SECURE IT
Navigating the Phishy Social Engineering Ocean
Whether we like it or not, we all have a digital footprint. Information about both our professional and personal lives are exposed, floating around the vast cyber ocean. Even if you prefer snail mail, telephone conversations, and writing checks, we’re all at risk for falling victim to social engineering attacks.
The piranhas in the ocean (the adversaries) try their best to trick us into sharing confidential, personal information. And their most common attack vector is via social engineering. This trickery can occur through email, phone, face-to-face, or the stormy, wicked web. It makes social engineering a major factor in cyber security awareness and protecting our digital footprint.
The statistics associated with social engineering are staggering. Accenture Security reports that 85% of organizations now experience some degree of phishing and social engineering attacks, which is an increase of 16% over just one year. We can assume this will certainly continue, as long as humans, people, and our very employees, continue to be the weakest link in overall cybersecurity defence.
Navigating the Social Engineering
Cyber attackers and social engineers will modify their tactics, but there are some common signs to help you recognize an attack. Let’s look at a cyber criminal’s trends and tactics.
Phishing - Using e-mail to trick you into providing sensitive information, to include a Reply to the original malicious e-mail, clicking on bogus links or opening attachments, and entering data.
Spear Phishing - These are phishing attempts aimed at specific targets, such as research engineers.
Pretexting - Typically utilized in email, this is a technique where a fake situation is created using publicly available details on the target where the information is used for manipulation or impersonation.
Scareware - As the name implies, a frightful pop-up attempting you to type in confidential, personal, and private information in order to rectify an infected computer issue.
Vishing - Utilizing the telephone in attempt to trick you into providing valuable, most likely confidential, information.
Bating - An attempt to hook you in by offering goods, such as a free device or gift card.
Additionally, according to the 2019 Data Breach Investigations Report, phishing and pretexting represent 98% of social incidents, and 93% of breaches. Coming in at 96%, e-mail continues to be the most common vector.
While their tactics may seem difficult to spot on the surface, here are some common ways to spot and thwart social engineering attempts while navigating the social engineering ocean. They include:
- Request or appeal for sensitive, personal information, such as SSN, user IDs, passwords, or banking information.
- Sending correspondence that comes with a sense of urgency – you may be missing out on a deal, service or network shutoff, or even loss of funds.
- Open communication from a perceived authority, perhaps your bank or utility company.
Remember that social engineers exploit our willingness to provide information and are good at creating a trust relationship. Being able to recognize social engineering attempts is key, especially if that attempt includes the mother lode of social engineering: the phish.
The Social Engineering Mother Lode
Phishing remains the number one social engineering strategy, the buried treasure for the bad guys. Countless phishing email messages are sent to unsuspecting targets every day. While many of these messages are so bizarre that they’re obviously fraudulent, others might be more convincing.
No one wants to believe they’d fall for any type of scam, obvious or not, but for as long as people still open these emails, it only magnifies the fact that phishing, when utilized as a social engineering tactic – is the perfect mechanism.
Additionally, the CISA (Cybersecurity and Infrastructure Security Agency) is now aware of an email phishing scam that attempts to trick the DHS (Department of Homeland Security). The phishing emails use a spoofed address that appears to look like a NCAS (National Cyber Awareness System) alert, luring targets to download malware by clicking on an attachment.
So how do we guard against these phishing attacks? Unfortunately, there is no one key tactic or process, but a host of things you can look for.
DO...
- Check the FROM address, be wary of perceived reputable companies with GMAIL or foreign domains.
- Mouse over links to see the real destination.
- Keep your anti-virus software up to date.
- Use different passwords for your accounts, and immediately change if you suspect a breach. Consider using a passphrase or implementing multi-factor authentication for added protection.
- Forward phishing emails to the GVSU IT Helpdesk.
DO NOT...
- Click on any links or attachments unless you're sure it's from a trusted source.
- Give out personal or private information.
- Succumb to emails if the branding looks real or appears to be from someone you know.
- Click or call listed phone numbers that are included in pop-up ads.
- Forward a phishing email to other people, except to report it. Do not reply to phishing emails.
Still a Bit Lost at Sea? Additional Phishing Tips.
Here are some additional phishing and social engineering tips to help you raise the red buoy when dealing with e-mail:
- Look out for mismatched URLs – hover your mouse over the URL and compare the address.
- Poor grammar and spelling could be an indicator that it is a phish.
- A request for personal information, or worse, asking for money, especially with urgency, can be a phish.
- An offer that appears too good to be true probably is.
- Unrealistic or unlikely threats could be a phish.
- Content just doesn’t look right - trust your gut.
Remember that in addition to phishing emails appearing to come from organizations of authority such as your bank, these attempts may also appear to come from different, diverse types of organizations, and often take advantage of current events and specific times of the year, such as:
- Natural disasters or significant weather issues
- Global health scares, even flu season
- Financial or monetary concerns, like IRS scams
- Major political elections
- Holidays and celebrating events, such as international athletic events
Source: Cheryl Conley, SANS Security Awareness, Nation Cybersecurity Awareness Month, October 2019