Today, social engineering attacks can happen through electronic means such as email and websites, as well as in person (the old-fashioned way).

In-Person Approaches
In-person social engineering attacks could include an attacker impersonating co-workers, police, financial authorities, insurance investigators and so on. The social engineer might ask the target for important information, like passwords:
- "The finance manager asked that I pick up the audit reports. Will you please provide them?"
- "The Sales director has asked me for this (sensitive) information which is business critical and time is running out…"
DO NOT provide critical information immediately in such scenarios. Dig deeper: talk to your co-workers and managers (e.g. the finance manager or sales director) to confirm whether these requests are legitimate.

Online Approaches
Online social engineering attacks (commonly known as phishing) use legitimate-looking emails, websites or other electronic means. Phishing emails can resemble those coming from trustworthy sites like eBay, PayPal, or a bank. They might contain links that look like they go to the original website but actually send you to a fake website made to look like the real one. When the victim logs in to the fake page, their credentials are stolen.

Ways to detect a phishing email:
- Link/email address manipulation: the sender's email address or the website link may look valid at a glance. Closely examine the email address for an incorrectly spelled company name, or hover over the link in the email to see whether it really directs you to the right website.
- Bad grammar or bad punctuation in the email message.
- Use of an outdated company logo.
- Most companies you do business with will address you by your name, so they aren't going to address you as "Dear customer/client".
- Beware of urgent or threatening language in the subject line.
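The checklist above, turned into detection logic as an added example (this code is not part of the original article): it runs the link-mismatch, lookalike-sender-domain, generic-greeting and urgent-subject checks over two constructed sample messages. The brand list, keyword lists and sample addresses are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Constructed sample messages (not from the page): sender, subject, greeting, links as (visible text, href).
SAMPLE_EMAILS = [
    {"sender": "service@paypa1.com",
     "subject": "URGENT: your account will be suspended", "greeting": "Dear customer,",
     "links": [("https://www.paypal.com/login", "http://paypal.com.verify-login.example/x")]},
    {"sender": "billing@paypal.com",
     "subject": "Your monthly statement is ready", "greeting": "Hello Alice,",
     "links": [("View statement", "https://www.paypal.com/statements")]},
]
KNOWN_BRANDS = ("paypal.com", "ebay.com")  # assumed: domains the reader actually does business with
URGENT_WORDS = ("urgent", "immediately", "suspended", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear client", "dear user")

def registered_domain(host):
    """Keep the last two labels: 'login.paypal.com' -> 'paypal.com'."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance, used to flag one-character brand lookalikes
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(domain):
    """Return the brand a domain imitates (a near miss, not an exact match), else None."""
    for brand in KNOWN_BRANDS:
        if domain != brand and edit_distance(domain, brand) <= 1:
            return brand

def phishing_indicators(email):
    """List the checklist indicators found in one message; an empty list means none hit."""
    found = []
    sender_domain = registered_domain(email["sender"].rsplit("@", 1)[-1])
    if lookalike_brand(sender_domain):
        found.append("sender-lookalike:" + sender_domain)
    for text, href in email["links"]:  # does the visible link go where it claims to?
        shown, real = urlparse(text).hostname, urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(real):
            found.append("link-mismatch:" + registered_domain(real))
    if any(w in email["subject"].lower() for w in URGENT_WORDS):
        found.append("urgent-subject")
    if email["greeting"].lower().startswith(GENERIC_GREETINGS):
        found.append("generic-greeting")
    return found
```

Running `phishing_indicators` over both samples flags every check on the first message and none on the second; a real mail filter would also inspect headers, but these are the indicators a reader can verify by eye.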
Be careful: vigilance is one of your best defenses!