Phishing and Social Engineering - protecting your data on networks during Cybersecurity Awareness Month, and beyond

10/25/2021

The Center for Intelligence and Security Studies (CISS) would like to remind you that October is Cybersecurity Awareness Month.

This week we will discuss Phishing and Social Engineering.

Best Practice 5: How to identify Phishing and Social Engineering (Human Hacking)

Phishing is defined as a fraudulent attempt to obtain personally identifiable information (PII) such as usernames, passwords, credit card numbers, bank account numbers or other sensitive details by impersonating trustworthy sources using digital communication, which now may include your landline if you still have one. Calls from phone numbers that you don’t recognize are more than likely a phishing attempt.

The most common forms are email spoofing, instant messaging, and text messaging. In addition to impersonating a trusted source, most phishing attempts create a sense of urgency. The cyber-criminal is hoping you will react instantly without thinking. The goal is to direct you to enter personal information at a fake website that looks and feels like the legitimate site. In other cases, they are hoping that you will verbally give out your personal information.

In addition to impersonation-based phishing, cyber-criminals and nation-states such as Russia, China and Iran use fake news articles designed to provoke outrage, causing you to click a link without thinking. Once there, you can be infected with malware such as ransomware or redirected to pages that will do the same.

Through 2020, phishing was the most common attack performed by cyber-criminals. The FBI reports twice as many incidents of phishing as of any other type of computer crime.

The ‘Nigerian Prince’ email has become one of the most famous phishing scams. In fact, it has become a cliché or even a joke at this point. It has been around for over 20 years. This attack pretends to be from a member of a foreign monarchy asking the user to send a nominal amount of money with the promise of millions in return. Many have fallen prey to this attack.

But phishing scams are not a joke; in fact, they are dangerous and they come in many forms. They have become more sophisticated as technology has advanced.

Social Engineering is also known as Human Hacking because attackers use your own personal biases to lure you into reacting a certain way. Phishing is a subset of Social Engineering.

What is your defense? Common sense, patience and thoughtfulness.

When it comes to Phishing, begin with the knowledge that very few companies will email you out of the blue asking you to verify any personal information. If you receive an email, phone call, text or any other kind of digital communication requesting personal information, be suspicious.

When it comes to Social Engineering, especially on social media outlets, be aware of your own personal biases and take a minute to think about what you just saw or read. Many social media posts are designed to elicit a deep emotional response. They are counting on you to act on that emotional impulse in order to get your personal information, get you to donate to a political candidate outside of your district, and much more. Once you have fallen for this, you become a known good target.

NEVER click on the link in an email, text or message, even if you know the sender; they might have been hacked.

NEVER give any personal information over the phone unless you called the company or it is a return phone call for a conversation you initiated.

NEVER answer a call from a number that you do not recognize; if it is important, they will leave a voice mail. When they do leave a voice mail, use the internet to verify the phone number, website or other contact information. Do this by entering the company name into a search engine and comparing the results with the information in the communication. Once you have verified that the information is legitimate, it is safe to click on a link. If you cannot verify that the communication is legitimate, do not click on the link, return the phone call or respond to the message. This is true for landlines and mobile devices.

ALWAYS take a few extra minutes to verify the information.

ALWAYS wait until you have time to process a request before responding; this eliminates the impulse to respond quickly.

ALWAYS be suspicious. It is better to be a day late in responding than it is to spend months or years fixing something that could have been avoided.

Phishing attacks play on your trust, your beliefs, your fear and other emotions to be effective. The only way to counter that is to keep your head: use common sense. Slow down.

Using the tips we have provided during Cybersecurity Awareness Month is just the beginning of safely navigating cyberspace in the 21st century. Take the time to educate yourself further.

Dr. John B. Nicholas, professor of Computer Information Systems, co-founder of the CIS Cybersecurity degree track and Faculty Fellow of CISS, will be posting cybersecurity best practices in The Digest each week this month.