calls like these are a scam. It’s natural to feel scared when someone has personal information about you. However, remember the sender is lying. The attack is a part of an automated mass-scale campaign, not an attempt to directly target you. It is becoming much easier for cyber criminals today to find or purchase personal information, so expect more personalized scams like these in the future. Some clues to look for:

  • Whenever you receive a highly urgent email, message, or phone call be very suspicious. If someone is using emotions like fear or urgency, they are trying to rush you into making a mistake.

  • When someone is demanding payment in Bitcoin, gift cards, or other untraceable methods.

  • When you get a suspicious email, search on Google to see if other people have reported similar attacks.

Ultimately, common sense is your best defense. However, we also recommend you always use a unique, long password for each of your online accounts. Can’t remember all your passwords? Use a password manager. In addition, enable two-step verification whenever possible.

Subscribe to OUCH! and receive the latest security tips in your email every month - www.sans.org/security-awareness/ouch-newsletter.

Resources

Social Engineering
Stop That Phish
Search Yourself Online
Password Manager

OUCH! is published by SANS Security Awareness and is distributed under the Creative Commons BY-NC-ND 4.0 license. You are free to share or distribute this newsletter as long as you do not sell or modify it. Editorial Board: Walt Scrivens, Phil Hoffman, Alan Waggoner, Cheryl Conley.

English
201902-OUCH-February-English.pdf
Arabic
201902-OUCH-February-Arabic.pdf
Bahasa Indonesia
201902-OUCH-February-Bahasa.pdf
Bulgarian
201902-OUCH-February-Bulgarian.pdf
Chinese, Simplified
201902-OUCH-February-ChineseSimplified.pdf
Chinese, Traditional (Taiwanese)
201902-OUCH-February-Chinese,Traditional(Taiwanese).pdf
Chinese, Traditional
201902-OUCH-February-ChineseTraditional.pdf
Danish
201902-OUCH-February-Danish.pdf
Dutch
201902-OUCH-February-Dutch.pdf
Farsi
201902-OUCH-February-Farsi.pdf
French
201902-OUCH-February-French.pdf
German
201902-OUCH-February-German.pdf
Hebrew
201902-OUCH-February-Hebrew.pdf
Hungarian
201902-OUCH-February-Hungarian.pdf
Italian
201902-OUCH-February-Italian.pdf
Japanese
201902-OUCH-February-Japanese.pdf
Korean
201902-OUCH-February-Korean.pdf
Latvian
201902-OUCH-February-Latvian.pdf
Lithuanian
201902-OUCH-February-Lithuanian.pdf
Malaysian
201902-OUCH-February-Malaysian.pdf
Norwegian
201902-OUCH-February-Norwegian.pdf
Polish
201902-OUCH-February-Polish-FINAL.pdf
Portuguese
201902-OUCH-February-Portuguese.pdf
Romanian
201902-OUCH-February-Romanian.pdf
Russian
201902-OUCH-February-Russian.pdf
Serbian
201902-OUCH-February-Serbian.pdf
Spanish
201902-OUCH-February-Spanish.pdf
Swedish
201902-OUCH-February-Swedish.pdf
Turkish
201902-OUCH-February-Turkish.pdf
Urdu
201902-OUCH-February-Urdu.pdf
Guest Editor
Thumbnail

Lenny Zeltser

Senior Instructor at SANS
Lenny Zeltser is an information security and malware analysis expert. He currently serves on SANS Board of Technology Directors and is Chief Information Security Officer (CISO) at Axonius. He teaches courses through SANS primarily on Malware, has co-authored four books on network security, malware &
Twitter
@lennyzeltser

Subscribe to OUCH!, our Monthly Security Awareness Newsletter

Get monthly content to keep you up to date on the latest Security Awareness News and Tips.

The SANS Institute provides training related to cybersecurity and the safe use of technology within your organization. To provide this training, the SANS Institute captures and processes personal data and as such has been identified as a “controller” of your information.

The information provided to SANS Institute for training purposes may include name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region. The SANS Institute may also collect data about devices and software used to access the training and training systems; this data includes browser version, operating system version, IP addresses, access times, connection duration, and other browser analytics. As training is delivered, the SANS Institute processes and stores data associated with training assignments, completion, and scores on any learning activity that is delivered. SANS may also utilize third party processors to provide these services.

If your information is provided by your employer, this information is used as part of the initial or ongoing training cycle. The purpose for collecting this data is to allow the SANS Institute and your employer to assign, deliver, record and report on your cybersecurity training. Your information and training records will be shared only with you and your employer.

At any time you have the right to receive a copy of the personal data you have provided to us in an electronically readable format.

A data protection regime is in place to oversee the effective and secure transmission, processing, storage, and eventual disposal of your personal data, and data related to your training. The SANS Institute will retain your data until you request that it be removed, after which it will be securely disposed of. The SANS Institute will never sell your personally identifiable data and will only share your personally identifiable data with SANS cyber security solutions partners when you provide agreement to do so.

When you consent to us using your information for the purposes of sending you information on SANS products or services you are providing us with your consent to send you materials detailing our products and services that we consider will be of interest to you, based on your use of the educational material that we provide as resources. We profile you this way to make the materials more relevant to you. We will only send you information on products from within the SANS services portfolio.

If, at any point, you believe your personal information to be incorrect, you may request to see a copy of your data, ask to have the errant data corrected, or ask that it be securely disposed of. If your information is provided by your employer, the SANS Institute will work directly with your employer to promptly address the matter. If you wish to raise a complaint or concern, or have questions relating to GDPR, please contact the Data Protection Officer via gdprprivacy@sans.org.

SANS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the EU Data Protection Authorities (DPAs), or where applicable instead, to the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following web site for more information and to file a complaint with the EU DPAs: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm

You may, at any time, withdraw your consent; to do so, please contact gdprprivacy@sans.org.

The SANS Institute is a U.S. company founded in 1989 that specializes in information security and cybersecurity training. All information provided to SANS Institute will be transferred to and processed in the United States. The SANS Institute is committed to comply with the Privacy Shield Framework which has been found adequate by the European Commission to enable international data transfer under EU law. For more information, please see www.sans.org or contact gdprprivacy@sans.org.

SANS Security Awareness

301-654-SANS (7267)
Monday-Friday, 9am-8pm EST/EDT

Social

  • Facebook
  • Twitter
  • Linked In

Footer

  • Products
  • Why SANS
  • About
  • Reports
  • Resources

Footer utility

  • Support
  • SANS.org
  • Contact
  • VLE Help

Stay up-to-date on the latest security awareness news and tips. 

Subscribe to our monthly newsletter, OUCH!

Subscribe Now

Copyright Nav

  • ©2018 SANS™ Institute
  • Privacy Policy
  • Trademark Usage Policy
  • Credits