Social engineering attacks are an active attempt to manipulate people into revealing sensitive information. These attacks succeed because they bypass the software and technical controls designed to stop attacks and target the person instead.
Think of it like this:
You are a thief trying to break into a house. You could try to break in through a variety of methods such as picking the lock, finding an unlocked window, or just busting through when no one is home. This works but we have developed technology to combat it.
We have ever more secure locks, security systems, cameras, and a host of other products available to prevent or deter these attacks.
Why go through the challenging work of breaking in when the person just might let you inside of their own free will? You dress up as a pizza delivery guy and walk up to the door with a pizza.
Let us flip back to the homeowner. The doorbell rings. Strange, they were not expecting any visitor tonight and had not ordered any pizza. Looking through the peephole, it is a pizza delivery person. What does the homeowner do now?
In this situation the attacker has bypassed all the security in place and simply walked up to the door hoping someone will open it. The actions the homeowner takes now largely determine how the situation moves forward.
Do they just open the door? Maybe keep the chain on the door and crack it? Ignore the knocking entirely?
Every communication, especially one that is unexpected or unprompted, should be treated with caution.
What Does a Social Engineering Email Look Like?
These usually start out from a previously compromised account. From that account a malicious attacker poses as its owner and sends more malicious emails to everyone that person knows. These contacts can come from an email contact list, Twitter followers, Facebook friends, or any other repository of contacts.
Since the email came from a seemingly legitimate source, your friend, you are more likely to open it without much thought.
From here they may have a link for you to visit or an attachment to open. Clicking the link or downloading the attachment can give the attacker access to your device. They will then act on that device, stealing information, installing malicious software, and continuing the attack on others through your contact lists.
- Note the subject of the email. It is not specific and tries to instill a sense of urgency. Often these subjects are eye-catching to get you to look and click immediately. They range from "documents you need to read" to "your account is locked and you need to open this and 'click here' to fix it".
- The sender is Workday Report <firstname.lastname@example.org>. These do not match up and we do not have reports coming from this address. These addresses will often be incorrect, odd, or have misspellings.
- The greetings line will often be generic, simple, and not have any name associated with it. Remember these emails are mass sent to everyone.
- If there are hyperlinks to websites, hover your mouse over the link but do not click. The actual website destination will pop up in a box. Notice how in the body the destination reads www.lsus.edu, but when hovering over it with a cursor, it is a different website. Keep in mind that while usually the link is made up of random letters or numbers, links can look very convincing. For example, "lsus.edu" has a lowercase "L". A malicious attacker could register a website that uses a capital "i" instead, and it would look like "Isus.edu".
- Check the date and time the email was sent. If you expect normal reports to arrive at 10am and it is now arriving at 3:00am, something might be off with that email.
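The checks in the list above can be run mechanically. The script below is an added example (not ITS tooling or code from this page) that parses a constructed sample email and reports each indicator the list describes: an urgent, vague subject; a sender address whose domain is not the organisation's; a generic greeting with no name; a link whose visible text differs from its real destination; a look-alike domain that swaps a capital "I" for a lowercase "l"; and a delivery time outside the hours such a report would normally arrive. The trusted domain `lsus.edu`, the business-hours window, and the keyword lists are assumptions chosen for the example.

```python
"""Heuristic phishing-indicator checks over a raw email. Added example, not ITS code."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser

TRUSTED_DOMAIN = "lsus.edu"          # assumption: the organisation's real domain
BUSINESS_HOURS = range(8, 18)        # assumption: reports normally arrive 08:00-17:59
URGENCY_WORDS = ("urgent", "locked", "immediately", "action required", "verify", "suspended")
GENERIC_GREETING = re.compile(r"(dear (user|customer|sir|madam|sir/madam)|hello|hi|greetings)[,:!]?", re.I)
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})  # look-alike characters

# Constructed sample mimicking the fake "Workday Report" email described above.
SAMPLE_EMAIL = """From: Workday Report <firstname.lastname@example.org>
To: staff@lsus.edu
Subject: Urgent: Your account is locked - action required
Date: Tue, 05 Mar 2024 03:02:11 -0600
Content-Type: text/html

<html><body>
<p>Dear user,</p>
<p>Please <a href="http://Isus-login.example.net/verify">click here</a>
to review your report at <a href="http://Isus.edu.example.net/">www.lsus.edu</a>.</p>
</body></html>
"""

# Constructed sample of a report that passes every check.
LEGIT_EMAIL = """From: Workday Reports <reports@lsus.edu>
To: staff@lsus.edu
Subject: March attendance report
Date: Tue, 05 Mar 2024 10:00:00 -0600
Content-Type: text/html

<html><body>
<p>Hi Jane,</p>
<p>Your report is available at <a href="https://www.lsus.edu/reports">www.lsus.edu</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs, i.e. what the user sees vs. where it goes."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare hostnames are returned unchanged."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url.strip(), re.I)
    return m.group(1) if m else url.strip()


def is_trusted(host):
    h = host.lower()
    return h == TRUSTED_DOMAIN or h.endswith("." + TRUSTED_DOMAIN)


def check_email(raw):
    """Return a list of (indicator, detail) tuples; an empty list means no indicator fired."""
    msg, findings = message_from_string(raw), []

    subject = msg.get("Subject", "")
    if any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(("urgent_subject", subject))

    name, addr = parseaddr(msg.get("From", ""))
    if addr.rsplit("@", 1)[-1].lower() != TRUSTED_DOMAIN:
        findings.append(("sender_domain_mismatch", f"{name} <{addr}>"))

    body = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", body)
    first_line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if GENERIC_GREETING.fullmatch(first_line):
        findings.append(("generic_greeting", first_line))

    parser = LinkCollector()
    parser.feed(body)
    for visible, href in parser.links:
        target = host_of(href)
        # Visible text that looks like a site but points somewhere else (the "hover" check).
        if "." in visible and host_of(visible).lower() != target.lower():
            findings.append(("link_text_mismatch", f"{visible} -> {href}"))
        # Domain that reads like ours once confusable characters are normalised, but is not ours.
        if TRUSTED_DOMAIN.split(".")[0] in target.translate(CONFUSABLES).lower() and not is_trusted(target):
            findings.append(("lookalike_domain", target))

    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", sent.isoformat()))
    return findings


if __name__ == "__main__":
    for indicator, detail in check_email(SAMPLE_EMAIL):
        print(f"{indicator:24} {detail}")
```

Run stand-alone it prints one line per indicator found in the sample, while `check_email(LEGIT_EMAIL)` returns an empty list. These are heuristics, not proof: a message that passes all of them can still be malicious, which is why the reporting step below still matters.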
Other attacks include:
- Phishing. Attacks that appear to come from a legitimate source, typically by email, and are sent to an entire organization or group.
- Spear Phishing. Like Phishing but extremely targeted and specifically crafted to individuals. Generally done through email.
- Whaling. A version of spear phishing but targeting 'big fish' like a president of an organization.
- Vishing. This is "Voice Phishing". An attacker poses as a support agent or representative of the organization. Usually targets new employees of an organization.
- Smishing. This is "SMS or text phishing". An attacker uses text messaging or other communication applications to execute their attack.
How to Protect Yourself
- Slow down. These attacks take advantage of the fast pace of business. No matter the urgency, carefully review everything.
- Research. Call the company or person and see if they did send you a legitimate email.
- Beware of downloads or attachments. If you do not know and are not expecting a download or attachment, stay cautious, research, and inform ITS.
Reporting Suspicious Items
You can report a suspected email by clicking the "Report Message" card at the top of an email.
This triggers a series of actions that lets ITS quickly investigate and take any needed action on that email. You are the first line of defense.
If you suspect anything else, please inform ITS by emailing us at email@example.com.