PDF Version: Most-Common-Social-Engineering-Attacks
Tag: Phishing Attacks Page 1 of 2
Organizations of all sizes are subjected to regular, highly sophisticated phishing attempts. Expecting IT and security teams to identify and combat all phishing attacks solely through technology is impractical. Phishing can take many forms, but it is essentially any email attack that is aimed to get the recipient to take a specific action. Phishing emails are now being meticulously researched and concocted to target specific receivers. So, how can you raise awareness about it and train your team to recognize a phishing email?
Phishing emails frequently include a variety of red flags that, if detected by the receiver, can prevent the attack from succeeding. A few red flags as mentioned below suggest the authenticity of any email: –
- Addressing, greeting, and context of the email: When reading a phishing mail, the first thing that generally raises suspicion is the words, tone, and figure of speech. In most of the mails, someone impersonating as a coworker may suddenly becomes overly familiar, or a family member may become a little more professional.
- Unfamiliar looking email ids, URIs: Looking for suspicious email ids, URIs (Uniform Resource Identifiers), and domain names is another simple approach to spot a potential phishing scam. It’s recommended to double-check the originating email ids against previous similar correspondence done. If the email contains a link, hover the pointer over the link to see what pops up. Don’t click if the domain names don’t match the links.
- Threats or high level of importance: Any email that threatens unpleasant repercussions should be viewed with caution. Another strategy used by criminals is to convey a sense of urgency to encourage, or even demand, urgent action from the receiver in order to confuse them. The fraudster expects that by reading the email quickly, the content will not be thoroughly reviewed, allowing additional phishing-related irregularities to go undetected.
- Attachments are the root cause of all evils: Be wary of emails with attachment(s) from an unknown sender. When the recipient did not request or expect to receive a file from the sender, the attachment should not be opened. If the attached file contains a file extension that you have never heard of, be cautious. You can flag it for an anti-virus scan before opening it.
- Irrelevant follow-ups: In a follow up email of some previous correspondence, if the correspondence requests something unusual, could be a sign of fraudulent communication. For example, if an email purports to be from the IT team and requests you to install a program or click a link to patch your asset whereas all patching is typically handled centrally. It is a strong indication that you’ve received a phishing email and should not follow the instructions.
- Concise and precise: While many phishing emails will be crammed with information in order to provide a false sense of security, others will be sparse in order to capitalize on their uncertainty. A scammer may send an email impersonating a familiar connection with some irrelevant text, for example – “Are you up for a profitable business venture with me?” and an attachment “Business Proposal”. These kinds of emails are usually sent to 9 to 6 working professionals who are looking to make side-income apart from their primary profession.
- Recipient didn’t initiate the email thread: As phishing emails are unsolicited, a common red flag is to inform the receiver that he or she has won a reward. The recipient can be lured to qualify for a prize if they reply to the email, or will receive a discount if they click on a link or open an attachment. There is a significant likelihood that the email is questionable if the receiver did not initiate the dialogue by opting in to receive marketing materials or newsletters.
- PII (Personally Identifiable Information) requested: When an attacker creates a false landing page that users are directed to via a link in an official-looking email, often some sort of credentials, payment information, or other personal information is asked.
- Grammatical errors: The use of poor grammar and spelling is another prevalent symptom that raises a red flag. As most firms have the spell check feature turned on in their email client, you’d expect emails from a professional source to be free of errors in language and spelling.
Sifting through the numerous reports to eliminate false positives is difficult and cumbersome. So, how can a business prevent phishing emails and spot phishing attacks? One strategy is to give priority to notifications from individuals who have a history of correctly recognizing phishing messages. These prioritized reports from employees help the SOC (Security Operations Center) team quickly respond to possible phishing attempts. This reduces the risk to individuals and business partners who could fall prey to such phishing campaigns.
To know more about various cyber-attacks and methods to prevent them, contact Centex Technologies at (254) 213 – 4740.
Social engineering is a broad term that is used to define a range of malicious activities that majorly rely on human interaction. These attacks often involve tricking people into breaking standard security protocols. The success of social engineering attacks is dependent on the attacker’s ability to manipulate the victim into performing certain actions or providing confidential information to the attacker. Social engineering attacks differ from traditional attacks as they can be non-technical and don’t necessarily require the attackers to exploit or compromise software or a network.
The best way to protect an organization from social engineering attacks is to educate the employees about different types of social engineering attacks. Here is a list of most common types of social engineering attacks –
- Baiting: A baiting attack is conducted by the attackers by leaving a bait such as a flash drive, USB, or CD at a place, where it is likely to be found by an employee. The device is loaded with malicious software. The success of such attacks depends upon the notion that the person who finds the compromised device will plug it to a system. When the device is plugged to a system, the malware is installed. Once installed, the malware allows the attacker to gain access to the victim’s system.
- Phishing: It is one of the most common social engineering attacks. The attack involves the exchange of fraudulent communication with the victim. The communication may be in form of emails, text messages, chats, or spoofed websites. The communications may be disguised as a letter from a financial institution, charity, employment website, etc. The communication contains a link and the victim is lured to click on the link to install a malware on his device. In other form of phishing attacks, the link may be used to collect victim’s personal, financial or business information.
- Pretexting: This type of attack occurs when the attacker fabricates a situation that forces the victim to provide access to sensitive data or a protected system. Some common examples of pretexting attacks are the attacker pretending to require financial details of the victim to validate victim’s identity or the scammer posing as a trusted person such as IT employee to gain victim’s login details.
- Quid Pro Quo: In such attacks, the scammer requests sensitive data from the victim in exchange for a desirable compensation. For example, the scammer may set up a form asking the users to fill in their information in exchange for a free gift.
For more information on types of social engineering attacks, contact Centex Technologies at (254) 213 – 4740.
W-2 phishing was launched with an intention to swipe away your tax refund. More than 100 employers became victim of W-2 phishing attack in first 10 weeks of 2017, putting 120,000 taxpayers at risk of an identity fraud. As per statistics by IRS Return Integrity Compliance Services, reports of W-2 phishing emails increased by 870% in 2017 and the figures are quite alarming.
How Is It Launched?
The cybercriminal shall send an email in which he might impersonate himself as the CEO of the company. The email contains an urgent request to send employee tax information. On receiving the email, the concerned employee often sends the file and hands over confidential & personal employee information to the fraudsters.
W-2s are important forms that are attached when one files their tax return. It contains a person’s confidential information such as name, address, income, social security number etc. Employee’s sensitive information is acquired from W-2s to commit an identity fraud.
Following are some ways in which this information can be misused –
- Your social security number can be used to claim a duplicitous tax refund.
- Take a loan on your name
- Open up a new credit card
- Make payments from your account
Ways To Protect Yourself From W-2 Phishing Attack
- Raise Awareness – Since W-2 phishing attacks are on rise it is important to keep your staff aware about the phishing scam. Make sure that you educate your employees on regular basis about the recent phishing scams. It is important that your staff that deals with all the financial statements and tax information is aware about the W-2 and other similar threats.
- Set Relevant Policies – To protect your company from such attacks, it important to set up some secretive policies and communicate them to your employees. There should be policies that decide what kind of requests should be catered to through an email. For e.g. when there is a policy that top executives would never ask for sensitive information via email, then the concerned employees would not be deceived by any fraudulent email asking for employee credentials. Also it is important to be vigilant when responding to any email.
- Flags Spam Emails – If you are able to identify a W-2 phished email then flag it and forward it to your employer and other concerned employees to prevent them from falling into a trap.
- Verify The Sender – Make sure that your employees do not revert to an email sent from an untrusted source. Follow a practice of reconfirming the request of sending any confidential information with the concerned executive once, before actually sending it.It is important to stay alert about such attacks to take preventive measures well in advance.
For more information about IT Security, call Centex Technologies at (254) 213-4740.