Traditional mass email phishing has been a significant risk for many years, and institutions like NEOMED are improving their resilience to this form of social engineering and abuse of trust through information security training, multifactor authentication, and awareness of email threats. While mass email phishing is widely known, are you aware of the other types of social engineering attacks that exist and are on the rise?
Cybercriminals use social engineering, the psychological manipulation of people into performing actions or divulging sensitive information, as their most common way to steal information and money or to assume others' identities. Social engineering is at the heart of every type of phishing, whether it is conducted by email, SMS/text message, or phone call. Current technology makes these attacks cheap and very low risk for the attacker, so it is important that we all recognize and watch for these variants of the traditional mass-emailed phishing attack.
Some of the more common variants/methods are:
- Spear phishing/whaling: These attacks involve tailored, well-crafted messages that appear to come from a trusted source, usually with a sense of urgency, and target specific individuals at an organization, such as those who can approve or conduct financial transactions. "Whaling" is the same technique aimed at executives and other senior staff.
- Smishing: Phishing via SMS/text ("smishing") tries to trick you into replying with information or tapping links in text messages on your mobile device. The message usually contains a URL or a phone number, and the number often leads to an automated voice response system rather than a person. As with email phishing, the message asks for your immediate attention. Because the sender number shown for a text message can be spoofed, these messages are hard to filter and hard to trace.
- Pharming: In pharming, an attacker plants malicious code on your computer or on a server, such as a DNS resolver, so that requests for a legitimate website are silently redirected to a fraudulent copy of it. Because the redirection happens before the page loads, you can type the correct address and still land on the attacker's site without your consent or knowledge.
- Vishing: Voice phishing ("vishing") consists of calls from attackers claiming to be government agencies such as the IRS, software vendors such as Microsoft, or services offering help with benefits or credit card rates. The caller ID often shows your own area code or a number close to yours, because the displayed number can be spoofed. As with smishing, the weak verification behind caller ID makes this a dangerous attack vector.
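One place pharming shows up on a personal computer is the local hosts file, which the operating system consults before DNS: a malicious line there sends a trusted name to an attacker's address even when you typed it correctly. The script below is an added example, not code from the original article or from NEOMED; it parses hosts-file text and flags watched names that point anywhere other than loopback or the 0.0.0.0 "blackhole" that ad blockers use. The sample hosts text and the watched domain names are constructed for the example.

```python
"""Scan hosts-file text for entries that redirect a trusted site elsewhere.

Added example (not from the original article). Hosts-file overrides are one
mechanism pharming malware uses; a poisoned DNS resolver is another and is
not covered here.
"""
import ipaddress

# Constructed sample of a hosts file. The bank.example line is the kind of
# override pharming malware writes; the loopback and 0.0.0.0 lines are normal.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# the following line was added by malware
203.0.113.45    bank.example www.bank.example
0.0.0.0         ads.tracker.example
"""

# Hypothetical names for this example; in practice list your own bank,
# payroll, and single-sign-on hostnames.
WATCHED_DOMAINS = ("bank.example", "login.example", "payroll.example")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_harmless(ip):
    """Loopback and the unspecified address 0.0.0.0 are used by ad blockers, not pharming."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def is_watched(name, watched):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_pharming_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip), ...] for watched names pointed at a non-local address."""
    return [
        (name, ip)
        for ip, name in parse_hosts(text)
        if is_watched(name, watched) and not is_harmless(ip)
    ]


if __name__ == "__main__":
    for name, ip in find_pharming_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} is redirected to {ip} by the hosts file")
```

To run it against a real machine, read /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) and pass the contents to find_pharming_entries. An empty result only rules out hosts-file pharming; a tampered DNS resolver would have to be checked by comparing its answers with a known-good resolver.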
No matter the medium, these practices will help keep you from being tricked by social engineering attacks:
- Don't react to scare tactics: All of these attacks depend on pressuring the recipient, for example with the threat of a lawsuit, a claim that your computer is full of viruses, a warning that personal information may be divulged, or the fear of missing out on a great interest rate. Don't fall for it!
- Verify contacts independently: Financial transactions should always follow a defined set of procedures, including a way to verify legitimacy outside of email or an inbound phone call. Legitimate companies and service providers will give you a real business address and a way to contact them, which you can confirm independently on the company's website, support line, or account statement. Don't trust people who contact you out of the blue claiming to represent a company or the University. If an email or call asks you to call back and you suspect it may be fraudulent, look up the organization's customer service number yourself and call that, never the number supplied in the message or call. If you are unsure whether an email request is legitimate, contact the company using the information on an account statement or another source you already trust, not the information in the potentially fraudulent email.
- Don't reveal personal or financial information in an email: Do not respond to email solicitations for this information, and do not follow links in such emails.
- Keep a clean machine: Keep all software on internet-connected devices, including computers, laptops, smartphones and tablets, up to date to reduce the risk of malware infection.
- Know the signs: Does the message or call open with vague information, a generic company name like "card services," an urgent request, and/or an offer that seems impossibly good? Hang up or click that delete button! Be especially careful when entering financial information on a website. A malicious website may look identical to the legitimate site, but its URL may use a misspelling or an extra word in the name, or a different top-level domain (e.g., .com versus .net). If the website looks different than when you last visited, be suspicious and don't enter any personal or financial information unless you can verify that you are on the genuine site; a padlock icon only means the connection is encrypted, not that the site is the one you intended.
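The "Know the signs" advice about URLs can be made mechanical. The function below is an added example, not code from the original article or from NEOMED: given a URL and a list of trusted domains, it reports whether the host is trusted, a lookalike, or simply unknown, checking the imitations the text warns about (a different top-level domain, a misspelling, digits standing in for letters) plus a trusted name buried inside an attacker's domain. The trusted domains, homoglyph table and similarity threshold are assumptions for the example, and the "registered domain" is simplified to the last two labels.

```python
"""Flag URLs whose host imitates a trusted domain.

Added example (not from the original article). Heuristic only: it helps a
reviewer or a mail filter spot lookalikes, it does not prove a site is genuine.
"""
import difflib
from urllib.parse import urlsplit

# Hypothetical trusted domains for this example; list your own.
TRUSTED = ("neomed.edu", "bank.example")

# Characters attackers swap in because they look alike at a glance (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registered_domain(host):
    """Last two labels of a hostname (a simplification; real code uses a public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike', or 'unknown' for the host in url."""
    if "://" not in url:            # accept a bare 'host/path' as typed by a user
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    domain = registered_domain(host)
    if domain in trusted:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    norm = name.translate(HOMOGLYPHS)  # ne0med -> neomed
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        if name == t_name and tld != t_tld:
            return "lookalike"          # neomed.net instead of neomed.edu
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "lookalike"          # neomed.edu.secure-login.example.net
        if norm == t_name or t_name in norm.split("-"):
            return "lookalike"          # ne0med.edu, neomed-edu.com
        if difflib.SequenceMatcher(None, norm, t_name).ratio() >= 0.8:
            return "lookalike"          # bnk.example (assumed 0.8 threshold)
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.neomed.edu/login", "https://ne0med.edu/login",
                   "https://neomed.edu.secure-login.example.net/", "https://example.org/"):
        print(f"{sample:50} {classify_url(sample)}")
```

"Unknown" is not "safe"; it only means the host does not resemble anything on your trusted list. The hyphen split and the 0.8 similarity threshold are deliberate trade-offs: tightening them misses more lookalikes, loosening them flags unrelated names such as bankrate against bank.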
Finally, if you have become a victim of social engineering:
- If you encounter one of these attacks at the University, please report the attack to the NEOMED Help Desk as soon as possible (ext. 6911 or email@example.com).
- Watch for any unauthorized charges to your account(s). If you believe your personal financial accounts may be compromised, contact your financial institution immediately to get guidance on freezing or closing the account(s). Additionally, you can flag your credit reports by contacting the fraud departments of any one of the three major credit bureaus: Equifax (800.685.1111); TransUnion (888.909.8872); or Experian (888.397.3742).
- Consider reporting personal attacks to your local police department and filing a report with the Federal Trade Commission or the Internet Crime Complaint Center. Make sure you keep a copy of the police report in a safe place.
NEOMED takes great pride in its information security, which rests on administrative, technical and physical privacy controls; however, it is important that we all take steps to keep our own and the University's information from falling into the wrong hands. The information outlined above should help you spot social engineering attacks and, ultimately, reduce your risk of identity theft or a security incident. If you have any questions about social engineering as it relates to the University, please contact firstname.lastname@example.org.
Below are some additional resources you can use to learn more about social engineering attacks.
- Learn more about spam and phishing or hacked accounts from the National Cyber Security Alliance.
- This phishing infographic, developed by the Digital Guardian, illustrates some forms of social engineering attacks.
- Read this Better Business Bureau Tip on Phishing Scams.
- Read the FCC article on Avoiding the Temptation of Smishing Scams.
- The FTC provides more information for consumers about phone scams and how to spot them.
- HEISC Information Security Awareness Training Video: "Phishing: E-Safe" (1 minute)
- FCC Podcast on Spoofing, Scamming, and Crackdown on Unwanted Calls (1 minute)
- Hang Up on Phone Fraud (3 minutes)
Submitted by Jonathan Wagner