Social engineering is the tactic of manipulating trust to get people to give up confidential information, such as passwords, payment card details, or (through a malicious link) access to your computer to plant malware.
So, rather than going through the effort to hack your network, it’s much easier for a cybercriminal to trick you into clicking on a link that plants spyware on your computer or to enter your name and password into a bogus form.
98% of cyberattacks rely on the use of social engineering.
Social engineering includes phishing emails – the number one method used to gain the access needed for a data breach. That’s why so many information security applications take socially engineered emails into consideration when designing cybersecurity protections.
Electronic safeguards are only part of the equation when protecting against these types of attacks. The human factor is the other part. People cannot be expected to correctly evaluate every email they receive, both personal and work-related.
Follow these tips on identifying types of social engineering so you can avoid becoming a victim. If you own a business, these are good tips to share with staff as a first step toward protecting your company’s electronic assets.
Red Flags to Spot Dangerous Social Engineering Attempts
Phishing and other types of socially engineered attacks are on the rise. According to the 2019 State of the Phish Report by Proofpoint, 83% of survey respondents experienced a phishing attack in 2018, up from 78% the previous year.
Two other variants, vishing (voice phishing) and smishing (SMS/text phishing), also rose 4%, with 49% of professionals saying they’ve experienced one of these attempts in the past year.
Socially engineered emails, instant messages, calls, or texts use a variety of tactics to try to gain your trust or otherwise get your defenses down so you’ll take the action that the hacker has engineered.
Common tactics used in these attacks:
- Email seems to come from family or colleague
- Urgency to pay an overdue bill or prevent an account closure
- Requests for donations to a trending cause
- Spoofing a logo from a trusted source (UPS, Walmart, your bank, etc.)
- Requirement to verify your information immediately
- Enticement to play an online game or take a survey
Here are some of the red flags that can help you identify social engineering and avoid becoming a victim.
An email is coming from an unrecognized person or email address
An immediate red flag is receiving an email from someone you don’t know or don’t normally communicate with. It could be spoofed to seemingly come from a vendor or client company, or from someone inside your organization, but the message isn’t expected or usual.
Phishing scammers often use a name they found on your company’s website to make an email or text look like it’s coming from someone like your boss, but when you look closely at the sender’s actual email address, it doesn’t match the address that person normally uses.
Being copied on an email to people you don’t know
This tactic cc’s you on a mysterious email sent to someone you don’t know and might cc multiple others with important sounding email addresses. The message will pique your curiosity on why you were copied and ask you to click a malicious link.
Unusual email sent time
Did you get an email that looks like it might be legitimate, but it was sent at 2:00 a.m., seemingly from your accounting department? That’s a big red flag: the message appears to come from a known source, but it was sent at an unusual hour or from an unexpected time zone.
Hyperlink that doesn’t match what it purports to be
The oldest trick in the phishing handbook is to hide a malicious link behind legitimate-looking link text or a button. It’s vital to always hover over links, without clicking, to reveal the true URL. In most desktop email clients and browsers, that URL is displayed in the status bar at the bottom left of the window.
If you receive an email from “Amazon” that has your name and company listed (a tactic to gain trust) but hovering over the link shows a web URL that isn’t Amazon’s at all, that’s a dead giveaway that it’s a social engineering attack.
Subject line that is irrelevant
If you receive an email, text, or social media direct message with a subject that doesn’t match the content or is in reply to a message you never sent or requested information on, that’s another red flag.
Often these types of attacks will try to use something as short and simple as possible, like “Re: the meeting you requested.” It’s easy to fall for a subject line like that – an everyday work activity.
Attachments that aren’t expected and are in executable file types
Along with unexpected emails, be on the lookout for unexpected file attachments. A common ploy is to send an “urgent purchase order that needs a response today” and attach a dangerous file type, like an .exe or .rar file. Even Excel or Word files can carry a malicious macro inside.
This is an area where anti-phishing and spam filters can protect your network and prevent virus and malware infections by sandboxing and analyzing threats before they make it to your employees’ inboxes.
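As an added example (not code from the original article, Twin State Technical Services, or any of the products named here), the short Python script below turns several of the red flags above into automated checks over one constructed message: a sender outside the organization’s domain, a Reply-To that differs from From, an unusual send hour, link text whose hostname differs from the real href destination, and executable attachments. The organization domain, working hours, and the list of risky extensions are assumptions chosen for the demonstration.

```python
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample, not a real capture: external sender posing as a colleague,
# a 2 a.m. send time, a bait subject line, and a link whose text hides its destination.
SAMPLE = """\
From: "Pat Boss" <pat.boss@example-mail.test>
Reply-To: accounts@invoice-pay.test
To: you@example.com
Date: Tue, 05 Mar 2019 02:07:00 -0600
Subject: Re: the meeting you requested
Content-Type: text/html; charset="utf-8"

<p>Please review <a href="http://login.invoice-pay.test/a">https://www.amazon.com/orders</a></p>
"""

RISKY_EXT = {".exe", ".rar", ".scr", ".js", ".bat", ".iso"}  # assumed list, tune per site
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[a-z][\w-]*)+)", re.I)  # host-like link text

def domain_of(address):
    return address.rpartition("@")[2].lower()

def red_flags(raw, org_domain="example.com", work_hours=(7, 19)):
    """Return human-readable red flags found in one RFC 5322 message (heuristic checks)."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    if domain_of(addr) != org_domain:                  # unrecognized sender domain
        flags.append(f"external sender {addr!r} using display name {name!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append(f"Reply-To domain differs from From: {reply_to}")
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    if sent and not work_hours[0] <= sent.hour < work_hours[1]:  # sender's stated local time
        flags.append(f"sent at unusual hour {sent.hour:02d}:00")
    body = msg.get_body(preferencelist=("html",))
    for href, text in ANCHOR_RE.findall(body.get_content() if body else ""):
        shown = HOST_RE.search(text)
        real = (urlparse(href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:    # visible URL != true destination
            flags.append(f"link text shows {shown.group(1)} but points to {real}")
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXT:
            flags.append(f"executable attachment {part.get_filename()!r}")
    return flags
```

Running `red_flags(SAMPLE)` reports all four issues planted in the sample; a mail gateway or SOAR playbook would typically quarantine or tag the message rather than rely on the recipient to hover over the link.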
Defend Against Social Engineering with the Right Tools
Twin State Technical Services offers superior cybersecurity solutions for companies in the Quad City area. We help businesses protect themselves with tools like Proofpoint Essentials, a cloud-based application with tailored packages to meet a variety of needs and budgets, and KnowBe4 to test the phishability of your employees.
Learn more about our social engineering safeguards today by calling 563-441-1504 or reaching out online.
Tags: cyber attack, phishing, social engineering