
March 13, 2024 @ 12:00am

social engineering

With ever-increasing cybersecurity threats, it's important to stay on top of what the different attacks are and how you can avoid them. There are many different tactics that cyber attackers utilize, but one of the most common attacks is social engineering. This blog will focus on what the different types of social engineering attacks are, so that you can avoid being a victim. We will also discuss some things you can do if you think you are a victim of any of these attacks.


What is a social engineering attack?

In a social engineering attack, an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization’s network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility. There are several different types of social engineering attacks, but a phishing attack is by far the most common.

What is a phishing attack?

Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution that requests account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts.

Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year, such as

  • Natural disasters
  • Epidemics and health scares (e.g., H1N1)
  • Economic concerns (e.g., IRS scams)
  • Major political elections
  • Holidays

A very good example of this would be during and after the COVID-19 pandemic. Due to stay-at-home orders and a massive surge of working from home, phishing attempts increased dramatically and have continually become more sophisticated. 

There are several different types of phishing attacks, such as vishing and smishing attacks. There are more details on these below.

What is a vishing attack?

Vishing is the social engineering approach that leverages voice communication. This technique can be combined with other forms of social engineering that entice a victim to call a certain number and divulge sensitive information. Advanced vishing attacks can take place completely over voice communications by exploiting Voice over Internet Protocol (VoIP) solutions and broadcasting services. VoIP easily allows caller identity (ID) to be spoofed, which takes advantage of the public’s misplaced trust in the security of phone services, especially landline services. Landline communication cannot be intercepted without physical access to the line; however, that trait offers no protection when you are communicating directly with a malicious actor.

What is a smishing attack?

Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as webpages, email addresses or phone numbers that when clicked may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.

Why it's important to learn about phishing and social engineering.

It's important to understand the tactics that social engineering attacks utilize in order to avoid them. It's very likely that you or someone you know has been targeted by one or more phishing or social engineering attempts. Without knowing what phishing is, people are likely to fall for the tactic and provide sensitive information, click the malicious link, or download the malware.

The Cybersecurity and Infrastructure Security Agency (CISA) conducted a phishing assessment campaign in which they sent phishing emails to organizations and individuals as an experiment. Some of the results were reviewed in an infographic posted in 2023. They found that 80% of organizations had at least one individual fall victim to the attempt, and 10% of the phishing emails sent had someone execute malicious software embedded in the email by either a link or attachment. It was noted that only 13% of employees reported a phishing attempt.

This experiment shows how easily someone with malicious intent may be able to "trick" people into sending them sensitive information, payments, or more, and that's why it's important to be continually reminded and educated on phishing and other social engineering attacks so you can identify, avoid, and report them.

How do you avoid phishing and social engineering attacks? 

With phishing and social engineering occurring more often, it's important to be able to identify, avoid, and report the attempts to your organization, friends, and family. There are many different ways to avoid phishing; below is a list of steps you can take to be sure you stay safe:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don’t send sensitive information over the internet before checking a website’s security.
  • Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group.
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic. Rhyme Managed IT can help you stay up-to-date on all the latest software to stay protected.
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • Enable multifactor authentication for your accounts, that way if one piece of information is compromised the attacker will still be unable to access the account.
  • When you receive requests via email, text, or on the phone, it's a good idea to always be skeptical. Ask yourself questions such as: "Do I know this person?", "Did I order something from this site?", or "Am I expecting something from this person?". If you maintain a skeptical mindset when it comes to receiving requests you're less likely to follow links, download attachments, or give out information without first validating the request.
  • If you recognize something as a phishing attempt you should always report it. If it was sent to your work email, report it to your IT department so they can inform the rest of the organization; if it was sent to your personal phone or email, inform your friends and relatives, as they're likely to receive a similar message.
  • Another great way to avoid phishing attacks or other social engineering attempts is to test yourself and your organization. Take phishing assessments and provide updates to your coworkers. It's up to you to stay safe, but working together is a great way to keep everyone aware, talking about it, and avoiding it.
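The URL check in the list above (a spelling variation or a swapped top-level domain such as .com vs. .net) is something you can also automate before anyone clicks. The script below is an added example, not code from the original post or from Rhyme Managed IT: it pulls the hostname out of a link, reduces it to the registered domain, and compares that against a small allow-list of domains you actually trust. The allow-list (`examplebank.com`, `examplepay.com`) and the sample links are constructed placeholders.

```python
"""Flag look-alike domains in links before they are clicked.

Added example for this post; the trusted-domain list and the sample
URLs are constructed placeholders, not real sites.
"""
from urllib.parse import urlparse

# Constructed allow-list: the registered domains of services you trust.
TRUSTED_DOMAINS = {"examplebank.com", "examplepay.com"}


def registered_domain(host):
    """Reduce a hostname to its last two labels.

    'login.examplebank.com' -> 'examplebank.com'
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; a small distance between two brand names
    suggests a typo-squatted domain such as 'examplebnak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) where verdict is one of
    'trusted', 'lookalike', 'unknown' or 'invalid'."""
    # Links in text messages often arrive without a scheme; add one so
    # urlparse() treats the first part as the host rather than a path.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname
    if not host:
        return ("invalid", "no hostname found")

    reg = registered_domain(host)
    if reg in trusted:
        return ("trusted", reg)

    brand = reg.rpartition(".")[0]          # 'examplebank' from 'examplebank.net'
    subdomain_labels = host.lower().split(".")[:-2]

    for t in sorted(trusted):
        t_brand = t.rpartition(".")[0]
        # Same brand name, different top-level domain (.com vs .net).
        if brand == t_brand:
            return ("lookalike", f"{t} brand with a different top-level domain")
        # Brand used as a subdomain of some unrelated registered domain
        # (examplebank.com.some-other-host.net).
        if t_brand in subdomain_labels:
            return ("lookalike", f"{t} brand used as a subdomain of {reg}")
        # Brand embedded in a longer name (examplebank-secure.com) or a
        # close misspelling (examplebnak.com).
        if t_brand in brand or edit_distance(brand, t_brand) <= 2:
            return ("lookalike", f"{reg} resembles {t}")

    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing email or text might carry.
    samples = [
        "https://login.examplebank.com/account",
        "http://examplebank.net/login",
        "examplebnak.com/verify",
        "http://examplebank.com.some-other-host.net/",
        "https://www.python.org/",
    ]
    for link in samples:
        verdict, reason = classify_url(link)
        print(f"{verdict:10} {link}  ({reason})")
```

A "trusted" verdict only means the registered domain matches your list; it says nothing about whether the page itself is safe, so it complements rather than replaces the advice to contact the organization through contact details you already have.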

What do you do if you think you fell for a social engineering or phishing attempt?

If you think you fell for a phishing scam or other social engineering attack, don't panic; there are steps you can take to keep yourself secure. Often, the reason that phishing attacks are performed is to gather some form of information. Maybe it's account information, a name or address, or even credit card information. The attacker uses this information to either get further into your organization, make purchases, or use your identity. Below is a list of steps you should take if you believe you've fallen for a phishing scam or social engineering attack:

  • If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.
  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
  • Watch for other signs of identity theft.
  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission.
  • Report it to your friends and family; even if it was sent to your work email or phone, there is a chance they may receive it as well.

Phishing and social engineering attempts are the first steps for larger cyber attacks or data breaches. Although they have proven to be successful and many people do fall victim to them, they aren't impossible to avoid. With the proper education, training, and mindset, phishing and social engineering can be prevented. If you want to learn more on how you or your organization can learn more about phishing and how you can train yourself or coworkers, click the button below:

 

Contact Us

 

Reference: Cybersecurity and Infrastructure Security Agency (CISA)
