Phishing is still the most common way breaches begin, so let’s squish the phish and #BeCyberSmart

Social engineering is the psychological compromise of a person: the attacker manipulates the victim into taking an action or breaching confidentiality. One of the best ways to protect yourself against social engineering attacks is to be able to identify them as they occur.



Phishing – The most common form, found in over 80% of incidents and breaches. This attack is usually carried out via unsolicited email that claims to be reputable and from a trusted source. The email is sent to many people, in the hope that a few will fall for the trick.

Spear-phishing and Whaling – Two varieties of phishing in which the email is specifically crafted for the recipient, often after the attacker has researched the individual on social media sites. Whaling implies a targeted email to an organization’s leaders, whereas spear-phishing may target anyone.

BEC, Impersonation, Misrepresentation – Business Email Compromise (BEC) attacks have become more common since the COVID-19 pandemic began and generally involve the attacker attempting to impersonate an organization’s leaders and then trick employees into acting on their behalf. Think of this attack if you see a sender named “Maud Mandel” but the email address is “[email protected]”*.

Vishing – Voice phishing is common among criminals who like to call people and say that they are with the IRS, or insist that the victim’s computer has a problem. Once convinced, the victim is likely to provide private information or system access to the attacker.

Smishing – SMS phishing has been revitalized by URL shortening services. The attackers can send text messages to hundreds of numbers, hoping that someone who receives one does want to “sell their house for cash” or “lose 37 pounds” and clicks the included link.

Pretexting – Similar to vishing, pretexting can blend several of these attacks but is usually designed to establish the attacker as an authority figure using a story they’ve created, or pretext. An attacker posing as a police officer or tax collector is a popular and common pretext scenario.
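The display-name mismatch described under BEC above can also be checked automatically at the mail gateway. The following is an added example, not part of the original post; the organization domain `example.edu`, the leader directory and all sample addresses are constructed assumptions.

```python
import re
import unicodedata
from email.utils import parseaddr

# Assumptions for illustration: the organization's domain and its directory
# of leaders. Both are constructed sample values, not real addresses.
ORG_DOMAIN = "example.edu"
PROTECTED = {"Maud Mandel": "president@example.edu"}


def name_key(name):
    """Fold case, accents and word order so 'MANDEL, Maud' equals 'Maud Mandel'."""
    text = unicodedata.normalize("NFKD", name).casefold()
    text = "".join(c for c in text if not unicodedata.combining(c))
    return frozenset(re.findall(r"[a-z0-9]+", text))


PROTECTED_KEYS = {name_key(n): a.lower() for n, a in PROTECTED.items()}


def classify_from(header):
    """Return 'impersonation', 'external' or 'internal' for one From header."""
    display, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    expected = PROTECTED_KEYS.get(name_key(display))
    if expected is not None and addr != expected:
        return "impersonation"  # leader's name on an address that is not theirs
    # Exact match only: 'example.edu.mail-login.example.net' is not internal.
    return "internal" if domain == ORG_DOMAIN else "external"


# Constructed sample From headers.
SAMPLES = [
    '"Maud Mandel" <president@example.edu>',
    '"Maud Mandel" <office.of.president@mail-service.example.net>',
    '"MANDEL, Maud" <mmandel@example.edu.mail-login.example.net>',
    '"Campus Newsletter" <news@lists.example.org>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{classify_from(h):14} {h}")
```

A message classified as `impersonation` is a candidate for quarantine or a warning banner; `external` corresponds to the “External” label a mail client shows.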


Common Elements:

All forms will try to instill a sense of urgency, requesting the victim to do something quickly.

All social engineering attacks may include poor grammar, obfuscated URLs and a way to contact the attacker.

These attacks almost always originate externally.

They usually lack the normal email elements, such as signature blocks or unsubscribe options.



Do:

Look for the “External” label in Gmail

Examine the sender’s email address

Report suspicious email, voicemail or texts

Use your good judgement (aka, Stop, Think, Connect.)



Don’t:

Click on links or open attachments from within unsolicited email

Forward a suspicious email to a peer or colleague

Reply to the email or text

Trust strangers or something that sounds too good to be true


Do your part, #BeCyberSmart and don’t fall for these tricks this Halloween!

*Any likeness to Ms. Mandel’s personal email address is unintentional and purely coincidental!