Telltale signs of a social engineering attack


In today’s connected world, it’s easy to be exploited. Although many individuals and businesses are ramping up their cybersecurity measures, hackers are also one step ahead — instead of preying on the weaknesses of technology, they’re taking advantage of human ignorance. This is known as social engineering, and it’s all about manipulating people into handing over their passwords and other personal information, downloading malicious files, or performing other compromising actions.

People can be persuaded to click on various kinds of content for several technical and social reasons. For instance, you might receive an email that appears to be from a friend or colleague. Because you know the supposed sender, you won’t think twice about opening the file. However, that attachment might be malware masquerading as a simple Word document.

There are several cybersecurity measures and strategies you can employ to protect your business from such scams. But perhaps the easiest and most reliable way to avoid these attacks is to train your people to identify social engineering activities such as phishing and click-baiting. The following are some telltale signs of social engineering attempts.

Mismatched display name and email address

Phishing emails — or emails that coax people into revealing sensitive information — often purport to be from reputable companies. These typically imitate official display names and email signatures, but most of the time, they are sent from dubious email addresses. For instance, a message that claims to be from JPMorgan Chase but is sent from a look-alike address (the differences tend to be subtle and aim to look as genuine as possible at first glance) is fake.

You can verify the legitimacy of an email address by doing a quick Google search. If the address is listed on the company’s official sites, it’s most likely real. Otherwise, don’t reply to a possibly fraudulent email.

Be wary if your name is not in the To: or CC: line. Likewise, look out for emails sent to multiple people, especially if these are sent to email addresses that look like they were selected at random.

Suspicious sites and links

Many unscrupulous websites are designed to look as harmless and as legit as possible. One of the most damaging phishing sites of 2018 purported to be selling discounted tickets to the FIFA World Cup. The site had “FIFA” on its domain and was designed to look like the actual FIFA ticketing site.

To check whether a site is legit, look for the padlock icon at the left end of your browser’s URL bar. A closed padlock icon means that your connection is secure, and a green padlock indicates that the site has passed Extended Validation SSL certification, meaning it is secure enough to handle financial transactions. Keep in mind that the padlock only tells you the connection to that domain is encrypted; a phishing site can display one too, so read the domain name in the address bar as well.

There are also instances where a link’s visible text doesn’t match the URL it actually leads to. A quick way of verifying a link is to find the website yourself using a search engine; this ensures you’re heading to a legitimate web page. Alternatively, hovering over a link in an email will reveal the target URL before you click it. Always be mindful of dubious clickable URLs.
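The sender and link checks described above, automated as an added example (not code from ITS or the original post): it parses one raw message, flags a display name that names a brand whose mail should come from a different domain, a missing recipient in the To: line, and anchors whose visible URL points somewhere other than the real target. The brand-to-domain map and the sample message are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email): the display name claims a bank, but the
# sender domain and the link target do not match the brand, and no recipient is named.
SAMPLE = """From: "JPMorgan Chase Alerts" <alerts@chase-secure-login.example>
To: undisclosed-recipients:;
Content-Type: text/html

<p>Sign in at <a href="http://198.51.100.23/login">https://www.chase.com/</a></p>
"""
# Brand keyword -> domains its mail legitimately comes from (assumed for this demo).
KNOWN_BRANDS = {"chase": {"chase.com", "jpmorgan.com"}}
# Minimal anchor matcher for mail bodies; not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_mismatch(display_name, address):
    """Return the brand named in the display name if the sender domain is not one of its own."""
    domain = address.rsplit("@", 1)[-1].lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display_name.lower() and not any(
                domain == d or domain.endswith("." + d) for d in domains):
            return brand
    return None

def deceptive_links(html):
    """Links whose visible text looks like a URL but whose real target is on another host."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop tags nested inside the anchor
        if "://" not in text and not text.startswith("www."):
            continue  # plain-word link text: nothing to compare against
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            found.append((text, href))
    return found

def analyze(raw):
    """Run the article's sender, recipient and link checks over one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    brand = sender_mismatch(name, addr)
    findings = [f"display name claims {brand} but sender domain is {addr.split('@')[-1]}"] if brand else []
    if "undisclosed" in msg.get("To", "").lower():
        findings.append("recipient not named in To: header")
    findings += [f"link text {t} actually leads to {h}" for t, h in deceptive_links(msg.get_payload())]
    return findings
```

Running `analyze(SAMPLE)` returns three findings for the constructed message; a genuine message from one of the listed domains with matching link text returns an empty list.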

Bad grammar and urgency

Some phishing emails are poorly crafted, exhibiting shoddy grammar, spelling errors, or even overly generic salutations. It pays to err on the side of caution and not open links in such emails.

Likewise, if an email conveys urgency, be skeptical and carefully review the message to determine whether it’s a genuine email or a scam. For instance, you might receive an email saying that your bank account was frozen, and that you need to immediately provide your PIN to regain access. No legitimate business or organization will ever ask for confidential information in an email.

Since social engineering tactics are designed to take advantage of a brand’s ubiquity, it won’t hurt to be extra careful when replying to emails and opening links. This will save you from serious damage caused by cybercriminals infiltrating your network. Additionally, encouraging your employees to undergo security awareness training and testing programs helps stem the tide of social engineering attacks.

Integrated Technology Services (ITS) offers businesses a myriad of managed services, including IT Consulting and Strategy. We’ll help you develop comprehensive security strategies to reduce internal and external threats. Interested? Contact us today to learn more about how our experts will train your staff to protect your business from social engineering scams and other cybersecurity attacks.