Avoiding Social Engineering and Phishing Attacks
What is social engineering?
When someone uses human interaction to obtain or compromise information from a person or organization, it is called social engineering. By asking the right questions of the right people, an attacker may be able to piece together enough information to gather private personal data or infiltrate an organization's network. It is a very common way to attack because it does not require breaking into the network by technical means.
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to pose as a trustworthy organization to lure you into sharing information that can then be used to access your account.
Phishing attacks may also appear to come from other types of organizations, such as non-profits. Another tactic is to take advantage of current events such as the COVID-19 pandemic to trick you into "donating" online, which exposes your financial information.
Here are some indicators of a phishing attack:
- Suspicious sender’s address. The sender’s address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.
- Generic greetings and signature. Both a generic greeting, such as "Dear Valued Customer" or "Sir/Ma'am", and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will generally address you by name and provide its contact information.
- Fake hyperlinks and websites. If the destination shown when you hover your cursor over a link in the email body does not match the link's visible text, the link may be fake. Malicious websites often look identical to a legitimate site, but the URL may differ in spelling or use a different domain.
How do you avoid being a victim?
- Do not provide personal information or information about your organization, including its structure or networks, unless you are confident of a person's authority to have the information.
- Do not reveal personal or financial information in an email and do not respond to email solicitations for this information. This includes following links sent in an email.
- If you are unsure whether an email request is legitimate, try to verify it by directly contacting the company. Do not use the contact information provided on a website connected to the request; instead, check previous statements for contact information.
- Take advantage of any anti-phishing features offered by your email client and web browser.
What do you do if you think you are a victim?
- If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators.
- If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplained charges to your account.
- Immediately change any passwords you might have revealed. If you used the same password for multiple resources, change it for each account and do not reuse that password in the future.