Own IT, Secure IT, Protect IT. October 2019 National Cybersecurity Awareness Month #BeCyberSmart

Navigate the Phishy Social Engineering Ocean

Article by: SANS Security Awareness

Whether we like it or not, we all have a digital footprint. Information about both our professional and personal lives is exposed, floating around the vast cyber ocean. Even if you prefer postal mail, telephone conversations, and writing checks, we’re all at risk of falling victim to social engineering attacks.

The piranhas in the ocean (the adversaries) try their best to trick us into sharing confidential, personal information, and their most common attack vector is social engineering. This trickery can occur through e-mail, by phone, face to face, or on the stormy web, which makes social engineering a major factor in cybersecurity awareness and in protecting our digital footprint.

Navigating the Social Engineering Ocean

Cyber attackers and social engineers will modify their tactics, but there are some common signs to help you recognize an attack. Let’s look at a cyber criminal’s trends and tactics.

Phishing – Using e-mail to trick you into providing sensitive information, whether by replying to the malicious e-mail, clicking on bogus links, opening attachments, or entering data.

Spear Phishing – Phishing attempts aimed at specific targets, such as research engineers.

Pretexting – Typically carried out over e-mail, this technique builds a fake situation from publicly available details about the target and then uses that information for manipulation or impersonation.

Scareware – As the name implies, a frightening pop-up that tries to get you to type in confidential, personal, and private information in order to fix a supposed computer infection.

Vishing – Using the telephone in an attempt to trick you into providing valuable, most likely confidential, information.

Baiting – An attempt to hook you in by offering goods, such as a free device or gift card.

According to the 2018 Data Breach Investigations Report, phishing and pretexting represent 98% of social incidents, and 93% of breaches. Coming in at 96%, e-mail continues to be the most common vector.

While these tactics may be difficult to spot on the surface, there are some common signs of a social engineering attempt to watch for while navigating the social engineering ocean. They include:

  • Requests or appeals for sensitive, personal information, such as SSN, user IDs, passwords, or banking information.
  • Sending correspondence that comes with a sense of urgency – you may be missing out on a deal, service or network shutoff, or even loss of funds.
  • Unsolicited communication from a perceived authority, perhaps your bank or utility company.

Remember that social engineers exploit our willingness to provide information and are good at creating a trust relationship. Being able to recognize social engineering attempts is key, especially if that attempt includes the mother lode of social engineering: the phish.

So how do we guard against these phishing attacks? Unfortunately, there is no single key tactic or process, but there are a host of things you can look for. The DOs and DO NOTs below list ways to help identify the dangerous phish.

DO…
  • Check the FROM address; be wary of messages from supposedly reputable companies that use GMAIL or foreign domains.
  • Mouse over links to see the real destination.
  • Keep anti-virus software up to date.
  • Use different passwords for your accounts, and change them immediately if you suspect a breach. Consider using a passphrase or implementing multi-factor authentication for added protection.
  • Check for URLs that don’t match the website you intend to visit, and for poor grammar and spelling.

DO NOT…
  • Click on any links or attachments unless you have verified that they come from a trusted source.
  • Give out personal or private information.
  • Enter your username and password into any portal that you don’t recognize. Navigate directly to the website and log in instead.
  • Click or call phone numbers listed in pop-up ads.
  • Succumb to phishing messages with offers that seem too good to be true, or with threats.
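The FROM-address, urgency and mouse-over checks listed above can be automated over a raw e-mail. The following Python script is an added example, not part of the original article or any SANS or VSU tool; the sample message, the free-mail domain list and the urgency word list are constructed here for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message) showing the warning signs from the table:
# a "bank" writing from a free-mail domain, an urgent subject line, and a link
# whose visible text does not match its real destination.
SAMPLE_EMAIL = """From: First National Bank <security-alerts@gmail.com>
To: user@example.edu
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Please verify your account immediately.</p>
<a href="http://firstnational.verify-login.example.net/auth">https://www.firstnational.example.com/login</a>
"""

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumed short list
URGENCY = re.compile(r"\b(urgent|immediately|suspended|act now|final notice)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    # Assumption: the last two labels approximate the registrable domain
    # (this ignores multi-label public suffixes such as co.uk).
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def phishing_indicators(raw_message):
    """Return the human-readable warning signs found in one raw e-mail."""
    msg = message_from_string(raw_message)
    findings = []
    # DO: check the FROM address; a company name on a free-mail domain is suspect.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in FREEMAIL:
        findings.append(f"from-address: '{name}' writes from free-mail domain {sender_domain}")
    # A sense of urgency in the subject is another sign the article lists.
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("subject: urgency language")
    # DO: "mouse over" each link; flag visible URL text that points somewhere else.
    for href, text in LINK.findall(msg.get_payload()):
        real_host = urlparse(href).hostname
        shown_host = urlparse(text.strip()).hostname
        if shown_host and registered_domain(shown_host) != registered_domain(real_host):
            findings.append(f"link: displays {shown_host} but points to {real_host}")
    return findings

for finding in phishing_indicators(SAMPLE_EMAIL):
    print("WARNING:", finding)
```

Run against a real mailbox, each finding is a prompt to navigate directly to the site rather than through the message, never a verdict on its own.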

Visit the VSU Division of Information Security website for additional information.