How to recognize social engineering attacks
When we think of cyberattacks, we often think of highly advanced or elaborate hacking techniques aimed at our computers and accounts. In practice, however, a common technique cyber attackers use is tricking their target into giving them the information they want. This is called social engineering, a psychological attack that tricks you into doing something you shouldn’t, like making payments or giving up sensitive information.
The most recent SANS Newsletter lists common, recognizable clues of a social engineering attack.
Attackers might craft messages and emails to mimic a friend, family member, or coworker. These fake emails are called phishing emails. The language or tone of these messages might be different from how the sender normally sounds. Pay close attention to the signature to confirm the email is legitimate. Check that the email address is consistent with other emails you may have received from this friend or family member. If it appears to come from a coworker or a company, make sure the email address is their work email, not a personal one. These emails can be generic and easy to recognize, but they can also be highly personalized to their targets and harder to identify if a cyber attacker does their research.
Urgency, crisis, or curiosity.
Attackers want to rush people into making a mistake. Scammers have been known to impersonate government officials or debt collectors, claim that their target owes money, and pressure them to pay over the phone via credit card, gift card, or wire transfer. It is also common to receive emails or phone calls that use a delayed package delivery or a contest prize to get you to respond with sensitive information. Whether it’s a debt collection or an incentive, take time to make sure there is proof of the debt, or that you were actually expecting a package or contest results, before taking action.
One way to avoid falling victim to phishing emails at work is to follow all security policies and procedures that would typically be expected, even if the person on the other end urges you not to. The attacker might also make requests for sensitive information, like account numbers or Social Security numbers, which should never be shared online. If you receive an email from someone you don’t know, do not share personal information, click on links, or open attachments that may be infected or malicious.
Social engineering attacks are not limited to phone calls and emails. To learn about other forms of these attacks, be sure to check out this SANS Newsletter.
Social engineering isn’t the only method cyber attackers use. For more tips on how to protect sensitive information and your money, check out more SANS Newsletter blogs.