Social engineering is the psychological compromise of a person that alters their behavior so that they take an action or breach confidentiality. One of the best ways to protect yourself against social engineering attacks is to be able to recognize them as they occur.
Phishing – The most common form, found in over 80% of incidents and breaches. This attack is usually carried out via unsolicited email that claims to come from a reputable, trusted source. The email is sent to many people in the hope that a few will fall for the trick.
Spear-phishing and Whaling – Two varieties of phishing in which the email is specifically crafted for the recipient, often after the attacker has researched the individual on social media sites. Whaling targets an organization’s leaders, whereas spear-phishing may target anyone.
BEC, Impersonation, Misrepresentation – Business Email Compromise (BEC) attacks have become more common since the COVID-19 pandemic began. They generally involve the attacker impersonating one of the organization’s leaders and then tricking employees into acting on that leader’s behalf. Think of this attack if you see a sender named “Maud Mandel” but the email address is “[email protected]”*.
Vishing – Voice phishing is favored by criminals who call people and claim to be with the IRS, or insist that the victim’s computer has a problem. Once convinced, the victim is likely to give the attacker private information or system access.
Smishing – SMS phishing has been revitalized by URL-shortening services. Attackers send text messages to hundreds of numbers, hoping that someone who receives one does want to “sell their house for cash” or “lose 37 pounds” and clicks the included link.
Pretexting – Similar to vishing, pretexting can blend several of these attacks, but it is usually designed to establish the attacker as an authority figure through a story they have created, the pretext. An attacker posing as a police officer or tax collector is a popular and common pretext scenario.
What these attacks have in common:
All forms try to instill a sense of urgency, pressing the victim to do something quickly.
All social engineering attacks may include poor grammar, obfuscated URLs and a way to contact the attacker.
These attacks almost always originate externally.
They usually lack the normal email elements, such as signature blocks or unsubscribe options.
Do:
Look for the “External” label in Gmail.
Examine the sender’s email address.
Report suspicious email, voicemail or texts.
Use your good judgment (aka Stop. Think. Connect.).
Don’t:
Click on links or open attachments from within unsolicited email.
Forward a suspicious email to a peer or colleague.
Reply to the email or text.
Trust strangers or something that sounds too good to be true.
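As an added example (not from the original post), the following Python script turns several of the signals above into automated checks that a mail-triage or help-desk tool could run: the display-name versus address mismatch from the BEC item, the external-sender trait, urgency wording, shortened URLs from the smishing item, and a missing signature block or unsubscribe footer. The organization domain, the list of leaders, the keyword lists and the three sample messages are assumptions constructed for illustration, not real data.

```python
"""Heuristic triage of inbound mail for social-engineering red flags.

Added example, not from the original post. Assumptions: the organization's
own domain is ORG_DOMAIN, KNOWN_LEADERS lists display names that impersonators
tend to borrow, and the SAMPLE_* messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.edu"                          # assumed organization domain
KNOWN_LEADERS = {"maud mandel"}                     # names worth protecting (constructed)
URGENCY_WORDS = ("urgent", "immediately", "right away", "asap", "before end of day")
SHORTENER_DOMAINS = ("bit.ly", "tinyurl.com", "t.co")   # common URL-shortening hosts
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def triage(raw_message: str) -> list[str]:
    """Return the list of red flags found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    flags: list[str] = []

    # Trait: examine the sender's address, not just the display name.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Trait: these attacks almost always originate externally.
    if domain and domain != ORG_DOMAIN:
        flags.append("external sender")

    # BEC pattern: a leader's display name on an address outside the organization.
    if display_name.strip().lower() in KNOWN_LEADERS and domain != ORG_DOMAIN:
        flags.append("display-name impersonation of a known leader")

    # Collect the plain-text body; a bare message with no Content-Type is text/plain.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    lowered = body.lower()

    # Trait: a manufactured sense of urgency.
    if any(word in lowered for word in URGENCY_WORDS):
        flags.append("urgency language")

    # Trait: obfuscated links, here approximated by URL-shortener hosts.
    for host in URL_RE.findall(body):
        if host.lower() in SHORTENER_DOMAINS:
            flags.append(f"shortened URL ({host.lower()})")
            break

    # Trait: no signature block ("-- " delimiter) and no unsubscribe footer.
    has_signature = any(line.startswith("--") for line in body.splitlines())
    if not has_signature and "unsubscribe" not in lowered:
        flags.append("no signature block or unsubscribe footer")

    return flags


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Maud Mandel <president.office@mail-example.net>
To: staff@example.edu
Subject: quick favor

I need you to handle something urgent before end of day. Reply as soon as you see this.
"""

SAMPLE_SMISH_STYLE = """From: Cash Offers <offers@deals-example.org>
To: staff@example.edu
Subject: Sell your house for cash

Want to sell your house for cash this week? https://bit.ly/placeholder-path
"""

SAMPLE_INTERNAL = """From: IT Help Desk <helpdesk@example.edu>
To: staff@example.edu
Subject: Planned maintenance

The wiki will be read-only on Saturday morning.

-- 
IT Help Desk
To unsubscribe from these notices, update your preferences.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("smish-style", SAMPLE_SMISH_STYLE),
                          ("internal", SAMPLE_INTERNAL)):
        print(f"{label}: {triage(sample) or 'no red flags'}")
```

The checks are deliberately coarse: an external sender is not by itself malicious, and an attacker can add a fake signature block. The value is in the combination, which is why the function returns every flag it finds rather than a single verdict, so a reviewer can weigh them together.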
Do your part, #BeCyberSmart and don’t fall for these tricks this Halloween!