Phishing and Social Engineering
Not to be confused with fishing, phishing is a cyber-attack. As CompTIA puts it: “You don’t need a pole, but it does involve reeling in unsuspecting victims”. The attack can arrive over many different communication channels and is used to extract a plethora of personal data from an unsuspecting user. Phishing attacks can be received via a phone call, text message, or an E-mail (we will focus on E-mail in this article). The sensitive information attackers are after may include passwords, bank account details, or social security numbers. In some cases, the attacker might just have you buy several gift cards from Taco Bell to congratulate the accomplices for a job well done. 😉
So how do the attackers convince users to give up private data — by asking nicely? Not necessarily. These attackers employ social engineering techniques to convince you that giving up this piece of information is the right thing to do. Some common social engineering techniques play on fear, greed, urgency, and authority. The attacker will pretend to be a respected person in your company, or they might pretend to be an AC repairman during the hot summer months. Attackers use social skills to make you want to give up what they request. Therefore, it is important to know some key attributes of a phishing E-mail, so that you can spot it and drop it.
There are different types of phishing attacks, and knowing them helps you understand why you might be a target. These types include:
- Spear phishing is when a specific target is selected based upon their position within the company (think accounts payable).
- Whaling is a type of phishing in which a cybercriminal targets high-level executives in an organization.
- Vishing is essentially the same as phishing but carried out specifically through a phone call.
How to Spot and Prevent Phishing
No matter what, always be suspicious and ask yourself: “Am I expecting this?” Below are some signs of a phishing E-mail that you can look for as either a home or business user:
- Unexpected favors from a manager or owner.
- Odd language and spelling errors.
- E-mail addresses that do not match the name of the person they are claiming to be.
- Links to log-in pages to complete an action.
- Sudden requested changes to remit-to account numbers.
If you do receive an E-mail with some of these characteristics and still believe it may be genuine, please confirm with the sender by other means. Do not reply to the original E-mail; the reply will most likely go straight back to the attacker. For example, call the sender at a phone number you already know and ask whether they sent you the E-mail.
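As an added example (not from the original article), the following Python script turns the checklist above into automated checks that a help desk or mail administrator could run on a suspicious message before anyone acts on it: whether the sender's domain is one the organization actually uses, whether Reply-To points somewhere other than the visible sender, whether a link's visible text names one host while the real target is another, whether a link leads to a log-in page, and whether the message uses urgency wording or asks to change remit-to details. The two sample messages, the `.test` domains, and the `TRUSTED_DOMAINS` set are constructed for this example; only the Python standard library is used.

```python
"""Added example (not from the original article): flag the phishing signs
listed in the article in a raw e-mail, using only the standard library.
Sample messages and domains below are constructed for the example."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains the reader's organization actually sends from.
TRUSTED_DOMAINS = {"example.com"}

# Pressure language typical of the "urgency" and "fear" techniques.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")


def domain_of(addr_header) -> str:
    """Lower-cased domain of a header like '"Name" <user@host>' ('' if none)."""
    _, addr = parseaddr(str(addr_header))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a readable list of the phishing signs found (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Sign: address does not match who the display name claims to be.
    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From", ""))
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        findings.append(f'"{display_name}" writes from untrusted domain {from_dom}')

    # Sign: a reply would go somewhere other than the visible sender.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Sign: link text shows one host while the href goes to another, or leads to a log-in page.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for text, href in collector.links:
            looks_like_url = "." in text and " " not in text
            shown = host_of(text if "://" in text else "http://" + text) if looks_like_url else ""
            target = host_of(href)
            if shown and target and shown != target:
                findings.append(f"link text shows {shown} but points to {target}")
            if target and re.search(r"log-?in|sign-?in|verify", href, re.IGNORECASE):
                findings.append(f"link to a log-in page at {target}")

    # Sign: urgency wording or a request to change remit-to / account details.
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = re.sub(r"<[^>]+>", " ", body.get_content()) if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + body_text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    if "remit-to" in haystack or "account number" in haystack:
        findings.append("asks to change remit-to / account details")
    return findings


# Constructed sample: a fake "CEO" message with most of the article's warning signs.
SAMPLE_PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-mail.test>
Reply-To: payments@mailbox-relay.test
To: clerk@example.com
Subject: URGENT: update remit-to account today
Content-Type: text/html; charset="utf-8"

<html><body><p>I need this handled immediately. Please sign in at
<a href="http://portal-login.bad-host.test/verify">https://portal.example.com</a>
and update the remit-to account number before end of day.</p></body></html>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: clerk@example.com
Subject: Q3 report
Content-Type: text/plain; charset="utf-8"

Hi, the Q3 report is in the shared drive folder as usual. Thanks!
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The domain check is deliberately a plain allow-list rather than a lookalike detector: in practice the mail gateway's SPF/DKIM/DMARC results would stand in for it, and the script is meant as a second opinion for a human reviewer, not as the only filter. Any single finding is a reason to verify by phone, as the article advises, rather than to reply.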
Check out this video from Microsoft on some common characteristics of a phishing E-mail and what to do if you get one: https://www.youtube.com/watch?v=YfiN_W8I1cE
As a business owner or user, there are many technologies that can stop most phishing attacks before they even get into your inbox. If you have any questions about a suspicious E-mail, want to improve your E-mail security, and/or if you would like to train & test your end-users on phishing security please send me an E-mail at: firstname.lastname@example.org.